Safari Runs Disabled Extensions
I reported this issue to Apple Product Security on November 17, 2019. I received a reply from Apple Product Security on December 16 that said they do not see any actual security implications from my report. I replied, arguing that it was a privacy violation. A disabled extension can phone home without the consent of the user, indeed without the knowledge of the user, and expose information about the user: the user’s IP address, the user’s username (which is probably their real name), the fact that the user has installed the extension, the exact time that the user launches Safari, every time the user launches Safari, etc. I also suggested to Apple Product Security that executing native Mac code without any action by the user is a security problem, and furthermore that a maliciously crafted app extension could exploit any vulnerabilities in the SafariServices API that may exist, or exploit any sandbox escapes that may exist, despite being disabled in Safari, and again without any action at all by the user, except for installing the app. I received another reply from Apple Product Security on January 24, 2020, reiterating that they do not see any actual security implications.
This does seem like something Apple should fix.
Update (2020-03-27): Jeff Johnson:
After installing Safari 13.1, I can no longer reproduce the issue with my sample Safari app extension, which I made available for download in my previous blog post. As far as I can tell, the issue is completely resolved.