usnistgov / macos_security

macOS Security Compliance Project

safariAllowPopups doesn't work in Sonoma (and possibly earlier versions) #335

Open isaacatmann opened 11 months ago

isaacatmann commented 11 months ago

Summary

The current remediation for blocking popups in Safari is no longer applied via config profile. This is verified by navigating to https://nsc.puresafety.com/Login/PopupTest with the profile installed enforcing safariAllowPopups.

Steps to reproduce

1. Go to Safari > Settings > Websites > Pop-up Windows
2. Change When visiting other websites: Allow
3. Quit Safari
4. Install Config profile recommended here with com.apple.Safari - safariAllowPopups payload
5. Open Safari
6. Navigate to https://nsc.puresafety.com/Login/PopupTest

Toggle Change When visiting other websites: to various settings, quit, re-open https://nsc.puresafety.com/Login/PopupTest to observe various results.

Operating System version

macOS Sonoma

Intel or Apple Silicon

Both

What is the current bug behavior?

Popups are not blocked

What is the expected correct behavior?

Popups blocked

Possible fixes

So far I've found that pop-up blocking is no longer a binary yes/no decision and is per site with an "All others" setting. This is stored in a sqlite database.

Verifying the setting is done via

```
sqlite3 ~/Library/Safari/PerSitePreferences.db 'select * from default_preferences' | grep PerSitePreferencesPopUpWindow
```

There are now 3 options: block, block and notify and allow.

Per site settings can be overridden in the same database by the user and can be reported via

```
sqlite3 ~/Library/Safari/PerSitePreferences.db 'select * from preference_values' | grep PerSitePreferencesPopUpWindow
```

isaacatmann commented 11 months ago

Update, resolution is as follows:

```
sqlite3 ~/Library/Safari/PerSitePreferences.db "UPDATE default_preferences SET default_value=0 WHERE preference='PerSitePreferencesPopUpWindow';"
```

default values:

```
2= allow
1= block
0= block and notify
```

isaacatmann commented 11 months ago

Update better detection

Detection:

```
sqlite3 ~/Library/Safari/PerSitePreferences.db "select default_value from default_preferences WHERE preference='PerSitePreferencesPopUpWindow'"
```

Result should be 0 or 1

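
An added example, not part of the original thread or the project's code: a read-only audit of the default checked by the detection command above, written in Python so it can be run against a copy of the database. It assumes the `default_preferences` columns used in that command; `preference_values` is read unfiltered because its columns are not given in this thread, and the names `audit_popup_default`, `PREF`, `MEANING` and `COMPLIANT` are hypothetical.

```python
import sqlite3
from pathlib import Path

PREF = "PerSitePreferencesPopUpWindow"
MEANING = {0: "block and notify", 1: "block", 2: "allow"}  # values as listed in this thread
COMPLIANT = {0, 1}  # "Result should be 0 or 1"


def _open_readonly(db_path):
    """Open the database read-only so the audit can never change Safari's settings."""
    path = Path(db_path).expanduser().resolve()
    if not path.is_file():
        raise FileNotFoundError(path)
    return sqlite3.connect(path.as_uri() + "?mode=ro", uri=True)


def audit_popup_default(db_path):
    """Return (status, detail); status is 'pass', 'fail' or 'unknown'."""
    try:
        conn = _open_readonly(db_path)
    except (OSError, sqlite3.Error) as exc:
        return "unknown", f"cannot open database: {exc}"
    try:
        row = conn.execute(
            "SELECT default_value FROM default_preferences WHERE preference = ?",
            (PREF,),
        ).fetchone()
        # Same unfiltered read as the thread's `select * ... | grep`, so no
        # column names are assumed for preference_values.
        overrides = [r for r in conn.execute("SELECT * FROM preference_values")
                     if PREF in r]
    except sqlite3.Error as exc:
        return "unknown", f"query failed: {exc}"
    finally:
        conn.close()
    if row is None:
        return "unknown", "no default row for " + PREF
    try:
        value = int(row[0])  # tolerate the value being stored as text
    except (TypeError, ValueError):
        return "unknown", f"unexpected default_value {row[0]!r}"
    detail = (f"default={value} ({MEANING.get(value, 'unrecognised')}), "
              f"{len(overrides)} per-site override(s) to review")
    return ("pass" if value in COMPLIANT else "fail"), detail


if __name__ == "__main__":
    print(audit_popup_default("~/Library/Safari/PerSitePreferences.db"))
```

A missing database, a missing row or a failed query is reported as `unknown` rather than `pass`, so an unreadable profile is not counted as compliant.
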
robertgendler commented 3 months ago

Sorry it took a while to come around to this.

Testing with macOS 14.5 and the profile installed and testing your website. It is blocking popups for me. Now once the profile was installed I had to restart Safari. But that's typical of a lot of applications when a configuration profile is applied.

Are you still seeing undesired behavior?

jmahlman commented 2 months ago

CIS has updated the guidance for this rule and moved it to a manual audit. Since the config profile does not work, we have removed the rule from the Sequoia branch and will backport to others.

https://github.com/usnistgov/macos_security/commit/4d4d71ca1693c60b59e73b97eb57ebe8c1b369dd