TLDR: iOS6 Mobile Safari can turn on your Javascript preference without asking you.

I haven't seen this mentioned anywhere... iOS 6.0 added a "smart app banner" feature to Mobile Safari. Basically you can add a compact and non-ugly "buy me on the App Store!" banner to a web page by adding a single meta tag. That's cool for Apple-based developers. (Example: http://zarfhome.com/meanwhile/ . Only visible in iOS Safari, obviously.)

The catch: if you have Javascript turned off in your Safari preferences, and you visit a page with one of these banners, Safari silently turns Javascript back on. Not temporarily; it just flips your preference and leaves it that way.

(I know only crazy people turn off Javascript, that's not the point.)

I filed a bug with Apple.
 
That is not ideal. Good on you for filing a bug.
 
JAVASCRIPT IS ESSENTIAL TO THE MODERN WEB YOU LUDDITE IT'S PERFECTLY SAFE AND ANYWAY I'M ONLY GOING TO PUT THE TIP IN AND STEVE KNOWS BEST RRRARRRGH!
 
Wow.  That's a kinda major bug there.
 
TIL I'm a crazy person. That and the host of other security conscious behaviors I engage in must have me on some kind of watchlist. <peeps out blinds>
 
That's fairly terrible. Hope to see this resolved shortly.
 
If you can confirm this, I'm sure Ars or /. or whoever would be interested. And would post massive flamewars about it, heh.
 
What is to confirm? I tried it. It happened. You're welcome to try it too.
 
Hmmm, hadn't noticed, but I usually use Chrome on my iDevices. . . I don't like the idea of an app changing preferences though, definitely not OK
 
Experimentation may show that the behavior extends across all iOS web content, since it's all implemented via the embedded WebKit.  So, this may impact the web views inside Twitter clients, the content rendered by Chrome, et cetera.

(I'm aware enough to see the risk, but not interested enough to run that test myself -- I'm a Mobile Safari user, and would not consider switching primary browsers, and am already worked up enough about the bug.)
 
A quick test in this client (iShare+) and also in Echofon indicates that banners do not appear in their webviews. It appears to be a feature of the Safari app only.

Client webviews normally have javascript on, anyhow. They're not affected by the Safari preference to turn it off, and -- now that I look -- they don't even have an API option for the hosting app to turn it off. So the point is exceptionally moot.