this post was submitted on 07 Jan 2025
15 points (94.1% liked)

Arctic

444 readers
1 users here now

Arctic is a Lemmy client for iOS built on pure Swift. It currently supports iOS 15+ and Lemmy v0.17+

Get the latest version on TestFlight, or check it out on the AppStore.

If you would like to support Arctic’s development, feel free to Buy Me A Coffee

founded 2 years ago
MODERATORS
CreatureSurvive
15
Browser Extension: Sensitive Information Permissions (lemmy.world)
submitted 3 weeks ago by avieshek to c/arctic
4 comments fedilink hide all child comments
 

This is a little concerning.

top 4 comments
sorted by: hot top controversial new old
[–] CreatureSurvive 6 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

I definitely appreciate your concern. This warning does seem excessive, considering the extension’s limited functionality, which only allows opening URLs in Arctic. This is Apple being thorough and transparent about the capabilities of Safari extensions.

Safari extensions are written in JavaScript, which is injected into the webpage. Injecting code into a website theoretically enables the theft of information entered on that website.

Open In Arctic performs several tasks:

  1. It monitors URL changes.
  2. It checks if the URL matches a regular expression for a Lemmy post, comment, user, or community.
  3. It verifies that the server responds to Lemmy API endpoints.
  4. It opens the URL in Arctic or displays a banner on the webpage with an “Open” button.

Unfortunately, I cannot hard-code the sites on which the extension operates due to Lemmy’s defederated nature. Therefore, it is up to the user to restrict which pages the extension can access. Regrettably, this means that the warning will be displayed frequently unless the user allows the extension access to all sites.

As an alternative, you can disable the Safari extension and use the “Open In Arctic” action from the share menu. The Safari extension is solely for convenience.

[–] avieshek 1 points 3 weeks ago (1 children)

I have experienced that AdGuard allows to separate the access levels especially if you’re only looking for URLs but some note about it might at least provide a peace of mind.

[–] CreatureSurvive 4 points 3 weeks ago (1 children)

I noticed that as well. Unfortunately the extension needs its current permissions to open the URL in Arctic. I could monitor the URL without code injection, but there is no way to open the url without code injection. I wish apple would allow showing native views or alerts without needing to inject code as that would be perfect for this situation.

There is not exactly a good place to add a description explaining the access permissions. If I add it in the extension popup, it would only show after allowing it to run. Alternatively, I can add a more detailed description in the settings page, but the user will have to manually go to the settings page to see the description. It would be nice if I could add info to the alert like with photos access, but that is not possible with extensions.

Alas, I’ll add some information about this somewhere.

[–] avieshek 1 points 3 weeks ago

Ok