Search Results

Does the new Safari Web Extensions allow JS injection on iOS? I have a web extension that is currently running on Chrome and Firefox, but I would like to bring it to my iOS users (who currently use it through a Siri Shortcut JS injection).

While I can get a simple webextension to load on my development machine, I can't figure out how to package it for distribution. What are the requirements for doing so? I've tried: Enabling hardened runtime Clicking the checkbox to allow Apple events. Removing the "strip" step from the build process to avoid warnings about code signature being invalidated. Signing both Extension and App with a Developer ID Application certificate. Notarizing the App. Exporting the notarized app. After doing the above, I copy the notarized app to a testing machine. I can then run it. A dialog pops up that says: "Foo extension is currently off. You can turn it on in Safari Extension preferences." But when I click the button to open Safari Extension preferences, the extension is not listed. What am I doing wrong?

My team is developing a web extension and we were also trying to port it to support Safari. The conversion using xcrun was pretty smooth. However, we are not able to download a file to our disk drive, and this is only broken in Safari extension (It works across other browsers and in Safari tab too). I think the issue is that the Download Permission Popup is not appearing for the user, which I got when running the extension in a tab. Here's a gist to help you understand more: domtoimage 			.toBlob(element) 			.then(function (blob) { 				const url = window.URL.createObjectURL(blob); 				saveAs(url, "data.png"); 			}); The above code works across browsers, nothing happens when running as a Safari Web Extension Let me know what you think!

For my extension that shows the latest stock prices, I call browser.browserAction.setBadgeBackgroundColor() to change the badge background to green or red depending on whether the price is up or down. The badge color should be green but it's always red. Is this expected? It's not documented in the compatibility doc here - https://developer.apple.com/documentation/safariservices/safari_web_extensions/assessing_your_safari_web_extension_s_browser_compatibility. See a side-by-side comparison screenshot - https://www.icloud.com/iclouddrive/0XIabSA-GtYrn7zlqnIAkgsIg#Screen_Shot_2020-08-08_at_4.28.47_PM with Chrome 84 on the top and Safari 14 beta 2 on the bottom.

When I enable extension for Safari, and first time I tap on the button, it shows me privacy dialog box and when I grant permission, the dialog box is dismissed and to make my extension work, I have to again click on the extension button. I have requirement that my extension should work only when user taps on the button post enabling the extension. So, for each and every page I visit I need to manually tap on button before my injected content-script comes into action. My background.js is where extension click method is registered and executes, chrome.browserAction.onClicked.addListener(function (tab) { 		getActiveTab(function (tabID) { 				chrome.tabs.sendMessage(tabID, { name: 'inject-content' }); 		}); }); function respond(message, sender, callback) { 		console.log(">>>> PROCESS MESSAGE => " + message); } chrome.runtime.onMessage.addListener(respond); Here, from background script, extension button is handled and when tapped, load() from content-script is called via chrome.tabs.sendMessage() and processes different things. My content-script.js is like, var loadInit = function loadInit(message, sender, callback) {   console.log("SAFARI => " + message.name);   if (message.name == 'inject-content') {    //chrome.runtime.onMessage.removeListener(loadInit)    load();   } }; console.log("SAFARI Message=> "); chrome.runtime.onMessage.addListener(loadInit); function load() { 		console.log("Loading action methods"); 		chrome.runtime.sendMessage({ init: true }); } Here, chrome.runtime.sendMessage() is handled in background script and code in respond() method will be executed. My query is, are we able to avoid second tap we make on extension button after we granted permission for the extension? Should permission grant not execute extension button code without explicit tap second time?

I have been working on an extension which I migrated with xcrun safari-web-extension-converter PATH. When I press extension button on safari toolbar it shows me message like, This extension would be able to read and alter webpages and see your browsing history on this website. This could include sensitive information, including passwords, phone numbers, and credit cards. However, my extension is only accessing url to bookmark it and localstorage to access user tokens, tabs so new tab with somedomain.in can be opened open bookmarked link into new tab. Here is excerpt from manifest.json, "permissions" : [   "*://*.domain.in/*",   "activeTab",   "storage",   "notifications",   "tabs"  ], "optional_permissions": ["activeTab", "*://*.domain.in/*"],     "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",  "web_accessible_resources": [   "corner.css",   "js/init.js",   "init.bundled.js",   "js/jquery.min.js",   "js/taggle.min.js",   "js/typeahead.bundle.min.js",   "ext.html.js",   "assets/*"  ], It feels access to sensitive information is a bit scary for extension which just stores and manages URLs. Would you suggest me any solution over here so I can use limited permission and avoid sensitive info message..?

