{"id":28321,"date":"2020-03-06T15:01:27","date_gmt":"2020-03-06T20:01:27","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=28321"},"modified":"2022-07-14T15:05:18","modified_gmt":"2022-07-14T19:05:18","slug":"the-decimation-of-safari-extensions","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2020\/03\/06\/the-decimation-of-safari-extensions\/","title":{"rendered":"The Decimation of Safari Extensions"},"content":{"rendered":"

Jeff Johnson<\/a>:<\/p>\n

\n

As a result of the change in format from safariextz<\/code> to app<\/code>, Safari extensions have been decimated. There are significantly fewer Safari extensions available. The developer program membership cost factor is obvious, so I won’t spend any more time discussing that. I believe that the biggest barrier now to creating Safari extensions is not money but developer expertise. To create an extension for Firefox, Chrome, or any browser based on Chromium — Microsoft Edge, Brave, Opera, Vivaldi — you just need to know JavaScript, CSS, and HTML. In other words, almost any web developer in the world can create an extension for almost any web browser in the world. All these worlds are yours… except Safari! Attempt no landing there. Safari is unique, unprecedented in its extension requirements. Safari extension developers still have to know web development, but they also have to know native Mac development.<\/p>\n

[…]<\/p>\n

If you’re wondering why your favorite old Safari extension hasn’t been ported to a new Safari app extension, the reason isn’t necessarily just lack of native Mac development expertise by the developer. Even though an app<\/code> extension still uses JavaScript and CSS like a safariextz<\/code>, the new API is not the same as the old API. Developers can’t simply take the old JavaScript and stick it inside a Mac app bundle, that’s not how it works. The new SafariServices API is simply not as powerful as the old Safari JavaScript API. There are things an extension could do in the past that it can no longer do.<\/p>\n<\/blockquote>\n\n

Brian Krebs<\/a> (Hacker News<\/a>):<\/p>\n

\n

The incident is a reminder that browser extensions — however useful or fun they may seem when you install them — typically have a great deal of power and can effectively read and\/or write all data in your browsing sessions. And as we’ll see, it’s not uncommon for extension makers to sell or lease their user base to shady advertising firms, or in some cases abandon them to outright cybercriminals.<\/p>\n<\/blockquote>\n\n

As far as I know, the new Safari extensions model doesn’t fix this problem. I don’t want to run any extensions that have access to both the full webpage contents and the ability to send my information to a server. The extension runs in its own process, and thus I get a Little Snitch alert if it tries to make a network connection. But the extension could also modify the page content to make network connections on its behalf, and then this would not be caught by Little Snitch. So it still seems like the only way to be sure an extension is safe is to read its JavaScript source.<\/p>\n\n

Previously:<\/p>\n