julienXX / terminal-notifier

Send User Notifications on macOS from the command-line.

NSAllowsArbitraryLoads:true being labeled as a security issue #275

Open redhat-raptor opened 4 years ago

redhat-raptor commented 4 years ago

Hello,

In file: https://github.com/julienXX/terminal-notifier/blob/master/Terminal%20Notifier/Terminal%20Notifier-Info.plist the value of NSAllowsArbitraryLoads has been set to true. A code scanning tool is labelling this as a security breach. May I know what this property is used for, please?

I did a quick grep for NSAllowsArbitraryLoads in the source code; however, it looks like no code is directly referencing the item. Could anyone clarify what this piece of config is really doing?

Apple also identifies this as a security issue here: https://developer.apple.com/documentation/bundleresources/information_property_list/nsapptransportsecurity/nsallowsarbitraryloads

Help is appreciated!

julienXX commented 4 years ago

Hello @redhat-raptor, this was added so that you could use icons with an http link (cf. https://github.com/julienXX/terminal-notifier/blame/3ba9ce569e234062d09c8fd01c4be11e56a9fd1b/Terminal%20Notifier/Terminal%20Notifier-Info.plist#L37). I think this could be disabled; using simple http is really not a good practice nowadays.
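
The setting under discussion, shown as an added example rather than terminal-notifier's own code: a constructed Info.plist carrying the global NSAllowsArbitraryLoads=true exception, a small audit that flags it (and any per-host NSExceptionAllowsInsecureHTTPLoads entries), and a hardening step that drops the global exception so the ATS default of HTTPS-only applies again. The bundle identifier and plist contents are made up for the example.

```python
import plistlib

# Constructed sample plist: the weak configuration (ATS disabled globally).
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>example.notifier</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
  </dict>
</dict>
</plist>
"""


def ats_findings(plist_bytes: bytes) -> list:
    """Return a list of human-readable findings about ATS exceptions."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    # The global switch: every outbound connection may use plain http.
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append("NSAllowsArbitraryLoads=true: ATS disabled for all hosts")
    # Per-host exceptions are narrower, but still worth reporting.
    for host, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"NSExceptionDomains/{host}: insecure http allowed")
    return findings


def harden(plist_bytes: bytes) -> bytes:
    """Remove the global exception so the ATS default (HTTPS only) applies."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity")
    if ats is not None:
        ats.pop("NSAllowsArbitraryLoads", None)
        if not ats:  # nothing left under the key, drop it entirely
            del info["NSAppTransportSecurity"]
    return plistlib.dumps(info)


if __name__ == "__main__":
    print(ats_findings(WEAK_PLIST))          # one finding
    print(ats_findings(harden(WEAK_PLIST)))  # []
```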

JayBrown commented 4 years ago

I heard from a guy who told me that terminal-notifier was flagged as "Trojan / AdLoad" by BitDefender. Maybe that's related?

winnemucca commented 4 years ago

@julienXX how would we change that flag to false? The one in info.plist. I imagine we can fork it. Is this the only option?

Yusuf023 commented 3 years ago

@julienXX Is there any change planned to disable this? A code scanning tool is referring to it as a critical security issue.

julienXX commented 3 years ago

@Yusuf023 sure, do you want to make a pull-request for this change?

idhruvs commented 3 years ago

Hi! I have created a new pull-request for resolving this issue. https://github.com/julienXX/terminal-notifier/pull/285#issue-563534367