We have a few content scripts designed to run mostly on our domains with maybe a couple of exception of specific sites where we provide exact URLs, (no wildcards). We do use wildcard for own domains though but that includes at least top level domain.
Safari still doesn't allow the web extension to inject content scripts into these pages until the user explicitly allows them. And this would be fine except when using all_frames option which is actually supported by Safari but is not taken into account when requesting permission from the user. So when user clicks "Always allow on this site" it only includes the top level page but not the iframes within which also require their own instance of content script. And the user has no chance to allow that unless they use "Always allow on all sites" option but it's not like we're going to guide every user to use that option.
Is it possible to trigger the prompt for access programmatically or indicate that Safari should give access to certain domains by default?
This is a good use case that would be nice to address. Can you file feedback at Feedback Assistant?
In the meantime, you can use the browser.permission.request() API to prompt for permissions. Those will affect content script injection too.
