Migrating Safari App Extension Website Access to Web Extension Host Permissions

Question

Created May ’21

Replies 2

Boosts 0

Participants 2

Does Safari make an attempt to match previous Website Access for users when migrating an app extension to web extension?

Currently our extension uses this plist config to allow access to all urls.

Code Block <key>Permissions</key>
<dict>
  <key>Website Access</key>
  <dict>
    <key>Include Secure Pages</key>
    <true/>
    <key>Level</key>
    <string>All</string>
  </dict>
</dict>

When migrating to a web extension where the <all_urls> permission is requested, will Safari grant this permission automatically? I understand for new users the model would be to not grant broad host permissions without additional action from the user, e.g. interacting with the browser action, or manually enabling all urls in the extension preferences. But for existing users, are comparable host permissions retained?

If there isn't a migration attempt, is there a pattern extension authors can use to request additional host permissions programmatically when the extensions is updated?

One idea i tried is requesting the all urls permission at runtime, Sadly it doesn't work:

Code Block javascriptchrome.permissions.request({permissions: ["<all_urls>"]})

Boost

Answer 1

Engineer OP

Apple

May ’21

Any existing website permissions that were granted via your App Extension's Info.plist will not be transferred over to your web extension. Users will need to give your web extension permission to access any websites they want the web extension to have access to.

Enabled state will be migrated over, to see some information about how to accomplish that check out the "Migrate Your Users to Your Safari Web Extension" section of:
https://developer.apple.com/documentation/safariservices/safari_web_extensions/converting_a_safari_app_extension_to_a_safari_web_extension?language=objc

You should try to avoid making your extension request permission to all websites on startup. What does your extension do that it needs permission to all websites?

0

Answer 2

georgehenderson OP

May ’21

Thanks @bweinstein for the response. Auto enabling the migrated extension is helpful, but is there a pattern for requesting host permissions for a large list of sites upon install or update?

Our extension automatically saves customers money while shopping on tens of thousands of sites (an ever growing list that changes every day) by automatically applying coupons at checkout among other features. Currently we whitelist sites dynamically through an api where we provide functionality, while remaining silent and inactive on other sites. With the new model, it breaks the automatic nature of being able to signal to our customers savings are available. When we migrate our extension this essentially becomes a breaking change for our customers, since functionality that happened automatically will now require specific host permissions. We have concern the current browser action highlighting that happens on extensions pending host permissions is so subtle most users will miss engaging and saving money. Chrome has talked about making similar host permission changes but have stated that they plan to grandfather existing host permission grants for existing extension installs. They have also spoke about providing opportunities to signal to customers in the page context that an extension can provide additional functionality on a given page or element on the page.

Through testing web extensions it seems there is a max number of sites you can request host permissions from at one time, 30-35? Is there the ability or plan to allow programatic requests for larger lists of host permissions or support for all urls in the future?

0