Why do a lot of Safari extensions require so many permissions?

I don’t feel comfortable knowing that a lot of Safari extensions are capable of having access to “sensitive information from webpages, including passwords, phone numbers, and credit cards.”

I would just like to know why so many Safari extensions require access to so much personal data.

It’s not that Safari extensions in particular have any more or less access to data than any other browser. Apple just chooses to explain the same access in much more verbose and worrying language.

Nearly every extension has access to the contents of any webpage you visit. In theory (and probably in practice for some), they could harvest key presses, the contents of password fields, etc. There’s nothing Apple can do to prevent this, or at least nothing that would gain traction given that the current state is sparse in comparison to other browsers.

3 Likes

Honestly, I don’t think it’s possible to warn strongly enough against the installation of browser extensions.

6 Likes

It’s not (in many cases) that they “require” access to the personal data - it’s that giving them access to your web pages allows them to use whatever data is on them, including things you consider personal. The extensions may not use that data, because they may not need to, but the possibility is there. If in any doubt, don’t install or enable the extension.

The same applies to other browsers, although the warnings they give may not be as stark.

3 Likes

Does a privacy label like this one indicate that an extension is probably safe to use? You guys are making it sound like I should stop using extensions altogether. :sweat_smile:

The problem with the data ‘nutrition labels’ is that they’re self-reported. So they’re only valuable if the developer cares. I can imagine a scammer not really caring if they were caught not reporting collecting all your data. They’re better than nothing but have this limitation. (Google promised to push an update to all their apps with an accurate label months ago and they’ve currently held off long enough for people to have trouble logging in.)

Extensions, even more so than apps, are about trust and it would be best to avoid them if possible.

Do you trust the developer who’s made this extension? Or is it open source?

1 Like

Which extensions could be considered trustworthy?

In theory, none. But the reality is it’s really up to your comfort/trust. I do use quite a few extensions either because I trust the developer or because the code is open source.

These are the extensions I use (in Safari):

  • Readup
  • Bear
  • 1Password
  • Cascadea
  • Honey
  • Raindrop.io
  • Pipifier
  • Reeder 5
  • Tab Spaces

But you shouldn’t use that as a metric for trust. Do a bit of research and make a value judgment :grin:

I don’t and won’t.

It’s not just a question of which extensions can be trusted at a point in time; that question of trust extends for as long as you use an extension. Both neglect and ownership changes have led to compromises. Given all that happens in browsers these days, the balance of risk vs benefit (for me) leans extremely far to the side of risk avoidance.

Brian Krebs has a good take on this: The Case for Limiting Your Browser Extensions – Krebs on Security

3 Likes

Okay, thank you for the help.