I just updated to 10.4.3, and after the first reboot Little Snitch reported a network request by Dock.app to apple.com -- something which had never happened before. The first time I let it slip, but the second request came when I opened Dashboard for the first time, and this time I started tcpdump before granting access.
Among the expected traffic (updating the weather forecast) was a rather unusual request:
22:19:57.059318 IP (tos 0x0, ttl 64, id 27097, offset 0, flags [DF], length: 147) 192.168.0.4.50428 > www.apple.com.http: P [tcp sum ok] 1:108(107) ack 1 win 65535 0x0000: ..[.q>..$..^..E. 0x0010: ..i.@.@......... 0x0020: .[...P..B.N.fvP. 0x0030: ...\..GET./widge 0x0040: ts/widget.info.H 0x0050: TTP/1.1..User-Ag 0x0060: ent:.CFNetwork/1 0x0070: 0.4.3..Connectio 0x0080: n:.close..Host:. 0x0090: www.apple.com... 0x00a0: .
...i.e., an HTTP request for http://www.apple.com/widgets/widget.info, with a user agent of CFNetwork/10.4.3 (CFNetwork is Apple's new networking API introduced with OS X 10.4). The requested plain-text document is as succinct as it is weird:
...and that, as far as I can see, was the full conversation. (I've omitted the reply's HTTP headers as they contain nothing unusual.)
This conversation contains no identifying information, no serial numbers or unique identifiers apart from my IP address, so I'm not really worried about my privacy. And as a Mac user you quickly get accustomed to applications phoning home. But still, usually this happens to check for application updates, so this seemingly senseless request is a bit unordinary, even more so coming from an Apple application.
I'm not really clear about what this means -- at the very least Apple at some point in the near past chose to be notified of certain user actions; maybe they simply want to monitor how often their Dashboard service is used, and in which countries.
But as long as I have no immediate benefit from this transaction I'd like to have a choice to disable these requests, so I started searching for a preference to turn them off -- but there seems to be no plist file that contains the requested URL string, and the Dashboard application doesn't contain it either, nor do the two widgets I use (Apple's weather widget and Widget Machine's Flip Clock). In the end I found the string hard coded in the Dock.app binary:
/System/Library/CoreServices/Dock.app/Contents/MacOS $ strings Dock | grep widget.info http://www.apple.com/widgets/widget.info
There seems to be little information on this on the web -- a Google search leads to a short discussion in the MacMod forum which more or less documents exactly the same, and at least shows that other people have found this on their systems as well (notably also by having Little Snitch running in the background). And that's about it.
I'd like to document the circumstances under which this kind of traffic occurs, so contact me or write a comment if you find additional information -- e.g. it would be interesting to know if this has been introduced with 10.4.3, so if you haven't updated yet you could check if your Dock binary also contains the same URL.
(By the way, other strings you can find in the Dock binary: "Bunny Rabbit", and "Dashboard: delete widget thread could not create timer. You are hosed".)