Safari Reference Library Apple Developer

Access and Permissions

Extensions can have two parts—an application part, consisting of any global page or extension bars, and a content part, consisting of any injected scripts or stylesheets. The two parts have different access and permissions.

In addition, there are settings you can specify when building your extension that select the websites your extension can interact with.

Note: For security reasons, there are some things that no part of your extension can access. This includes files on the user’s hard disk outside of the extension package, as well as functions and variables defined in scripts loaded from the webpage’s domain.

The Global HTML Page and Extension Bars

The global HTML page and extension bars have access to the SafariApplication and SafariExtension classes. They can work with windows and tabs, extension settings, and add or remove extension items. They can also respond to commands from the Safari toolbar or the contextual menu that appears over a webpage.

The global HTML page and extension bars do not have access to the content of webpages, and they can communicate with injected scripts only by sending messages—they cannot access an injected script’s functions or variables directly.

The global page and extension bars do not have permission to use the JavaScript window.open() method. They must use the Safari Extensions API. See “The Windows and Tabs API.”

Injected Scripts and Stylesheets

Injected scripts have access to the SafariContentExtension class. They have the same permission to access and modify the webpages they are injected into as scripts originating in the webpage’s own domain. They have permission to use the standard JavaScript API, as well as Safari-specific and WebKit-specific JavaScript APIs.

Injected scripts cannot access the SafariApplication or SafariExtension classes. They cannot respond to command events generated by the Safari toolbar or contextual menus, nor can they access functions or variables defined in the global HTML page or extension bars. They can, however, send messages to the global HTML page and extension bars, and the message data can be an object (such as an array, for example) declared in the injected script.

Injected scripts and stylesheets cannot access resources within the extension folder, such as images or other files, using relative URLs. Any relative URL in an injected script or stylesheet is interpreted as relative to the webpage. To access resources within the extension folder from an injected script or stylesheet, you must use an absolute URL. For details, see “Accessing Resources Within Your Extension Folder.”

Extension Website Access

You choose the webpages and domains your extension has access to in Extension Builder. Only the websites you choose have web content injected into them, and only those websites can be manipulated using the tab object’s properties, such as title and url.

Use the Extension Website Access field in Extension Builder to restrict your extension’s access to external websites. Your choices are as follows:

Important: If you set your access to Some, and do not specify any domain patterns, your extension has no website access.

If you choose Some or All, you can further choose to allow your extension access to secure sites (HTTPS URLs) or not, as shown in Figure 12-1.

Figure 12-1  Access to secure pages

Whitelists and Blacklists

The whitelist and blacklist work in conjunction with the Extension Website Access field. First, access is limited by the Extension Website Access settings, then the whitelist and blacklist are applied.

Again, note that these restrictions are in addition to those set in the Extension Website Access field. If you specify Some access, for example, you have access only to the domains matching your provided domain patterns. Items in your whitelist and blacklist create additional restrictions within those domains. Be sure all the items in your whitelist are within a domain you have access to.

Add URLs to the whitelist or blacklist by clicking New URL Pattern as illustrated in Figure 12-2.

Figure 12-2  Whitelist and Blacklist

A URL pattern takes the form Scheme://Domain/Path.

A URL pattern can include the * character to match any string. This allows you to specify all pages in a particular domain, for example, without having to create an exhaustive list.

The * character can be used anywhere in the domain or path, but not the scheme.

Examples: 

Important: The format for URL patterns in a whitelist or blacklist is not the same as the format for domain patterns in Extension Website Access.
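
The URL pattern rules described above (Scheme://Domain/Path, with * allowed in the domain or path but not the scheme), worked through as an added example that is not Apple's code or part of the original page. The function names, the component-by-component matching, and the sample patterns and URLs are assumptions made for illustration; Safari's own matcher may differ.

```javascript
// Added example; matching rules follow the page's description of URL patterns.
// Assumptions: the domain is compared with the URL's hostname (no port), the
// path with pathname + query, and a * in the domain never spans into the path.

function wildcardToRegExp(part, flags) {
  // Escape regex metacharacters, then let each * match any string.
  const pieces = part.split("*").map(s => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + pieces.join(".*") + "$", flags);
}

function compilePattern(pattern) {
  const m = /^([^:\/]+):\/\/([^\/]+)(\/.*)?$/.exec(pattern);
  if (!m) throw new Error("expected Scheme://Domain/Path: " + pattern);
  if (m[1].includes("*")) throw new Error("* is not allowed in the scheme: " + pattern);
  return {
    scheme: m[1].toLowerCase(),
    domainText: m[2],
    domain: wildcardToRegExp(m[2], "i"),      // host names are case-insensitive
    path: wildcardToRegExp(m[3] || "/", ""),  // paths are case-sensitive
  };
}

function matchesPattern(pattern, url) {
  const c = compilePattern(pattern);
  let u;
  try { u = new URL(url); } catch (e) { return false; }
  return u.protocol === c.scheme + ":" &&
         c.domain.test(u.hostname) &&
         c.path.test(u.pathname + u.search);
}

// Review aid: flag domain wildcards that match more hosts than intended.
function auditPattern(pattern) {
  const { domainText } = compilePattern(pattern);
  const warnings = [];
  if (domainText === "*") warnings.push("matches every host");
  else if (/\*(?!\.)/.test(domainText)) warnings.push("* not followed by '.' can match unrelated domains");
  return warnings;
}

// Constructed sample patterns and URLs, not taken from the original page.
const url = "http://notexample.com/";
for (const p of ["http://*.example.com/*", "http://*example.com/*"]) {
  console.log(p, "matches", url, "->", matchesPattern(p, url), auditPattern(p));
}
```

Because * matches any string, a pattern such as `http://*example.com/*` also covers hosts that merely end in the same characters; writing the wildcard as `*.example.com` keeps the match on a label boundary.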




Last updated: 2010-08-03
