Safari extension vs. Safari web extension permissions

Hi!

What is the basic difference between a Safari extension which has NSExtensionPointIdentifier set to com.apple.Safari.extension and a Safari web extension with the NSExtensionPointIdentifier value set to com.apple.Safari.web-extension?

I'm asking because to me it seems that permissions for those two work differently.

When I set the same set of permissions in the manifest.json of the extension, I get different behaviour.

Case 1:

For com.apple.Safari.extension, when the user turns on the extension in Safari preferences, there is a popup with the question: Are you sure you want to turn on the extension "extension_name"? The user can either cancel it and not turn on the extension, or click Turn on and allow all permissions requested by the extension on all pages.

Case 2:

For com.apple.Safari.web-extension, when the user turns on the extension in Safari preferences, there is no popup, but there are 2 buttons: Edit websites, where the user can enable/disable the extension separately for each and every website, and Always allow on Every Website, which basically does the same as Turn On in the first example. But if the user does not accept some webpage, then when the user gets to that page for the first time and tries to click on the extension icon, there will be a popup with a warning about permissions and with several options for the user to allow or disable the extension.

To create the extension I used the safari-web-extension-converter tool, which automatically creates a Safari web extension, but the problem is that our users do not like the permission behaviour that happens in Case 2.

Is there a way to have Safari web extensions (com.apple.Safari.web-extension) which have the behaviour described in Case 1?

Hi, I have the same question. As the sites are already defined in the manifest permission section, after we turn on the WebExtension, the user seems to need to click Edit WebSites... or Always allow on Every Website... to consent to the permission.

From the doc:
https://developer.apple.com/documentation/safariservices/safari_web_extensions/managing_safari_web_extension_permissions

When the user visits a page where your Safari web extension has not yet been granted access permission, the toolbar item for the extension displays a badge to indicate to the user that action is required to grant permissions. The user may click the toolbar item and select an option to grant permission for a single use, for the day, or for all websites, or to deny permission.

So if the permission is granted in the manifest, is this a bug that users have to manually grant the permission again?



With Safari Web Extensions, granting permission in the manifest doesn't automatically give your extension access to those web pages.

Users of your extension will need to give your extension access to pages. This is not a bug, it is expected behavior. If you are running into issues with it, please file feedback at https://feedbackassistant.apple.com and explain the issues you are running into.
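The gap between what the manifest declares and what the user has granted can be measured from inside the extension. The following is an added example, not code from this thread or from Apple: the function names and the sample manifest are hypothetical, and it assumes the standard WebExtensions `permissions.contains` API reflects the user's per-site choice.

```javascript
// Added example. declaredHostPatterns / ungrantedOrigins are hypothetical names.
// A host match pattern is "<all_urls>" or "scheme://host/path"; any other entry
// in "permissions" (e.g. "tabs", "storage") is an API permission, not a host.
const isHostPattern = (p) =>
  p === "<all_urls>" || /^(\*|https?|wss?|ftp|file):\/\//.test(p);

// Collect the host patterns a manifest declares: MV2 keeps them in
// "permissions", MV3 in "host_permissions". Duplicates are dropped.
function declaredHostPatterns(manifest) {
  const found = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
  ].filter(isHostPattern);
  return [...new Set(found)];
}

// Return the declared patterns the user has NOT granted yet.
// permissionsApi is browser.permissions inside a real extension.
async function ungrantedOrigins(permissionsApi, manifest) {
  const pending = [];
  for (const origin of declaredHostPatterns(manifest)) {
    const granted = await permissionsApi.contains({ origins: [origin] });
    if (!granted) pending.push(origin);
  }
  return pending;
}

// Constructed sample manifest (not taken from any real extension).
const sampleManifest = {
  manifest_version: 3,
  permissions: ["tabs", "storage", "https://example.com/*"],
  host_permissions: ["*://*.example.org/*", "https://example.com/*"],
};

// Inside an extension background script, report what is still pending so
// the UI can explain to the user why a feature is inactive on a site.
if (typeof browser !== "undefined") {
  ungrantedOrigins(browser.permissions, browser.runtime.getManifest())
    .then((pending) => console.log("Declared but not granted:", pending));
}
```
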

Hi,

Can you explain why web extensions don't have the same permission level as app extensions? Is it a security/privacy measure?

I would like to understand the reasoning here as well. It seems like a Safari App Extension gets default access to whatever pages the user visits, whereas a Safari Web Extension has to ask for specific web page permissions. I can understand the latter from a privacy/security perspective, but it doesn't make much sense for the former because an App Extension has free rein. Why is an App Extension treated differently from a Web Extension in this case?

For example, 1Password's App Extension has access to all sites without an explicit opt-in:

...but Okta's Web Extension does not:

Both have very similar functionality, that of suggesting form-fills for logins on any web site, but because Okta is a Web Extension, it gets treated differently. Why is that? It seems like both App Extensions and Web Extensions should require the same opt-ins or not. Otherwise, it's on the developer to opt for a native App Extension over a Web Extension for the better UX.

Also curious to know why web extensions and app extensions have different permissions. The permissions in Safari for requested hosts are in ask mode by default after installing a web extension. By contrast, in Chrome and Firefox, web extension permissions for requested sites are in allow mode.
