Monday, June 24, 2024

Always Allow Safari Bookmarklets

Jeff Johnson:

You may already be aware that for a number of years, Safari has asked your permission every time you click on a link, such as an RSS feed, that opens in an app other than Safari[…]

[…]

The permission prompt now has an option to “Always Allow”! This option is new in Safari 17.

This is an improvement, but even with Always Allow it only remembers per-domain. So I’m still prompted a lot when using MarsEdit and EagleFiler bookmarklets. And it messes up my muscle memory because I had been in the habit of always pressing Enter after invoking a bookmarklet to Allow it—Can you see from the slightly bold text in this iOS-style alert that Allow is the default button?—but with Always Allow it’s unpredictable. I have to either pause to see whether I need to press Enter or I end up with an extra blank line in my blog post draft.

You might wonder where this new preference is stored on disk. As far as I can tell, there’s no corresponding user interface in Safari Settings, certainly not in the Websites pane. What if you want to undo your selection? What if you select Always Allow by accident?

[…]

The good news is that with a little reverse engineering, I found a way to undo the preference. It’s stored on disk in the file ~/Library/Safari/PerSitePreferences.db, which is an SQLite database.

Jeff Johnson (Mastodon):

To run bookmarklets in Safari on macOS, you need to enable “Show features for web developers” in Safari Advanced Settings and “Allow JavaScript from Smart Search field” in Safari Developer Settings.

I think this is only necessary for testing them. I have this unchecked, and my previously created bookmarklets still work.

The permission is per-website, which means that every time you use the EagleFiler bookmarklet on a different website, Safari requests your permission again!

But he has a workaround:

This JavaScript first calls window.open(), which creates a new about:blank tab. It then creates an HTML anchor element—in other words, a hyperlink—adds the link to the about:blank document, and clicks the link automatically.

[…]

This time the value of the domain is empty (''), because about:blank has no domain. The about:blank trick allows you to use the same bookmarklet on every website without any additional permission prompts!

This kind of exposes the permission prompt as security theater, but if it’s not protecting us anyway we may as well get rid of the annoyance.

Previously:

1 Comment RSS · Twitter · Mastodon


"This time the value of the domain is empty (''), because about:blank has no domain"

I'm going to assume this is a bug and will be fixed.

Leave a Comment