Safari 10 brings fast, native App Extensions to the macOS browser, web content

Posted:
in macOS
Building on work completed last year to enable Web Content Blockers, Apple's new Safari 10 enables a wide range of native code App Extensions that users can automatically obtain and update through the Mac App Store, contributing to faster performance, enhanced security and better reliability.


Safari 10 for macOS


A big update from the original Safari 5.0 Extensions



Back in 2010, Apple introduced a Safari Extensions Gallery for Safari 5.0, enabling developers to build extension plugins for Safari using web standards such as CSS and JavaScript.


Safari 5.0 Extensions Gallery


Safari 5.0 Extensions provided a way for third parties to add buttons to the Safari toolbar, make a new extension bar, change the way web content appeared or add controls to web pages. The architecture also supported digital signing so that developers could verify where a particular extension originated and prove that it hadn't been tampered with.

Apple helped third parties distribute their Safari Extensions in a Gallery which acted like a web-specific App Store for both perusing new extensions and obtaining updates. Building these extensions in web standards enabled them to work across platform; at the time Safari was being developed for both OS X and Windows.

However, a couple years later, Apple abandoned Windows support in 2012's Safari 6, effectively delegating the task of maintaining a WebKit browser to Google's Chrome and similar projects. That opened the door to the idea of building Safari Extensions using native Objective-C or Swift code for performance reasons.

In 2014, Apple introduced App Extensions, a new architecture for building app components that could be distributed with an app, and designed specifically to add insert new functionality into core OS features on both iOS and macOS.

Creating an App Extension requires Apple's support for creating an Extension Point in the OS that developers can build upon. The initial Extension Points Apple introduced in 2014 included system-wide Share Extensions (adding new social network sharing options), Photo Editing Extensions (extending the features of the Photos app), Today Extensions (supporting widgets) and Custom Keyboards specific to iOS.

The following year, Apple introduced Content Blockers as a new class of App Extensions specially targeting Safari, supporting the ability to prevent the downloading of any defined content, including display ads, images, navigation elements, popups, scripts, fonts, style sheets, media files, cookies, or essentially anything on a web page.

With Safari 10, any Extension can be a native App Extension



On both macOS Sierra 10.12 and today's El Capitan 10.11.5 (when Safari 10 is installed), Safari will support App Extensions built from a combination of JavaScript, CSS and native code written in Objective-C or Swift.Safari will support App Extensions built from a combination of JavaScript, CSS and native code written in Objective-C or Swift

Like previous App Extensions, the new architecture defines a broad Extension Point for Safari that allows third party developers to add new functionality to Safari, both to read and modify web page content (such as translating text into another language) and to communicate back and forth with a native app to integrate app data into Safari or to get web data into an app.

Developers can extend the Safari user interface by adding a toolbar button to execute a command or display a popover window, add a contextual menu item, inject a style sheet that alters how web pages are presented (such as modifying fonts used or text sizes), or inject JavaScript that changes how a page behaves or enables it to communicate with the app extension.

Unlike previous Safari Extensions, the new App Extensions can communicate securely with a developer's app using shared resources, as depicted in Apple's developer documentation (portrayed below).




More importantly, the new App Extensions architecture enables developers to distribute Safari Extensions as part of their app through the App Store. That means users won't have to go looking for a plugin from an independent "Gallery" on the web. For developers, moving their existing Safari Extensions to native App Extensions is designed to be easy to do in Xcode

The "Safari Extensions..." menu in macOS Sierra now launches the Mac App Store, which will present apps that include an App Extension for use in Safari. For developers, moving their existing Safari Extensions to native App Extensions is designed to be easy to do in Xcode.

This change also means that user App Extensions can be updated in parallel with the developer's app, preventing compatibility problems related to different component versions between an extension and an app. Because they can now be written in native code, Safari App Extensions can perform faster and use less memory than before.

Beyond App Extensions, Safari 10 will also support Apple Pay transactions on the web (below), iPad Split View of two websites at once, Picture in Picture display of embedded HTML5 videos on Macs (like iPad introduced last year), and automatic use of HTML5 videos from sites that would otherwise attempt to use Adobe Flash or Microsoft Silverlight.


Apple Pay on the web with Safari 10


Other new iOS 10 & macOS Sierra App Extensions



Overall, Apple's App Extension architecture provides a secure way for developers to extend OS-level features, while also expanding the usefulness of developers' work across the system.

There are a wide variety of other new App Extensions being introduced in iOS 10 and macOS Sierra, enabling third parties to similarly add new features to a variety of extension points including Siri, Messages, Maps, Notifications and Call Directory. AppleInsider will examine how these new extension points can enable developers to add new features to Apple's platforms.

