Thursday, September 26, 2019

Safari 13 and Extensions

Apple (Hacker News):

Removed support for Legacy Safari Extensions

1Password:

Moving forward, the use of 1Password with Safari will require 1Password 7, which fully supports the latest Safari and macOS releases.

[…]

We’ve been asked if it would be possible for us to provide the extension such that it could be installed regardless of the Safari Extension Gallery’s status. Since Safari 12 does not allow .safariextz extensions to be installed from anywhere except the gallery, and Safari 13 does not allow such extensions to be installed from any source, if we were to provide the extension files, they could not be installed. As such this will not be a feasible solution.

janfoeh:

It really, really is a shame that they removed proper extensions. While Safari never had a good extension story, it was at least bearable, and in all other regards its simply the best Mac browser.

Now I have to take a really hard look at switching back to Firefox, and that would be a downgrade in almost every regard I care about. Pity.

dantondwa:

Just opened it again out of curiosity and the first message I got is that the Bitwarden and Pocket extensions are not supported anymore. Oh, well, as much as I’d like to use it, a desktop browser without extensions is dead to me. There are some extensions that provide me with little quality of life improvements and whatnot. Since, when I’m using my computer, I’m almost always using a browser, these things become important.

I wonder why Apple decided to axe extensions and not support WebExtensions, that at this point have become a standard shared by Firefox and Chrome. Too bad.

glogla:

Apple removed the ability to use uBlock Origin or similar.

I tried few ad blocker from the app store, but non of them block Youtube’s video ad, making it useless.

We still have Firefox for now I guess.

Geoff Duncan:

I appreciate Apple adding privacy protections to Safari. However, since Safari 13 for macOS cannot run legacy extensions that worked—which cannot generally be replaced with the new, more-limited extension apps that don’t—Safari is now off my list of “usable browsers.”

Mark Hughes:

So I hit upgrade, and I regret everything.

Obviously, this is the release where they break Safari Extensions, they now have to be apps. uBlock Origin is dead. I’ve installed Ghostery Lite for the moment but I have no real solution for the future[…]

[…]

Yeah, obviously I could change to another browser. But I hate every other browser.

Jeff Johnson:

There are 2 separate questions that are getting conflated:

1) Why did Apple deprecate the JavaScript API “canLoad” in favor of content blockers?

2) Why did Apple deprecate safariextz in favor of Safari app extensions?

Apple did 1 and 2, but they could have done 1 without 2.

The problem with 2 is that it limits the pool of extension devs to experts in both JS and AppKit. Very small pool.

Web devs don’t want to learn AppKit. Not even iOS devs want to learn AppKit. And Catalyst apps don’t support Safari extensions!

Jeff Johnson:

Apple: iPad is a real computer.

People: Real computers have browser extensions.

Apple: [kills most Safari Mac extensions] You were saying?

Catalin Cimpanu (via Hacker News, Slashdot):

Over the course of the last year and a half, Apple has effectively neutered ad blockers in Safari, something that Google has been heavily criticized all this year.

But unlike Google, Apple never received any flak, and came out of the whole process with a reputation of caring about users’ privacy, rather than attempting to “neuter ad blockers.” The reasons may be Apple’s smaller userbase, the fact that changes rolled out across years instead of months, and the fact that Apple doesn’t rely on ads for its profits, meaning there was no ulterior motive behind its ecosystem changes.

[…]

The latest to fall is uBlock Origin for Safari, another ad blocker, which shut down for good two weeks ago. In a post on GitHub, the extension’s developer recommended that users who care about running an ad blocker either switch to using Firefox for Mac, where ad blockers still work just fine, or remain on an older Safari version, which is not really an option.

The other alternative was that users switch to using one of the new Content Blocker-based ad blockers; however, he described the new Content Blocker system as being “extremley limited in adblocking functions.”

[…]

On the other side, when Apple rolled out the new Content Blocker API, it enforced a maximum limit of 50,000 rules for each new extension that wanted to block content inside Safari.

bad_user:

Safari’s content blockers are super easy to circumvent by anti-ad-blocking tech.

That many publishers don’t do that already is a mystery, probably because visitors with ad-blocking are still a minority and publishers don’t want to piss them off.

Will Lesieutre:

When Apple says “We’re designing this API in a way that allows you to block ads without having full visibility to monitor everything that any user does every web page they visit” it’s totally believable because it’s in line with the last 10+ years of their product direction.

Yeah, it makes ad blockers less powerful. It also makes them less of an enormous security risk in that all of your web traffic is redirected through them, and a compromised extension could do whatever it wanted with that.

Kuba Suder:

I don’t like the dropped support for old Safari extensions, because I will need to spend some time to look for a replacement for @Ghostery (the Lite isn’t as good)…

Previously:

6 Comments RSS · Twitter

It’s time for all these people to adopt net filters like AdGuard for macOS or if they’re technically inclined, /etc/host files. Better yet use both.

Apple can’t “mitigate” what is a better security practice anyway.

A proxy filter (such as I use) isn't a substitute for an empowered endpoint blocker, it's a supplement. The "technically inclined" are the most adversely affected by this move.

For all the excuses of security, I know that I was much safer with the original Safari extensions. I used a lot of extensions from many sources, but since .safariextz's were just xars I unarchived each one and examined their code before installation. This sounds like more work than it was: it didn't take a lot of JS to do something useful, so it didn't take a lot of skimming to make sure they weren't doing anything they shouldn't. There was never a question of if the shipped code really matched its open-source repo. If an extension obfuscated its code, that was a red flag to delete it. If there was too much code to reasonably review, that was a big hurdle to installation that only one extension (uBlock Origin) overcame. I kept auto-updates off and rechecked new releases, which were rare. If an update broke, I rolled back to a previous release or patched it myself. If I needed anything else, I wrote my own personal-use extensions, for free, to customize individual websites and behaviors.

That's how one technical person used extensions responsibly. None of that is possible now: you have to trust that paywall-locked binary blobs from sketchy devs haven't slipped malicious behavior past Apple's review, something that happens regularly. Apple removed user power, freedom, and security and gave nothing in exchange.

@Leo: "It’s time for all these people to adopt net filters like AdGuard for macOS or if they’re technically inclined, /etc/host files. Better yet use both."

I don't think those solutions are nowhere near as capable as uBlock Origin and Ghostery are inside a browser, so that's not a replacement, just a complement.

I seem to be in a minority but I actually like Chrome best. Yes, I know, it's not the best browser for battery life and it's Google, but I still prefer it over Safari and Firefox (and I use all three simultaneously almost every day) for multiple reasons.

Using a computer involves making decisions about who to trust as far as software. When it comes to web security, I would rather trust a few developers of my choosing than be forced to trust an inadequate solution from Apple.

As for LAN-wide blocking, that’s certainly part of a good belt-and-suspenders approach, but unless one is willing to also set up a personal VPN, it won’t work outside the house.

the new safari extensions don't allow javascript/css to be inserted for reader-mode URLs, so extending the reader mode is impossible now.

Leave a Comment