Tirea

There is an awesome extension for Safari called PiPer that adds a button for PiP mode to websites like YouTube, Netflix, Amazon Prime and many more. It can be downloaded from the Safari Extension Gallery right here: https://safari-extensions.apple.com/details/?id=com.amarcus.safari.piper-BQ6Q24MF9X 
The source code is also available on github for anyone who's interested! 

commentzilla said:

That plugin seems to have a lot of unnecessary permissions... why does it need access to all of my personal information to include Credit Cards and Passwords?

Zero chance that's going to stay on my computer. Apple should remove it.

Almost every safari extension seems to have way to much privileges! PiPer is the only extension I use that does not show "Can read sensitive information (...) on: all websites" and instead just lists the few websites it works with. Even things like DuckDuckGo's "Privacy Essentials", Parallels "Open in for IE" and most ad blockers have the exact same warning. It's a generic warning (from Apple) for every extension that uses injected code/scripts. 

commentzilla said:

That's utter non-sense. It's certainly not a generic warning.

I have two ad-blockers that do not have permission to read webpages or anything else. Download and install a bunch of different plugins and you'll see all different kinds of permissions. Some do have access to everything, like TrafficLight (Bit Defender) a web security plugin.

Different plugins have different permissions based on how the plugin in configured by the developer. Why would PIPer need access to Credit Cards, Passwords and browsing history to provide a shortcut for a picture-in-picture mode? If an ad-blocker doesn't need it, why in the hell would a simple shortcut need it when all of the functionality is already built into macOS? I've also never seen a plugin with such a specific list of websites, it's certainly not a generic list. That list seems to have been programmed into the plugin which is probably where Apple got it.

I suggest reconfiguring the plugin so it does not access unnecessary personal data.

Also, just because something is on GITHUB does not automatically make it safe.

Every safari extension that injects code gets this generic warning. 

No not every safari extension that's out there, just the ones that inject custom code into the browser/webpage. There are a ton of extensions that don't access any sensitive information but get this warning because they use some form of code/script injection to work, which means they technically could inject a script that steals your private data. This includes trusted extension like the ones from DuckDuckGo or Parallels Desktop (like I mentioned) or the one from BitDefender you mentioned, even extensions from apps that are available in the Mac App Store and have to follow the MAS guidelines tend to get this warning.  A ton of developers of very awesome and trustworthy safari extensions constantly get complaints because when users read that warning they immediately think that the extensions uses their private data even though they do not.

While the list is indeed very specific, it's the websites that PiPer works with which means Safari will warn you about them because PiPer injects its code into those websites to give you that convenient PiP button. Most extensions are designed to work for every website so the warning will read "all websites" instead. 

bloggerblog said:

commentzilla said:

Tirea said:

There is an awesome extension for Safari called PiPer that adds a button for PiP mode to websites like YouTube, Netflix, Amazon Prime and many more. It can be downloaded from the Safari Extension Gallery right here: https://safari-extensions.apple.com/details/?id=com.amarcus.safari.piper-BQ6Q24MF9X 
The source code is also available on github for anyone who's interested! 

That plugin seems to have a lot of unnecessary permissions... why does it need access to all of my personal information to include Credit Cards and Passwords?

Zero chance that's going to stay on my computer. Apple should remove it.

If the source code is available on Github, as @Tirea mentioned, can someone remove all those invasive permissions?

They don't have access to your passwords or other sensitive information, it's a generic warning that was introduced by Apple in Safari 10, if I remember correctly. It just shows up for every extension that injects code or scripts, like PiPer does to show you the PiP button. It's a bit like Gatekeeper: if an app isn't signed by Apple or a trusted developer, macOS will try to prevent your from running the app and warn you that it's not an a trusted app. That doesn't mean the app is harmful or any type of malware, Apple just wants you to know that there may be a potential risk. Sadly in the case of safari extensions they made it seem like every extension is constantly spying on you and stealing your passwords. 
Here's a link to the source code
https://github.com/amarcu5/PiPer