tabs.query only returns tabs with urls to which the user granted access - unlike on Chrome & Firefox

Question

Created Sep ’20

Replies 4

Boosts 0

Views 1.9k

Participants 2

Hi there,

I am in the process of porting my Chrome / Firefox Extension »Tab Ahead« to Safari. The source-code is on https://github.com/janraasch/tab-ahead

Using "xcrun safari-web-extension-converter" I was able to get a nice Xcode Project and the extension works.

I did find one difference in behavior though: The extension uses tabs.query to retrieve a list of all tabs. On Chrome & Firefox setting the "permissions" to ["tabs"] in the manifest.json does the trick. On Safari there are two issues:

Every time time the user clicks the pop-up on a page they did not previously grant permission to access they are asked for permission.
And, tabs.query only returns tabs with urls the user previously granted access to.

I did solve this by also asking for the "<all_urls>"-permission, but that makes it seem like my extension does all kinds of things :-) or at least it could do all kinds of things, but really it does absolutely nothing on any page. It's only about the urls and titles of open tabs.

Maybe I am overlooking something, but this does seem overly restrictive for any "tabs management"-extension and also this is misleading to the user of any such extension - I think.

Let me know, if there is another way to make tabs.query work the way it does on Chrome & Firefox.

Kind regards,
Jan

PS:

I am running this on Safari Version 14.0 (15610.1.28.1.7, 15610)

Also, I posted this as feedback as well. The ID is FB8705146.

Answered by Frameworks Engineer in 637832022

I tried converting your Tab Ahead Chrome extension using the Safari conversion tool. The permission alert that happens when doing a browser.tabs.query() is the expected behavior and will remain in Safari. Unlike other browsers, Safari requires the user to give site permission to access tab URLs and titles at time of first use, not time of extension install. This is why you see no alerts about permissions when enabling a web extension in Safari.

I see why you would think you need to add <all_urls>, since that shows the "Always Allow on Every Website…" button in preferences. Safari should give users that option when just the "tabs" permission is used, since there is an expectation that tab managers like yours need access to all tabs. I will use your feedback request to track changes to Safari in that area.

You can use browser.permissions.request({origins: ['<all_urls>']}) to upgrade your extension later to get the "Always Allow on Every Website…" button. This will not grant all permissions, just the ability to ask the user to allow it. The user will still need to take action at time of use to allow one site, or all sites. (You will also need to put <all_urls> in optional_permissions in the manifest.)

Thanks for the info and feedback!

Boost

Answer 1

Frameworks Engineer OP

Apple

Sep ’20

The URL and title of the page is considered sensitive information. Calling tabs.query() should prompt the user for permission to the requested tabs (via a badged toolbar button or sometimes an alert) if permission has not already been granted. You should not need <all_urls> to simply get the url or title in the query, the tabs permissions is enough here. If you find otherwise, please attach a sample extension to the feedback you filed so we can investigate. Thanks!

0

Answer 2

janraasch OP

Sep ’20

Hi Timothy, thank you very much for your timely and detailed reply.

I think you understood my issue, but I am not sure, if I get your answer completely, so let me hit you with a few follow-up questions so I can make sure I understand you correctly.

You said that

The URL and title of the page is considered sensitive information. Calling tabs.query() should prompt the user for permission to the requested tabs (via a badged toolbar button or sometimes an alert) if permission has not already been granted.

Then, my follow-up question is "What's the use of the tabs-permission?".

I'll give more context so it's hopefully easier to understand where I am coming from here.

On Chrome and FireFox (where my Extension is already running) the user is only asked for her consent (to the "tabs"-permission) once at the time of installing the extension. After that, is does not matter which URLs / websites the user currently has opened in her respective tabs: The user can always open the extension Pop-Up and search through all her tabs (i.e. the tabs.query is called) without being asked for any further permission.

So that's where I see the difference. Can you confirm this? Am I getting this correctly?

Now you may also understand *why* I added the <all_urls>-permission: Safari is supposed to ask for permission depending on the URLs / websites which are currently open, *as you said*, but I wanted to establish the same behavior I have on Chrome & FireFox.

So I suppose the third and final question now is: Will this difference in behavior remain in Safari? If yes, it seems like I need to add the <all_urls>-permission to enable a seamless user experience.

I uploaded the XCode project and the "Resources"-folder of the extension on the feedback-ticket, but it's all open-source as well:

The tabs.query-call is here: https://github.com/janraasch/tab-ahead/blob/master/app/scripts/popup.coffee#L45
The manifest.json is to be found at: https://github.com/janraasch/tab-ahead/blob/master/app/manifest.json
And here is the manifest.json is I played around with to make it work on Safari w/o all the permission-popups: https://github.com/janraasch/tab-ahead/blob/safari/app/manifest.json

If you want to checkout how the behavior is on Chrome you can download the extension from https://chrome.google.com/webstore/detail/tab-ahead/naoajjeoiblmpegfelhkapanmmaaghmi

For Firefox go to https://addons.mozilla.org/en-US/firefox/addon/tab-ahead-firefox/?utm_source=addons.mozilla.org&utm_medium=referral&utm_content=search.

Let me know, if you need anything else.

Kind regards and thank you,
Jan

0

Answer 3

Frameworks Engineer OP

Apple

Sep ’20

Accepted Answer

I tried converting your Tab Ahead Chrome extension using the Safari conversion tool. The permission alert that happens when doing a browser.tabs.query() is the expected behavior and will remain in Safari. Unlike other browsers, Safari requires the user to give site permission to access tab URLs and titles at time of first use, not time of extension install. This is why you see no alerts about permissions when enabling a web extension in Safari.

I see why you would think you need to add <all_urls>, since that shows the "Always Allow on Every Website…" button in preferences. Safari should give users that option when just the "tabs" permission is used, since there is an expectation that tab managers like yours need access to all tabs. I will use your feedback request to track changes to Safari in that area.

You can use browser.permissions.request({origins: ['<all_urls>']}) to upgrade your extension later to get the "Always Allow on Every Website…" button. This will not grant all permissions, just the ability to ask the user to allow it. The user will still need to take action at time of use to allow one site, or all sites. (You will also need to put <all_urls> in optional_permissions in the manifest.)

Thanks for the info and feedback!

0

Answer 4

janraasch OP

Sep ’20

Hi Timothy, thank you again for replying so quickly and in such a professional fashion 👍🏻.

Now everything is 100% understood.

I see why you would think you need to add <all_urls>,
since that shows the "Always Allow on Every Website…" button in
preferences. Safari should give users that option when just the "tabs"
permission is used, since there is an expectation that tab managers like
yours need access to all tabs. I will use your feedback request to
track changes to Safari in that area.

I really appreciate you moving forward with this 💯.

Thanks for the info and feedback!

Absolutely.

Kind regards,
Jan

0