Comments

  • Reply 1 of 20
    petiegpetieg Posts: 21member
    I hope it's not the case, but this sounds like a malware/virus avenue waiting to be exploited.  
  • Reply 2 of 20
    Well, I hope the click-to-flash style plug in killers that get HTML5 instead of Flash from MTV and other networks gets ported over! 
  • Reply 3 of 20
    DanielEranDanielEran Posts: 290editor
    petieg said:
    I hope it's not the case, but this sounds like a malware/virus avenue waiting to be exploited.  
    Because App Extensions are distributed as part of an app in the App Store, they are signed and subject to screening by Apple. There is some chance that something malicious could sneak in, but this would be easy to manage and connect back to the developer. Old Safari Extensions were also signed, but not distributed thru the App Store. 

    In practice, this is the most secure and least risky way to distribute software  
    fotoformatlostkiwiirelandTurboPGTai46propodthepixeldoc
  • Reply 4 of 20
    DanielEranDanielEran Posts: 290editor

    Well, I hope the click-to-flash style plug in killers that get HTML5 instead of Flash from MTV and other networks gets ported over! 
    That functionality is now baked into Safari 10 by default. To web servers, it looks like Safari 10 users do not even have Flash installed. 
    tallest skilirelandai46thepixeldoc
  • Reply 5 of 20
    cornchipcornchip Posts: 1,167member
    This sounds great, especially the plugins for apps like Maps. What I want is an extension called "road trip" wherein, in addition to the three travel options we get now, I would be able to select my own route which may not be the fastest, but sometimes you just want or need to go a different way. Someone build it and I will pay you $4.99-$1.64.
  • Reply 6 of 20
    So is Safari 10 available for download?  The article keeps switching from present tense to future tense and back again, so it's unclear.  It says it's for Sierra and ElCapitan, but doesn't actually say if this is a beta or something available NOW.
    ireland
  • Reply 7 of 20
    ...I am hoping for a solution to the relentless email request pop ups that seem to evade the pop up blockers, even on one site that I actually did sign up for... Do advertisers bring the pop up blockers on themselves with relentless aggression & unbridled assault of the meek & innocent...? Has the web become a digital pickpocket nirvana...?
    lostkiwi
  • Reply 8 of 20
    Is the Safari Extension gallery pretty sparse?  I remember it having a lot more extensions before, but a year or two ago, Apple required something new and a lot of extensions still worked but were no longer found in the gallery.


  • Reply 9 of 20
    pdbreskepdbreske Posts: 39member
    "... and automatic use of HTML5 videos from sites that would otherwise attempt to use Adobe Flash or Microsoft Silverlight."

    Does this include HBO and Netflix which use Flash and Silverlight, respectively? I think it's silly that I can watch both of these networks on my iPhone, which does not support either of these technologies, but my Mac can't play videos from either source unless I install some slow, bloated, third-party software.
    edited June 2016
  • Reply 10 of 20
    tallest skiltallest skil Posts: 43,399member
    mindwaves said:
    Is the Safari Extension gallery pretty sparse?  I remember it having a lot more extensions before, but a year or two ago, Apple required something new and a lot of extensions still worked but were no longer found in the gallery.
    Hasn’t been updated in three years, but I think many of these still work. There’s quite a variety not found in the official Apple market.

    http://safariextensions.tumblr.com
    irelandcrowleyimNirodha
  • Reply 11 of 20
    irelandireland Posts: 17,521member

    Well, I hope the click-to-flash style plug in killers that get HTML5 instead of Flash from MTV and other networks gets ported over! 
    That functionality is now baked into Safari 10 by default. To web servers, it looks like Safari 10 users do not even have Flash installed. 
    Even goes one step further to lesson the likelihood the website will say "please install Adobe flash". If there's a HTML5 version available Safari instructs the server to show it.
    edited June 2016
  • Reply 12 of 20
    MarvinMarvin Posts: 14,195moderator
    petieg said:
    I hope it's not the case, but this sounds like a malware/virus avenue waiting to be exploited.  
    These extensions differ from extensions like Flash or Silverlight, which have direct access to the web content and execute 3rd party code. These extensions have the same setup as app extensions from earlier versions of Safari:

    http://appleinsider.com/articles/15/06/15/inside-app-extensions-webkit-content-blockers-extend-user-privacy-in-ios-9-safari-9

    There's a sandbox between native code and the browser, this new development is just a different way to distribute and develop them.

    There's two components for this to work: injected content into the browser and native code. These can't run each other's code directly so it doesn't give the browser native access to the system, the browser can only communicate with the native code via messages and it's the developer sending the messages, not the website.

    You inject Javascript/HTML/CSS into a web page at runtime with the Safari extension and this can send messages to the app extension, which the OS activates when a message is passed to it.

    Most app developers will never write a native app extension to link to Safari because the most useful Safari extensions do DOM manipulation, which you'd never do in native code as DOM parsing is not really feasible and it would mean having to shuffle the entire page content back and forward through messaging and the filesystem, which slows things down.

    The reason they have introduced this is because the previous way meant distributing two components separately: the app on the Mac App Store and the Safari Extension on the extension site, which are updated separately and can get out of sync. If you have a Safari extension as part of an app then it makes sense to just distribute it with the app and that keeps both updated together.

