yuanzhoucq / Tab-Space

A Safari extension born for improving your web browsing productivity.
https://mytab.space

Privacy concerns #15

Closed darsnack closed 4 years ago

darsnack commented 4 years ago

I see that Tab Space requires access to the contents of all webpages (including forms and passwords). In contrast, SessionRestore only requires access to what pages I have visited (see below). I have privacy concerns about using an app that I cannot see the source code for requiring more permissions than it logically should.

image

I know this project started out to fill a personal need, but if you want other users to pay for it, then it might be time to port some of the code over to require less overarching permissions. I much prefer the UI of Tab Space to SessionRestore, and I would like to use it (and I would pay more for it), but not until the privacy concerns are addressed.

yuanzhoucq commented 4 years ago

Hi @darsnack. In fact, the privacy configuration bothers me as well. I configured it according to Apple's dev docs: https://developer.apple.com/documentation/safariservices/safari_app_extensions/safari_app_extension_info_property_list_keys/adjusting_website_access_permissions

> Use the Level subkey to restrict your extension’s website access. Available values are as follows:
>
> - None—Your app extension can't access any webpage by injecting scripts or style sheets, and most page properties are undefined.
> - All—Your app extension has access to all webpages and domains.
> - Some—Your app extension can access webpages from a list of domains.

It seems that I can only configure the accessed websites, but I cannot specify the type of data to be accessed. Could you please show me a screenshot of SessionRestore's privacy description? Thanks!

gingerbeardman commented 4 years ago

Here we go.

Their worry seems to be the ability for the extension to access Web Page Contents.

Screen shot 2020-04-23 at 16 50 22

Screen shot 2020-04-23 at 16 51 16

darsnack commented 4 years ago

Thanks @gingerbeardman

If there is a developer view that allows me to see what API keys are being set, I can check there too.

Glad to know this is a current concern!

gingerbeardman commented 4 years ago

As I understand it (I may be wrong) Tab Space needs access to web pages because its settings/admin user interface is created as a web page.

In contrast, SessionRestore creates its interface in a different way, using the native app and Safari popover, which does not require the same level of permissions.

darsnack commented 4 years ago

That makes sense. Is it possible to render the admin/settings page by referencing a particular file on the disk? Then there would be a URL in the nav bar that could be whitelisted (not sure if Apple's security settings allow whitelisting files instead of domain names, but just a thought).

Otherwise, a native interface might be a good long term feature. Or Apple could improve the granularity of their security options.

yuanzhoucq commented 4 years ago

@gingerbeardman Thanks Matt! I think I have figured it out.

I guess that SessionRestore did not use any injected JavaScript code, right? So it will by no means be able to access the webpage content.

And once an extension uses injected script, it will automatically gain access to web pages via DOM. So this privacy description has emerged. And all extensions using injected scripts will end up with the same description.

Fortunately we can now prove that we do not touch your privacy:

  1. Apple's documentation could prove that we will not be able to get web contents from Safari extension's API because it only provides very limited information.
  2. Only injected script could access your web contents but you can inspect these scripts directly using Safari's developer tool as follows:
image

Thanks for your questioning and I hope these will answer your question @darsnack 😄

And thanks again to @gingerbeardman 😄
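Added example, not part of the original thread and not Tab Space's own code: a small Python check that reads a Safari app extension's `Info.plist` and reports the declared website access `Level`, any allowed domains, and the scripts it injects, which is the combination the comment above ties to the "web page contents" permission. The sample plist and the file name `script.js` are constructed for illustration; the key names `SFSafariWebsiteAccess`, `Allowed Domains` and `SFSafariContentScript` are the ones used in Apple's Safari app extension property list documentation.

```python
import plistlib

# Constructed sample Info.plist for a hypothetical extension
# (NOT Tab Space's real file; "script.js" is a made-up name).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSExtension</key><dict>
    <key>SFSafariWebsiteAccess</key><dict>
      <key>Level</key><string>Some</string>
      <key>Allowed Domains</key><array><string>mytab.space</string></array>
    </dict>
    <key>SFSafariContentScript</key><array>
      <dict><key>Script</key><string>script.js</string></dict>
    </array>
  </dict>
</dict></plist>"""


def audit_extension(plist_bytes):
    """Summarise declared website access and injected scripts."""
    ext = plistlib.loads(plist_bytes).get("NSExtension", {})
    access = ext.get("SFSafariWebsiteAccess", {})
    level = access.get("Level", "unspecified")
    domains = list(access.get("Allowed Domains", []))
    scripts = [s.get("Script") for s in ext.get("SFSafariContentScript", [])]

    # Injected scripts run inside the page, so their reach is set by Level.
    if not scripts or level == "None":
        scope = "no page access via injected scripts"
    elif level == "All":
        scope = "injected scripts can read the DOM of all pages"
    elif level == "Some":
        scope = "injected scripts limited to: " + ", ".join(domains)
    else:
        scope = "review manually"
    return {"level": level, "domains": domains,
            "scripts": scripts, "scope": scope}


if __name__ == "__main__":
    for key, value in audit_extension(SAMPLE_PLIST).items():
        print(f"{key}: {value}")
```

To check an installed extension, pass the bytes of the `Info.plist` from the extension bundle inside the app instead of `SAMPLE_PLIST`; the listed script files are the ones to read when reviewing what the extension does in a page.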

darsnack commented 4 years ago

Great! Thanks @yuanzhoucq that's good enough for me. I'll let you decide if you want to close or leave this issue open.

yuanzhoucq commented 4 years ago

> That makes sense. Is it possible to render the admin/settings page by referencing a particular file on the disk? Then there would be a URL in the nav bar that could be whitelisted (not sure if Apple's security settings allow whitelisting files instead of domain names, but just a thought).
>
> Otherwise, a native interface might be a good long term feature. Or Apple could improve the granularity of their security options.

A native user interface is indeed attractive in some aspects but could also be inconvenient. Users must switch between two apps while surfing the Internet.

But I am writing an iOS app for Tab Space using the cross-platform SwiftUI. Intrinsically it will be easy to reuse the code back in the macOS app. So it is very likely that I will add a native interface on macOS later.

I am glad that you accepted these explanations and thank you for posting it here. I will be able to share this page with others with the same question!

darsnack commented 4 years ago

Okay I will close it for now then. Thanks for your explanation and the app!