6.4 Safari disable Internet Plugins for global use

Information

Starting with Safari 10 and continuing with Safari 11, Apple changed how the built-in web browser handles Internet Plug-ins. Instead of a global approach where a Plug-in is either on or off for all sites, the default decision is made for each specific site that is visited: allow, do not allow, or allow permanently. Other browsers are moving to stop using Plug-ins altogether and insist on the use of HTML5 for rich content. Only allowing Plug-in content from specific sites is a viable security option. In the Security Preferences, under Plug-in settings, it is possible to override this security feature and enable Plug-in content globally, Plug-in by Plug-in. Given the controls planned in other macOS browsers, allowing content globally is likely to put Safari users more at risk than users of other browsers.

Safari 10 offers three options for Internet Plug-ins under 'When visiting other websites': Ask, Off, or On. The On setting should not be used.

https://support.apple.com/en-us/HT202819

Rationale:

Allow Internet Plugins only on required sites

Impact:

Users will have to approve Internet Plugin use by site.

Solution

Select either ask to use or block

See Also

https://workbench.cisecurity.org/files/3092

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Unix

Control ID: 58afac795523e6545946caa355e840cb236ca1c843b6351515c7e36198b36143