The user can allow a Safari extension to access specific websites. However, these permissions don't apply to cross-origin iframes on the page. This is a major problem, because the user generally doesn't even know that a website is loading iframes, or the URLs of the iframes.
This bug occurs on both iOS and macOS. I tested with mobile and desktop Safari version 16.4.1. Attached is a sample Xcode project to demonstrate the bug. The extension manifest json declares "all_frames": true.
Steps to reproduce:
1) Unzip, open, build, and run the attached sample Xcode project "FrameBug"
2) Enable the extension in Safari
3) Open https://lapcatsoftware.com/articles/pip.html which contains an iframe with src https://www.youtube-nocookie.com/embed/ZrotkcWJFwo?controls=0&autoplay=1&start=33
4) Allow FrameBug to run on lapcatsoftware.com
5) Open the web inspector console
Expected results: There's a log message for both the top frame and the iframe.
Actual results: There's only a log message for the top frame.
The extension runs in the iframe only if the extension is given permission to access www.youtube-nocookie.com, or if it's given permission to access every website.
FrameBug.zip
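The following is an added example, not part of the original report or the FrameBug project: a small model of the per-frame permission check the report describes, useful for listing which embedded hosts a content script will not reach under a given set of grants. The function names, the "*" marker for "every website", and exact-hostname matching are assumptions made for illustration; this is not Safari's implementation.

```javascript
// Constructed sample: the page and iframe URLs are the ones in the report's steps.
const FRAMES = [
  { url: "https://lapcatsoftware.com/articles/pip.html", top: true },
  { url: "https://www.youtube-nocookie.com/embed/ZrotkcWJFwo?controls=0&autoplay=1&start=33", top: false },
];

// Assumption: a grant is an exact hostname, or "*" for "every website".
function granted(grants, url) {
  const host = new URL(url).hostname;
  return grants.includes("*") || grants.includes(host);
}

// Hostnames of the frames a content script with "all_frames": true runs in.
// model "observed": each frame is checked against its own host (actual results).
// model "expected": iframes follow the top frame's grant (the report's expected results).
// The report does not cover a grant for the iframe host without the top-frame host.
function framesReached(grants, frames, model = "observed") {
  const top = frames.find((f) => f.top);
  return frames
    .filter((f) => granted(grants, model === "expected" ? top.url : f.url))
    .map((f) => new URL(f.url).hostname);
}

// Embedded hosts that would each need their own grant under the observed behaviour.
function hostsToGrant(grants, frames) {
  const missing = frames
    .filter((f) => !granted(grants, f.url))
    .map((f) => new URL(f.url).hostname);
  return [...new Set(missing)];
}
```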