Wednesday, June 08, 2005

Tiger Dashboard Widgets: Cookies

So today I learned at WWDC that a Dashboard widget sending an XmlHttpRequest to a host/path will send applicable cookies that may have been previously set in Safari-land. In essence, you're looking at one big cookie space. However, I was told there's a bug in Widget-land, whereby if a Set-Cookie HTTP header is sent in a response to an HTTP request made by a dashboard widget, it's currently ignored and not being added to the big cookie space. I'll be inquiring more about all this in more in-depth sessions coming-up.

I'd like to take a couple of minutes to remind us all that Dashboard Widgets are full-blown applications that have the ability to do as much damage to your privacy, home directory or system as any other application would. Be mindful of whom you download a Dashboard Widget from, make sure you can always trace a given widget back to a website owner or company. Just because it is listed on Apple's website does NOT mean it is safe for consumption. The barrier to entry for creating a widget is low, very very low, a lot can be done with little scripting knowledge, it's very easy to package and "ship" one.

7 comments:

Anonymous said...

Have you heard of any updates or workarounds to this bug? I've been working on a widget and already came across it... Glad I found your page, otherwise I would have thought the issue was with my scripting.

Chris Holland said...

you might consider building a simple reproducible test case Apple Engineers could look at and submit a bug with it. Feel free to post a URL to your test case here.

Anonymous said...

Actually the widget accesses an HTTP server that is only available behind my company's firewall... But, I was able to (after several hours of tinkering) come up with a workaround. I just call curl from widget.system() and use it to send the cookies the server sends upon login to the widget as variables... Then i reconstruct them into a valid Cookie: string and use XMLHttpRequest.SetRequestHeader to send the cookie with every request as a Cookie: header. I can post the relevant lines of code if you like.
Thanks

Chris Holland said...

Whoaaa, talk about a work *around*. Yeah feel free to post snippets to your heart's content, I'd love to have'em :) Or if you have a blog or personal website, feel free to link to that too. Ok someone still needs to build a simple test case that can be submitted to a bug report to Apple. I'll try and get around to it :)

Anonymous said...

Pete, please post lines of code !!

thx

Anonymous said...

Here is a link to the relevant lines of code... sorry the script is a little messy, but i've added lots of comments that explain what each step does.

If you have any questions just email me.

http://homepage.mac.com/prosenbl/widget/widget.html

Glad I could help guys... later.

Anonymous said...

Thx pete !