When you open Safari's Extensions Preferences, you may see some scary warnings, such as "Can read sensitive information from webpages, including passwords, phone numbers, and credit cards on: all webpages" and "Can see when you visit: all webpages".
These warnings scare many people away from Safari extensions entirely, and unfortunately Safari's help (the ? button) provides no helpful information or guidance to users.
The scary, unexplained warnings also cause App Store customers to leave negative reviews for Safari extensions, accusing the extension developers of "overreach". This situation is not good for anyone, either extension users or extension developers. Thus, my goal in this blog post is to try to clear up some of the confusion surrounding Safari extension permissions and security.
If you use "Show Package Contents" in Finder to show the contents of my own StopTheMadness.app, you'll find the Safari app extension StopTheMadness.appex inside the
script.js in the
To be clear, you do not have permission to publish or redistribute my source code. It's copyrighted, so that would be very illegal, and I will prosecute violations with extreme prejudice. Am I worried about someone stealing my source code? A little. However, as an indie developer I've discovered that marketing software is much more difficult than writing software. Even if you stole my code, good luck finding users to install it! I have a hard enough time with that myself. Anyway, I hope that other Safari extension developers aren't mad about my little reveal here, for every Safari extension is open source in the same sense as mine. My goal here is to encourage the purchase and use of Safari extensions by dispelling the FUD about extensions triggered by the Extensions Preferences warnings, so I intend this to help rather than harm developers. Besides, the secret is difficult to keep when any technically minded user is capable of poking around in your app bundle.
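Poking around in an app bundle can also be scripted. The following is an added example, not code from StopTheMadness or from the original post: it finds every Safari app extension inside an app bundle, reads the website access its Info.plist declares, and lists the JavaScript files it ships, which are the files to read before deciding whether to trust it. The Example.app bundle and its directory layout are constructed for the demo and are assumptions.

```python
import plistlib
import tempfile
from pathlib import Path

SAFARI_POINT = "com.apple.Safari.extension"  # extension point of Safari app extensions


def audit_bundle(app_path):
    """Return one record per Safari app extension found anywhere inside app_path."""
    records = []
    for appex in sorted(Path(app_path).rglob("*.appex")):
        plist_file = appex / "Contents" / "Info.plist"
        if not plist_file.is_file():
            continue
        with plist_file.open("rb") as fh:  # plistlib reads XML and binary plists
            ext = plistlib.load(fh).get("NSExtension", {})
        if ext.get("NSExtensionPointIdentifier") != SAFARI_POINT:
            continue  # some other kind of extension
        access = ext.get("SFSafariWebsiteAccess", {})
        records.append({
            "appex": appex.name,
            "level": access.get("Level", "(not declared)"),
            "domains": access.get("Allowed Domains", []),
            "declared_scripts": [s.get("Script") for s in ext.get("SFSafariContentScript", [])],
            "js_on_disk": sorted(p.name for p in appex.rglob("*.js")),
        })
    return records


def build_sample_bundle(root):
    """Constructed sample: Example.app with one Safari app extension (assumed layout)."""
    appex = Path(root) / "Example.app" / "Contents" / "PlugIns" / "Example.appex"
    resources = appex / "Contents" / "Resources"
    resources.mkdir(parents=True)
    info = {"NSExtension": {
        "NSExtensionPointIdentifier": SAFARI_POINT,
        "SFSafariWebsiteAccess": {"Level": "All"},
        "SFSafariContentScript": [{"Script": "script.js"}],
    }}
    with (appex / "Contents" / "Info.plist").open("wb") as fh:
        plistlib.dump(info, fh)
    (resources / "script.js").write_text("// constructed placeholder script\n")
    return Path(root) / "Example.app"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for record in audit_bundle(build_sample_bundle(tmp)):
            print(record)
```

To audit a real app, pass its path to `audit_bundle` instead of the constructed sample.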
In general, my view is that you shouldn't install software on your Mac unless you trust the developer. You can't rely on the system to protect you from malicious software, because there are always vulnerabilities and ways to get around the system. There are sandbox escapes. There are privacy protection bypasses. I've discovered some myself and reported them to Apple Product Security. You can read about one that I've disclosed. Stay tuned for more. ;-) You can't rely on the App Store to protect you, because App Store review is a complete joke. It's important for users to know the risks of installing software, but it's also important not to ignore the rewards of installing software, not to let your life be ruled by fear. After all, installing software on your Mac is less risky than everyday activities such as driving a car or drinking alcohol (and much less risky than those activities combined!). Safari extensions can make your life a lot easier, as long as you're prudent about which ones you install. Don't rely on App Store review or App Store customer reviews, which can be ignorant and/or faked; instead, rely on recommendations from friends, rely on software reviews by respected media outlets. Rely on indie developers who treat you like the customer instead of treating you like the product to sell to advertisers. In recent years Apple has been adding more and more scary warnings to macOS, like Windows Vista, but keep in mind that the warnings are for capabilities that Mac apps always had since the beginning of Mac OS X, and indie developers did not abuse the power they had, even when there were no warnings.