    1password has two parts for example:

    https://discussions.agilebits.com/discussion/40413/1password-safari-extension-not-working

    Now they'd just bundle the extension with the app.

    In order to get any malware, it has to be a malicious app that is available in the App Store, which Apple would check for. Apple could miss an app that bundles an extension that injects Javascript to monitor login entries, sites visited and passes that back to a native extension to send to their own servers (a keylogger), there's one for Chrome:

    https://github.com/Xeroday/ChromeLogger

    This can happen with any extension so you have to be careful of any extension you install, especially from unofficial sites and you can disable the whole extension system.
    pdbreske said:
    "... and automatic use of HTML5 videos from sites that would otherwise attempt to use Adobe Flash or Microsoft Silverlight."

    Does this include HBO and Netflix which use Flash and Silverlight, respectively? I think it's silly that I can watch both of these networks on my iPhone, which does not support either of these technologies, but my Mac can't play videos from either source unless I install some slow, bloated, third-party software.
    Uninstalling the Flash plugin on older browsers should let the site know you don't have it installed. If the site still doesn't work, the develop menu (activated in Safari preferences > advanced) in Safari lets you switch the user agent to the iPad (Develop menu > User Agent > iPad). The following page for example won't play in Safari by default but removing Flash and switching the agent to iPad will play the video in HTML5:

    http://www.hbo.com/silicon-valley/about/video/season-3-trailer.html?autoplay=true

    If you set the user agent to iPhone, it makes the timeline disappear and other browsers don't work. It would be nice if Safari let you set user agent by default per site. There seems to be a way to do it via Javascript:

    http://stackoverflow.com/questions/1307013/mocking-a-useragent-in-javascript

    Maybe if that was injected using an extension before the page loaded it would work but you'd need a developer id to sign it and have the extension stay active.
    ...I am hoping for a solution to the relentless email request pop ups that seem to evade the pop up blockers, even on one site that I actually did sign up for... Do advertisers bring the pop up blockers on themselves with relentless aggression & unbridled assault of the meek & innocent...? Has the web become a digital pickpocket nirvana...?
    Those are part of the page content. Popup blockers just cover new windows/tabs. The email popups are hard to block as they are custom to each site displaying them. Bloggers make money from viewers so they are always looking to get as many recurring views and the panels get the results they want:

    https://blog.bufferapp.com/get-more-email-subscribers-how-we-doubled-email-signups

    They could be blocked somewhat by catching/disabling Javascript events shortly after page load or scroll events. They are very irritating, I usually just close the site as soon as one pops up.
    edited June 2016 propod
  • Reply 13 of 20
    coolfactorcoolfactor Posts: 1,366member
    I still don't understand why Apple Pay integration is a Safari-only feature. Surely they could've built it using secure JavaScript that works with any modern browser?
  • Reply 14 of 20
    JinTechJinTech Posts: 323member
    I still don't understand why Apple Pay integration is a Safari-only feature. Surely they could've built it using secure JavaScript that works with any modern browser?
    Do you really think Apple wants you to use their payments engine in a different browser other than an Apple one?
    ai46tallest skilrazorpit
  • Reply 15 of 20
    How the heck do I find Safari 10?  App store doesn't list it, and apple's website doesn't mention it.  I'm running the latest version of El Cap.
    edited June 2016
  • Reply 16 of 20
    tallest skiltallest skil Posts: 43,399member
    How the heck do I find Safari 10?  App store doesn't list it, and apple's website doesn't mention it.  I'm running the latest version of El Cap.
    Paid developers only.
    teaearlegreyhot
  • Reply 17 of 20
    How the heck do I find Safari 10?  App store doesn't list it, and apple's website doesn't mention it.  I'm running the latest version of El Cap.
    Paid developers only.
    Thanks, tallest skil.  AppleInsider should have said so in the story, instead of using the headline and leading paragraph that deceives the reader into thinking this is an actual product available now, rather than just something in development.  Pffft.
    tallest skilthepixeldoc
  • Reply 18 of 20
    uraharaurahara Posts: 192member
    Paid developers only.
    Thanks, tallest skil.  AppleInsider should have said so in the story, instead of using the headline and leading paragraph that deceives the reader into thinking this is an actual product available now, rather than just something in development.  Pffft.
    Safari 10 is an actual product. I have it. Do you have macOS Sierra installed? Get it. Easy.  Pffffffffft. 
  • Reply 19 of 20
    tallest skiltallest skil Posts: 43,399member
    Terrible day; ClickToFlash is being discontinued, and as of today (somehow, magically…) it has stopped working in Safari 10, despite no updates being pushed or anything changed.

    So thanks, Google, for your shitty system. I may stop using YouTube entirely now that I can’t see it in a QuickTime window (with a right-click to download option).
Sign In or Register to comment.