node-notifier
NSAllowsArbitraryLoads:true being labeled as a security issue
Hello there,
In the file node-notifier/vendor/mac.noindex/terminal-notifier.app/Contents/Info.plist, NSAllowsArbitraryLoads has been set to true. A code scanning tool is labelling this as a security breach; however, when I searched for NSAllowsArbitraryLoads in the source code, it looks like no code is directly referencing the item. Could anyone clarify what this piece of config is really doing?
Apple also identifies this as a security issue here: https://developer.apple.com/documentation/bundleresources/information_property_list/nsapptransportsecurity/nsallowsarbitraryloads
Help is appreciated!
Hello! Terminal Notifier is actually a different project that we utilize to show notifications on Mac: https://github.com/julienXX/terminal-notifier. If you'd like to raise the issue there to ask the question, I'm not sure on the background there. If they do answer the question, we can implement it here (we've got the distribution file inside the project since we're using an older version and it isn't available in the node ecosystem).
@jnielson94, they have answered @redhat-raptor and mentioned that it could be disabled. https://github.com/julienXX/terminal-notifier/issues/275
cc: @mikaelbr
I have created a pull request with the resolution of this issue. (https://github.com/mikaelbr/node-notifier/pull/362#issue-563542029)
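An added example, not code from node-notifier or terminal-notifier: a small audit that finds the setting discussed in this thread in vendored app bundles. NSAllowsArbitraryLoads lives in the NSAppTransportSecurity dictionary of Info.plist and is read by the OS rather than by application code, which is why a source search finds no reference to it; when true it lifts App Transport Security's HTTPS requirement for the app's connections. The check goes slightly beyond the one key and also reports the related ATS relaxation keys; the function names and the SAMPLE plist are constructed for illustration.

```python
import plistlib
from pathlib import Path

# App Transport Security keys that relax the default HTTPS-only policy.
GLOBAL_KEYS = (
    "NSAllowsArbitraryLoads",
    "NSAllowsArbitraryLoadsForMedia",
    "NSAllowsArbitraryLoadsInWebContent",
)

def ats_findings(plist_bytes):
    """Return the ATS relaxations found in one Info.plist (XML or binary)."""
    try:
        info = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed plist: report it, keep scanning
        return [f"unparseable plist: {type(exc).__name__}"]
    ats = info.get("NSAppTransportSecurity") if isinstance(info, dict) else None
    if not isinstance(ats, dict):
        return []  # no ATS dictionary means the secure defaults apply
    findings = [f"{key}=true" for key in GLOBAL_KEYS if ats.get(key) is True]
    domains = ats.get("NSExceptionDomains")
    for domain, rules in (domains.items() if isinstance(domains, dict) else ()):
        if isinstance(rules, dict) and rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"insecure HTTP allowed for {domain}")
    return findings

def scan_tree(root):
    """Map each Info.plist under root (e.g. node_modules) to its findings."""
    report = {}
    for path in sorted(Path(root).rglob("Info.plist")):
        found = ats_findings(path.read_bytes())
        if found:
            report[str(path)] = found
    return report

# Constructed sample, not the real terminal-notifier Info.plist.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key><dict>
      <key>legacy.example.test</key><dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""
```

Running `scan_tree("node_modules")` in a project lists every bundled Info.plist that relaxes ATS, so a scanner finding like the one above can be traced to the vendored bundle that ships it.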