Why does Safari 14 Beta on macOS Big Sur Beta open custom URLs in its own Sandbox Container?

We have a non-sandboxed app that uses a custom URL scheme to allow redirection of certain tasks from Safari to our app, when installed, and with permission from the user.

In the latest Beta of Safari 14 on macOS Big Sur Beta, Safari launches our app in its own Sandbox Container. This obviously breaks our software, which expects and requires a "normal" environment.

This is a regression in Safari. It still asks for permission before opening every single custom URL. Users still have to install our notarized software beforehand on their systems in order to access these custom URLs.

I tried filing a bug. Tried a DTS ticket. No reply to either. Does anyone know of this problem, and know of a workaround? Our software obviously cannot escape Safari’s sandbox container. At best we can detect it, right now, but our software is broken 😫

For the record, if the user launches our app *before* attempting to open the custom URL, then Safari is more than happy to pass along the URL to the running instance of our software (which is great). But if Safari has to launch our app in order to process the custom URL, our app lives within the confines of Safari’s container.

Accepted Reply

Did you have to enable the sandboxing somehow or was it automatic?

I have a report from a customer of mine of a problem with my application in the Safari sandbox on Big Sur. However, I just installed Big Sur beta 9, including Safari 14.0.1, and I don't have a problem. How can I tell if the application is running in the sandbox?

Replies

macOS Big Sur Beta 9 mostly fixes this problem, with a strange exception. The reason you may not be able to reproduce the problem is that maybe your customer hasn't had a chance to update to Beta 9 yet.

In Beta 9 when our non-sandboxed app is launched as a result of a custom URL invocation from Safari, it gets the correct UNIX/POSIX environment (home folder, system folders, etc). BUT, for unclear reasons, the sandbox container ID as reported by the process’s environment variable APP_SANDBOX_CONTAINER_ID is still Safari’s.

This seems extremely unusual, as if the fix is only partially there. Unclear what else may be different about an app that runs under a different app’s Sandbox Container ID. 🤔

> macOS Big Sur Beta 9 mostly fixes this problem, with a strange exception.

I’d appreciate you filing a bug about that strange exception. Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
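
On the question raised in the thread of how to tell whether an app is running in another app's sandbox, here is an added example (not code from any poster in this thread) that separates the two states described above: an inherited container ID with a redirected home folder, and an inherited container ID with a normal home folder. It assumes that a sandboxed process sees HOME under `~/Library/Containers/<container id>/Data`; the bundle identifier `com.example.helper` is a placeholder.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of comparing the inherited sandbox environment with our own identity. */
typedef enum {
    ENV_NORMAL,            /* no container ID in the environment */
    ENV_OWN_CONTAINER,     /* container ID is ours (we are sandboxed ourselves) */
    ENV_FOREIGN_ID_ONLY,   /* another app's ID, but HOME is not redirected (Beta 9 report) */
    ENV_FOREIGN_CONTAINER  /* another app's ID and HOME points into its container */
} env_state;

/* Pure function so it can be exercised with constructed values.
 * container_id: value of APP_SANDBOX_CONTAINER_ID, or NULL if unset
 * own_id:       this app's bundle identifier (placeholder in main below)
 * home:         value of HOME, or NULL if unset */
env_state classify_env(const char *container_id, const char *own_id, const char *home)
{
    char marker[512];

    if (container_id == NULL || container_id[0] == '\0')
        return ENV_NORMAL;
    if (strcmp(container_id, own_id) == 0)
        return ENV_OWN_CONTAINER;

    /* Assumption: a sandboxed process sees HOME as
     * ~/Library/Containers/<container id>/Data */
    int n = snprintf(marker, sizeof marker, "/Library/Containers/%s/Data", container_id);
    if (home != NULL && n > 0 && (size_t)n < sizeof marker && strstr(home, marker) != NULL)
        return ENV_FOREIGN_CONTAINER;
    return ENV_FOREIGN_ID_ONLY;
}

int main(void)
{
    static const char *names[] = {
        "normal environment", "own sandbox container",
        "foreign container ID, HOME intact", "running inside another app's container"
    };
    /* "com.example.helper" is a placeholder bundle identifier. */
    env_state s = classify_env(getenv("APP_SANDBOX_CONTAINER_ID"),
                               "com.example.helper", getenv("HOME"));
    printf("%s\n", names[s]);
    return s == ENV_FOREIGN_CONTAINER ? 1 : 0;
}
```

Logging the result at launch gives support staff a quick way to tell which of the two situations a customer's machine is in.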