Hi everyone,
I’d like to discuss modernizing the macOS implementation of webbrowser.open() and gather feedback/support for merging PR #146439.
Current Issues
The existing MacOSXOSAScript class constructs a short AppleScript and executes it via osascript. While this has worked reliably for many years, it introduces two clear concerns:
User Experience
On managed enterprise Macs (common in corporate environments using MDM/EDR tools such as CrowdStrike, SentinelOne, Jamf, or Santa), osascript is frequently monitored or restricted because of its history of abuse in malware campaigns. When restrictions apply, webbrowser.open() can fail silently or with unclear errors, creating a frustrating experience for Python developers and applications.
Security Risk
osascript is a general-purpose scripting interpreter and a classic Living-Off-the-Land binary (LOOBin). It was used on macOS in the recent Axios npm supply-chain attack (March 31, 2026), where malicious code wrote an AppleScript to a temporary file and executed it silently.
Even though the recent PATH-lookup vulnerability has been addressed in the PR, relying on osascript still poses issues:
- It requires constructing and executing AppleScript code, a more powerful mechanism than needed for the simple task of opening a URL. AppleScript can run shell commands, interact with other applications via Apple Events, and perform many other actions.
- Using a general scripting tool (instead of a limited, purpose-built utility) increases the overall attack surface of the standard library and makes the code more likely to be flagged by security tools.
- It keeps Python tied to a binary that security teams often treat with caution due to its real-world abuse in supply-chain attacks and infostealers.
Proposed Solution
PR #146439 introduces a new MacOSX class that replaces the legacy code with Apple’s purpose-built /usr/bin/open utility (called via absolute path and subprocess.run with an argument list):
- Uses `open -b <bundle-id>` for known browsers (e.g., `com.google.Chrome`), explicitly targeting the intended application.
- Safely routes non-HTTP(S) URLs through a browser to avoid unintended OS file-handler behavior.
- Eliminates AppleScript construction entirely.
- Deprecates the old `MacOSXOSAScript` class with a clear `DeprecationWarning`.
The change preserves full backward compatibility, including support for named browsers, while simplifying the code.