Pixel Envy

Written by Nick Heer.

Security Theatre in Safari Download Permissions

You know how Safari now requires you to confirm that you want to allow file downloads per domain? It’s not just irritating; it is also sometimes mere theatre.

Consider this tweet from Craig Hockenberry:

If you view the Twitter website in Safari on Mojave and/or Catalina, you’ll probably enjoy this extension app I wrote:

https://files.iconfactory.net/software/Fixerrific-1.0+5.zip

It makes the navigation scroll and hides “Trends” & “Who to follow”. Two lines of code that improve things immensely. Enjoy!

If you click the link to download the file, Safari will ask you if you want to allow downloads on “t.co” — Twitter’s URL shortener — which is a problem for two obvious reasons:

  1. The file is not being downloaded from t.co, but from files.iconfactory.net, so the prompt is lying.

  2. Confirming that you do want to allow downloads from t.co does, apparently, allow you to download any and all files from links posted on Twitter without further confirmation. I tried downloading another archive and I was not asked if I want to allow downloads.

Twitter’s URL shortener works by creating 301 redirects, but Safari apparently doesn’t follow those to their destination URL. In some cases, that probably makes sense — large file downloads are often hosted on CDNs with inscrutable addresses. It does, however, mean that whatever way this is supposed to benefit security or privacy is easily defeated if downloads are redirected through common URL shorteners.