WebExtension always needs manual consent for host permissions

Hi,
I am testing my Safari 14 WebExtension. My extension makes requests to my server and injects scripts on every website.
I configured the manifest host permission:
Code Block javascript
"permissions": [
  "tabs",
  "cookies",
  "https://*.trexcloud.com/*",
  "https://*/",
  "http://*/",
...
 ],

trexcloud.com is my server, but when I first enabled my extension, Safari still required manual consent for host permissions, either when I go to my server or to any other website.
Here is the screenshot

Can I bypass the manual consent step? It is a one-time config, but it still feels unnecessary since the host permission is already listed in the manifest, and it is not very friendly to end users.
Or is it a required step for Safari WebExtensions?

Thank you very much

I updated Safari 14 from Version 14.0 (14610.1.20) to Version 14.0 (14610.1.26), and it seems this issue is resolved.

Thanks

Update: it seems I still need to manually grant the permission on first install.
Safari will remember the grant, so it is only a one-time config, but according to https://developer.apple.com/documentation/safariservices/safari_web_extensions/managing_safari_web_extension_permissions

if the host permission is listed in the manifest, it seems the extension should not ask for the grant.

This issue is not fixed for me on Safari 14 (15610.1.26).

No matter how I specify the host permissions, the extension still needs to be manually granted the permissions for that domain unlike in other browsers using the same extension code and manifest.

I even tried adding SFSafariWebsiteAccess to the Info.plist, but it seems that's only used by App Extensions and thus ignored.

Hi structankit,
Did you figure out the solution? I made a mistake in one of my replies: it is NOT fixed for me on Safari 14610.1.26 either; I still need to manually grant.

On the released version of Safari they still require the user to manually grant the host permission, and unlike in the docs it doesn’t prompt users to grant it.

This actually kills the security for our extension because now we’re going to have to remove the httpOnly property for our domain cookie. Or it means a degraded UX if login is handled by the macOS app.

Unlike other browsers, Safari requires time-of-use granting of host permissions to allow script injection and other extension APIs to return results for each domain. This is a privacy feature, and is by design and is behaving correctly.

If the passive permission requests do not work, you can use browser.permissions.request(...) to prompt the user for host permissions via optional_permissions.

This is covered here: Meet Safari Web Extensions
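
The optional_permissions flow suggested in the reply above, as an added example that is not part of the original thread or Apple's own code. The manifest split in the comment, the helper names missingOrigins and requestOrigins, and the "grant" button id are assumptions made for illustration.

```javascript
// Assumed manifest.json split (constructed for this example): API permissions
// stay required, host patterns move to optional_permissions:
//   "permissions": ["tabs", "cookies"],
//   "optional_permissions": ["https://*.trexcloud.com/*", "https://*/", "http://*/"]

// Return the subset of `origins` the user has not granted yet.
// `api` is the extension's `browser` object, passed in so the logic can be
// exercised outside the browser with a stub.
async function missingOrigins(api, origins) {
  const missing = [];
  for (const origin of origins) {
    const granted = await api.permissions.contains({ origins: [origin] });
    if (!granted) missing.push(origin);
  }
  return missing;
}

// Prompt for the missing origins only. Call this directly in the user-action
// handler, before any await: browsers can reject a prompt that is not tied
// to a user action.
function requestOrigins(api, missing) {
  if (missing.length === 0) return Promise.resolve(true);
  return api.permissions.request({ origins: missing });
}

// Hypothetical popup wiring; skipped when not running inside an extension page.
if (typeof browser !== "undefined" && typeof document !== "undefined") {
  // Ask only for the server origin here, not every site (least privilege).
  const WANTED = ["https://*.trexcloud.com/*"];
  // Do the contains() lookups up front so the click handler can prompt at once.
  missingOrigins(browser, WANTED).then((missing) => {
    const button = document.getElementById("grant"); // hypothetical element id
    if (!button) return;
    button.hidden = missing.length === 0;
    button.addEventListener("click", () => {
      requestOrigins(browser, missing).then((granted) => {
        // On refusal keep the button visible and skip host-dependent features.
        button.hidden = granted;
      });
    });
  });
}
```
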

Thank you Timothy. I was going to respond to this thread to state that exact solution as what we ended up discovering and working around. Since the permissions key means something different in other web browsers, the Apple documentation did not make it clear that this was going to work differently for Safari. Only through repeated web searching and Apple developer forum searching was I able to find that solution.