Safari Browser – Not Safe

By | 2012/04/25

Current versions of Firefox, Chrome, and IE9 have built-in protection or filtering that stops a javascript: URL pasted into the URL bar from executing, which blocks the social engineering route to XSS through the address bar. (As of this writing: Firefox 12, Chrome 18.)

The only major browser that currently does _not_ do so well for these protections is Safari. Safari 5.1.5 on OS X Lion allows javascript in the URL bar to be executed.

This can be tested by putting something like the following in the URL bar and hitting enter:

javascript:void(alert("hi there"))

Most browsers refuse to execute this when it is entered in the URL bar, but Safari runs it.


A main security concern around XSS is cookie stealing: if a user is socially engineered to click a malicious link, or is prone to clicking links in sketchy emails, script could execute in the context of a site the user is logged in to and send the user's authentication cookie to an attacker's remote server.
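The cookie-theft scenario above depends on the session cookie being readable by script running in the page. The server-side mitigation that does not depend on the browser's URL-bar filtering is the HttpOnly attribute (plus Secure), which keeps the cookie out of reach of document.cookie. The following is an added example, not code from the original post: a small Node.js audit that parses Set-Cookie header values and reports session cookies missing those attributes, alongside a helper that emits a hardened header. The header strings are constructed sample data; the SameSite check goes beyond the post (the attribute postdates it) but is included because it is now part of the same hardening checklist.

```javascript
// Added example (not from the original post): audit Set-Cookie headers for the
// attributes that keep a session cookie away from injected script.
// A cookie set without HttpOnly is exposed through document.cookie, which is
// exactly what makes XSS-based cookie theft work.

// Parse one Set-Cookie header value into its name, value and attribute map.
// Attribute names are lower-cased so the checks below are case-insensitive,
// and flag attributes (HttpOnly, Secure) are stored as `true`.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const value = eq === -1 ? '' : nameValue.slice(eq + 1);
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attributes };
}

// Return a list of findings for one cookie; an empty list means the cookie
// carries the attributes that blunt theft and replay via injected script.
function auditCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  if (attributes.httponly !== true) {
    findings.push(`${name}: missing HttpOnly (readable via document.cookie)`);
  }
  if (attributes.secure !== true) {
    findings.push(`${name}: missing Secure (also sent over plaintext HTTP)`);
  }
  // SameSite is newer than the original post; it limits cross-site replay.
  const sameSite =
    typeof attributes.samesite === 'string' ? attributes.samesite.toLowerCase() : '';
  if (sameSite !== 'strict' && sameSite !== 'lax') {
    findings.push(`${name}: SameSite not Strict/Lax (attached to cross-site requests)`);
  }
  return findings;
}

// Build the hardened form of a session cookie header.
function hardenedSessionCookie(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample headers: the weak one is how many 2012-era apps set
// their session cookie; the strong one is what the helper above produces.
const WEAK_COOKIE = 'SESSIONID=abc123; Path=/';
const STRONG_COOKIE = hardenedSessionCookie('SESSIONID', 'abc123');

for (const header of [WEAK_COOKIE, STRONG_COOKIE]) {
  const findings = auditCookie(header);
  console.log(header);
  console.log(findings.length ? findings.map((f) => '  ' + f).join('\n') : '  ok');
}
```

Run this with `node` on a file of Set-Cookie values pulled from your own application's responses; any cookie that shows a "missing HttpOnly" finding is the one a URL-bar or reflected XSS payload could read, regardless of which browser the user runs.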

From a security standpoint, Safari should not be used to browse unknown sites, click links in emails, and so forth. If OS X is used in your company, I recommend Firefox or Chrome for your users!

Stay safe,