Article

About Permissions for Scripts and Style Sheets

Learn about URL permissions for scripts and style sheets in a Safari App Extension using information property list keys.

Overview

If you specified Some or All access for your Safari App Extension, then scripts or style sheets provided by your app extension are injected into the webpage. By default, the setting is All access, so all scripts and style sheets are injected into the webpage. However, you can set separate, precise controls for each file that define whether it should be injected into the webpage.

For each file you add to the SFSafariContentScript and SFSafariStyleSheet sections of your app extension’s Info.plist file, you create a dictionary to describe the file. The required key specifies a path to the file. If you don't specify any optional keys, the file is injected into any website. You can add additional keys to this dictionary to permit or prevent injection of the file.

For both SFSafariContentScript and SFSafariStyleSheet, a key’s Allowed URL Patterns and Excluded URL Patterns subkeys work in conjunction with the SFSafariWebsiteAccess key to specify accessible webpages. First, access is limited by the SFSafariWebsiteAccess values, then the Allowed URL Patterns and Excluded URL Patterns keys are applied. Here’s how these keys work:

  • If you don't specify either key, the file is injected into any website.

  • If you specify the Allowed URL Patterns key, the file is injected only into webpages whose URL matches one of these patterns. The value for this key is an array of domain patterns.

  • If you specify the Excluded URL Patterns key, the file is not injected into any webpages whose URL matches any of these patterns. The value for this key is an array of domain patterns.

These restrictions are in addition to those set in the SFSafariWebsiteAccess values. If you specify Some access for your app extension, for example, you have access only to the domains matching your provided domain patterns. Items in Allowed URL Patterns and Excluded URL Patterns create additional restrictions within those domains. Be sure all the items in your Allowed URL Patterns are within a domain you have access to.

URL Patterns

A URL pattern takes the form Scheme://Domain/Path.

  • Scheme can be http or https.

  • Domain is the host domain, such as developer.apple.com or www.example.co.jp.

  • Path is the directory or webpage, such as safari/ or safari/library/navigation/index.html.

A URL pattern can include the asterisk (*) character to match any string. Using an asterisk, you can specify all pages in a particular domain, for example, without having to create an exhaustive list.

The asterisk character can be used anywhere in the domain or path, but not in the scheme. Here are some examples:

  • http://*/*—Matches all HTTP URLs.

  • http://*.example.com/*—Matches all webpages from example.com.

  • http://subdomain.example.com/*—Matches all webpages from subdomain.example.com.

  • http://www.example.com/thepath/thepage.html—Matches one webpage.

  • https://*/*—Matches all webpages that are delivered over HTTPS.

  • https://secure.example.com/accounts/*—Matches all webpages from the accounts directory of secure.example.com that are delivered over HTTPS.

See Also

Access and Permissions

Setting Safari App Extension Feature Keys

Set keys for permissions, scripts, style sheets, contextual menu items, and toolbar items in the information property list file.

Adjusting Website Access Permissions

Set website access permissions in a Safari App Extension using information property list keys.