Friday, March 6, 2020 [Tweets] [Favorites]

The Decimation of Safari Extensions

Jeff Johnson:

As a result of the change in format from safariextz to app, Safari extensions have been decimated. There are significantly fewer Safari extensions available. The developer program membership cost factor is obvious, so I won’t spend any more time discussing that. I believe that the biggest barrier now to creating Safari extensions is not money but developer expertise. To create an extension for Firefox, Chrome, or any browser based on Chromium — Microsoft Edge, Brave, Opera, Vivaldi — you just need to know JavaScript, CSS, and HTML. In other words, almost any web developer in the world can create an extension for almost any web browser in the world. All these worlds are yours… except Safari! Attempt no landing there. Safari is unique, unprecedented in its extension requirements. Safari extension developers still have to know web development, but they also have to know native Mac development.

[…]

If you’re wondering why your favorite old Safari extension hasn’t been ported to a new Safari app extension, the reason isn’t necessarily just lack of native Mac development expertise by the developer. Even though an app extension still uses JavaScript and CSS like a safariextz, the new API is not the same as the old API. Developers can’t simply take the old JavaScript and stick it inside a Mac app bundle, that’s not how it works. The new SafariServices API is simply not as powerful as the old Safari JavaScript API. There are things an extension could do in the past that it can no longer do.

Brian Krebs (Hacker News):

The incident is a reminder that browser extensions — however useful or fun they may seem when you install them — typically have a great deal of power and can effectively read and/or write all data in your browsing sessions. And as we’ll see, it’s not uncommon for extension makers to sell or lease their user base to shady advertising firms, or in some cases abandon them to outright cybercriminals.

As far as I know, the new Safari extensions model doesn’t fix this problem. I don’t want to run any extensions that have access to both the full webpage contents and the ability to send my information to a server. The extension runs in its own process, and thus I get a Little Snitch alert if it tries to make a network connection. But the extension could also modify the page content to make network connections on its behalf, and then this would not be caught by Little Snitch. So it still seems like the only way to be sure an extension is safe is to read its JavaScript source.

Previously:

9 Comments

Ricky Morse

Out of curiosity, because I don't see one on the App Store, are there any extensions available that provide an RSS button?

Thanks,
Ricky

And it is worst it now has to go through App Store. Apple simply refuse to have the extension where it automatically convert Simplified Chinese to Traditional Chinese.

Update: Turns out the issue has since been solved.

I have been using Safari since it was in beta on 10.2 and I finally/just recently have sworn it off entirely.

The first stab wound was pairing down the browser plugin API and killing off uBlock origin. I switched to using a hosts file, which is probably better anyway.

But I'm not sure what's going on these days. Safari seems to have a quirk where it won't just won't load pages without quitting and reopening. It seems to happen especially when exploring tweet threads and opening tweets in a new tab/window. Quit/relaunch the app then loads those urls just fine. Meanwhile Firefox never has an issue and has gotten much better on MacOS in the last two years or so (and praise for that because I can't bring myself to use Chrome).

I suppose maintaining a browser is incredibly hard work, but Safari today seems to have lost it's mojo as a desktop application... in similar fashion to what happened to iWork, iLife, Mail and Messages.

NetNewsWire likely provides such a button to add a feed to NetNewsWire.

@Ben Yes, I’ve been having to quit Safari to get it to work, too. It also beachballs every time it fills in a password. And forgets that I’m logged into sites that I visit every day. It used to be such a fantastic app.

@Ben, @Michael:

I agree with both of you regarding Safari issues and performance. On macOS I’ve happily/reluctantly using Firefox for quite some time now; happily in that its performance and functionality has been surprisingly good, reluctantly in that it still feels out of place in the Apple ecosystem. Where the experience falls flat on its face for me is on iOS devices. Although Firefox is available in the App Store, being stuck with a WebKit backend and thus not having decent ad blocking available makes the experience subpar. On the flip side of this are sites like Reddit which make Safari on iOS completely circle the bowl (thankfully I can just use Apollo instead).

And while there are advantages to the content blockers for Safari in terms of not being able to read website data, I’m not convinced they work as well as uBlock Origin for Firefox on macOS — especially now that sites are deploying dirty hacks to bypass content blockers, as opposed to uBlock which can analyze the data to watch for this kind of behaviour. This was seen in the most recent update for uBlock Origin where it needs permission for IP access to help block sites that were trying to do this, and unfortunately caused some hysteria in the community until it was clarified further. To that end I’ve been trying out Lockdown on iOS in tandem with Firefox to see if I can get better ad blocking while having the ability to sync browsing and bookmarks with the Mac version, and while it’s decent it’s still not a panacea.

Truth be told I’ve been giving serious thought to ditching all my Apple gear and returning to Linux on the desktop, for many reasons, but this certainly is on the list. And with more and more apps switching to subscriptions every time you look away for five seconds, I feel it’s only a matter of time before apps like 1blocker (which I currently use) or even the currently free-for-non-VPN Lockdown switch to the subscription model. At that point my only option, on iOS at least, is Brave? Already tried it and not a fan; even though it contains ad blocking by default, it’s performance is lacklustre.

Sören Nils Kuklau

I’ve had situations where visiting certain sites (but far from all!) causes it to just get stuck trying to load anything. This will then only happen to one instance of Safari, i.e. either Safari proper, or Safari TP. Thus, I surmised it’s something about my Library folder, and indeed, renaming ~/Library/Safari (or ~/Library/Safari TP, whichever is broken) temporarily would fix it. Then it would reappear after a few days. I’ve tried to file bugs on it but they close it as unreproduceable. Cool cool.

There’s also a long-standing strange behavior between Safari and Azure DevOps (a CI service). It’ll ask for HTTP authentication, then start loading the site, then randomly start asking for it over and over again — but only sometimes. I think what’s happening is that it’s treating any failed HTTP request including AJAX/fetch requests (a timeout, a 404, whatever) as failed authentication, and assumes it needs to prompt me for the password again (which is just dumb, as the password was clearly correct worked for the dozen requests a second ago!). I’m also guessing this has something to do with NTLM or Kerberos. But I also kind of don’t care, and just sadly use Firefox or Edge (Chromium) instead, both of which handle this just fine. Again, I’ve filed it as a bug; no, they haven’t considered it actionable.

Also ran into what is presumably a font size calculation bug today. Which unfortunately breaks being able to click links on that website, as they keep shifting around. Also filed; this one I’m reasonably optimistic they’ll eventually fix.

Overall, I really don’t like this feeling that stuff is just more likely to be broken on Safari than on other browsers.

I’ve also had the problem where pages just won’t load, especially around Twitter. It’s been a long standing bug, but seems to ebb and flow depending on version. I may switch to Firefox too.

Stay up-to-date by subscribing to the Comments RSS Feed for this post.

Leave a Comment