I have working cross-platform extension which I converted for Safari using xcrun safari-web-extension-converter PATH. Goal of extension is to bookmark any URL into my website account. My extension is perfectly working fine for Chrome but for Safari version, everything works well if user allows access permission for every website. The case is, when user presses extension button, we are checking user is logged into its account or not by opening our website URL into another tab. var openSignin = function openSignin() { 	console.log('hey'); 	chrome.tabs.create({ url: _config.baseURL + '?extension=1', active: false }); }; When this AUTH tab is loaded, following method will be called as it happens in Chrome which in turn extracts public and private tokens generated when any user logs into our website. chrome.tabs.onUpdated.addListener(function (tabID, changeInfo, tab) { if (tab.status == 'complete' && tab.url.startsWith(_config.baseURL)) {   chrome.tabs.executeScript(tab.id, { code: 'localStorage.getItem("PUBLIC")' }, function (r) {    localStorage['PUBLIC'] = JSON.parse(r[0]);    chrome.tabs.executeScript(tab.id, { code: 'localStorage.getItem("PRIVATE")' }, function (r) {     localStorage['PRIVATE'] = JSON.parse(r[0]);     if (localStorage['PRIVATE'] && tab.url === _config.baseURL + '?extension=1') {      chrome.tabs.remove(tabID);     }    });   });  } }); The issue lies here is that until user does not grant for "Always Allow on Every Website" (I mean grant permission for https://www.OURDOMAIN.com/extension?extension=1), chrome.tabs.onUpdate is giving tab.url = "" and it does not give proper URL value so we come to know that particular user is signed in or not (we don't get that our domain tab is loaded or not due to this issue). Do we have any way to allow access for our website without user's consent? Following is our manifest.json: { 	"name": "EXT NAME", 	"description": "DESCRIPTION", 	"manifest_version": 2, 	"version": "1.0.181", 	"minimum_chrome_version": "23", 	"offline_enabled": true, 	"browser_action" : { 		"default_icon" : { 			 "64": "logo/stash.png" 		}, 		"default_title" : "Add to Stash" 	}, 	"background" : { 		"scripts" : [ 			"bundle.js" 		] 	}, 	"content_scripts": [{ 			"js": [ "init.bundled.js" ], 			"matches": [ "<all_urls>" ] 	}], 	"icons": { 		 "16": "logo/stash_small.png", 		 "64": "logo/stash.png" 	}, 	"permissions" : [ 			"https://*.stash.ai/*", 		"activeTab", 		"gcm", 		"storage", 		"notifications", 		"identity", 		"contextMenus", 		"tabs", 		"idle" 	], 	"externally_connectable": { 		"matches": ["https://*.stash.ai/*"] 	}, 	"content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'", 	"web_accessible_resources": [ 		"corner.css", 		"js/init.js", 		"init.bundled.js", 		"js/jquery.min.js", 		"js/taggle.min.js", 		"js/typeahead.bundle.min.js", 		"ext.html.js", 		"assets/*" 	], "commands": { 		 "_execute_browser_action": { 			 "suggested_key": { 				 "default": "Ctrl+Shift+S", 				 "mac": "Command+Shift+S" 			 }, 			 "description": "Send a link to Stash!" 		 } 	 } } Please check permissions and content_scripts properties where I tried to put proper options but no solution. I event tried externally_connectable but still without user's consent I am not able to receive proper URL for that particular tab. Would you suggest me any solution of how I can authenticate my user here? The main authentication is done backend side only and I am not using any API here. I am just opening new tab which if loaded successfully authentication will be validated. I hope my problem is clear. If there are any queries let me know.

At present I have safari app extension which supports macOS version 10.13. 6 and 10.12. If i switch to Safari web extension, their support will be lost. Is there any plan for deprecation of safari app extension.

The following keys in your manifest.json are not supported by your current version of Safari. If these are critical to your extension, you should review your code to see if you need to make changes to support Safari: storage webRequestBlocking incognito privacy What am I supposed to use for webRequestBlocking with Safari? (Seems this would be one of the most desired keys for web extensions?)

In her WWDC20 talk, Ellie Epskamp-Hunt mentioned in passing that you should assume that just because DOMContentLoaded has occurred that the script is loaded (for example, user might have to give it permission to load). But she doesn't say how you should determine that the script has loaded. How should you do that?

I have an app that primarily revolves around a WKWebView. A community has created quite a few browser extensions around the website that my app as a client for. I would love to allow users to incorporate those extensions easily. Is there a way to do that?