Clean Room

Tuesday, October 30th, 2007

So I was curious how Apple’s was implementing the new “You’re opening an Application downloded from the internet!” dialog, particularly because of the extra information that items downloaded with Safari are given.

First off, it seems like that information is stored in the extended attribute, which is a binary plist. Use mdls filename to view just the Spotlight information about a file. First item seems to be the URL, and the second is optional and contains the referrer.

That’s all well and good, but what’s actually causing that dialog to display, and then go away again later?

So using the shiny new xattr utility, I took a look around. I found the key. For a typical Safari download, it looked something like this: 0000;4727b833;Safari;211E2770-C08D-487B-A602-3EDBC7D34124|

For a Firefox (Minefield actually) download it looks more like this: 0000;4727bb8d;Minefield;|org.mozilla.firefox

The GUID is probably related to the kMDItemWhereFroms, and is what the dialog is actually pulling the “Show Web Page” and “downloaded from” information. By the way, it turns out that attribute gets set for all writes, including caches, Firefox profiles, etc. Probably a good thing.

fs_usage data supports the theory that that mdworker is seeing the kMDItemWhereFroms attribute and setting appropriately, but I can’t really be sure yet (I haven’t tried DTrace).

I was still a little confused (and concerned) as to how Apple was setting this bit on writes from Firefox, which has no special code, or regular writes from Safari, so I tried an experiment: I copied Minefield, edited it’s CFBundleIdentifier to be something non-sensical (in this case and tried downloading a file. The attribute wasn’t set.

So Apple’s doing bundle ID sniffing. Awesome. For the sake of completeness, I tried something else. I tried the same trick on Safari (this time used org.cooldude.CoolBrowse). I was further surprised to find that again all writes from CoolBrowse have the attribute set.

Really, I’m not sure what is going on here.

It looks like the xattr is actually set somewhere in the kernel (perhaps in seatbelt.kext?) I’m still curious as to how Safari’s getting special treatment here, and if other apps need (or want) to opt in.

I’m definitely not done figuring out what’s going on here, but I figured I’d put what I know so far up. Big thanks to Mike Ash and Alexander Strange for helping out.

Edit: Well I’ll be damned. Check out LSQuarantine.h. It speaks volumes about either me or Apple (or both!) that I didn’t even think to check for anything public.


  1. Smokey Ardisson replied on October 30th, 2007:

    Only the first three paragraphs of this appear on planet.m.o, and there’s no indication there that there’s more to read here :(

  2. Boris replied on October 30th, 2007:

    For the sake of those of us not privileged to have a copy of 10.5, what’s in LSQuarantine.h?

  3. Colin replied on November 1st, 2007:

    @Boris It’s a bunch of constants you can pass to LSCopyItemAttribute and LSSetItemAttribute.