SponsorBlock icon indicating copy to clipboard operation
SponsorBlock copied to clipboard
verified publisher icon ajayyy

Safari 18.4+ SponsorBlock asks for permission causing Invidious support to be removed

Open TheFritz89 opened this issue 9 months ago • 24 comments

On almost every website i visit, SponsorBlock asks for permission.

Image

Is it possible to add something like this in the settings:

Image

TheFritz89 avatar Mar 25 '25 06:03 TheFritz89

This is a very odd change that Safari made. It is not supposed to treat the optional permissions like this

ajayyy avatar Mar 25 '25 07:03 ajayyy

I think this is a bug that needs to be reported to apple before this version is rolled out to stable versions

I tried switching to manifest v3 and using the new fields for optional host permissions and the same issue is still happening

ajayyy avatar Mar 26 '25 04:03 ajayyy

I sent a report https://bugs.webkit.org/show_bug.cgi?id=290508

It looks like it only happens on version 18.4 beta

ajayyy avatar Mar 26 '25 04:03 ajayyy

So what I've determined is the bug seems to be occurring whenever a page tries to send a post request in the background (usually for analytics), and then for some reason Safari tries to get you to give permission to SponsorBlock to access it, even though SponsorBlock does not ask for it.

I don't think there's anything I can do to fix this on the extension end. I tried running browser.permissions.remove and it still keeps happening.

ajayyy avatar Mar 27 '25 04:03 ajayyy

Many thanks for your help. Hopefully Apple will do something about this bug.

TheFritz89 avatar Mar 27 '25 05:03 TheFritz89

Can you not enable the ability to set defaults for “other websites”? Most other safari extensions allow you to set it to deny websites that are not explicitly assigned a rule.

Image

NathanielH-snek avatar Mar 30 '25 14:03 NathanielH-snek

@NathanielH-snek That toggle only appears if the extension always asks for access to all sites. It will show even more popups in this case.

ajayyy avatar Mar 30 '25 19:03 ajayyy

Getting a SponsorBlock permisssion request for ogads-pa.clients6.google.com on macOS 15.4 release, Safari 18.4. Looks like this bug made it to release?

Edit: DeArrow asks it as well

stevenya97 avatar Mar 31 '25 21:03 stevenya97

I published an update (5.11.10) that removes the optional permissions. This means that Invidious support now is removed on Safari. Hopefully Apple fixes the bug soon and Invidious support can be added back

ajayyy avatar Mar 31 '25 22:03 ajayyy

I published an update (5.11.10) that removes the optional permissions. This means that Invidious support now is removed on Safari. Hopefully Apple fixes the bug soon and Invidious support can be added back

I'm still getting permission requests with 5.11.10 :(

Capedbitmap avatar Apr 02 '25 12:04 Capedbitmap

Having the same issue since updating to MacOS 15.4 Safari 18.4. Running version 5.11.10 of SponsorBlock.

h3man1 avatar Apr 02 '25 17:04 h3man1

Looks like I forgot to commit the actual change the removes the permission in SponsorBlock, it was only in DeArrow, sorry about that!

I am publishing 5.11.11 now

ajayyy avatar Apr 02 '25 19:04 ajayyy

It is still 5.11.10 in App Store. How long does it usually take until release?

duramson avatar Apr 07 '25 12:04 duramson

Looks like the macOS version was published but I forgot to hit "submit for review".... Fixed

ajayyy avatar Apr 07 '25 16:04 ajayyy

Can anyone confirm, that they were asked for access to domains that are not related to advertising? I find it odd that Safari only asked me for access to amazon.de (which I use for shopping) and no other websites. Other people in this thread also only mentioned ad-related domains (criteo.com and ogads-pa.clients6.google.com). I also was not able to reproduce the supposed issue that it's "occurring whenever a page tries to send a post request in the background" (I used 5.11.10) - but maybe I'm missing something.

After what the PayPal Honey browser extension did (switching out affiliate codes without the user knowing before checkouts), this raised some eyebrows for me. But to be fair, it might just look suspicious.

Anyone got this for a domain that's certainly not ad- or shopping-related? (Besides statsigapi.net, featuregates.org and youtube-nocookie.com which the extension seems to use and probably are legitimate. Same for sponsor.ajay.app which hosts the server)

EDIT: Actually, now I'm wondering if statsigapi.net/featuregates.org is even from SponsorBlock or if that already is another example of some website using this in the background triggering the same webkit bug. It's just weird that I don't get the permission request when I visit https://dictionary.cambridge.org/dictionary/english/test (which is mentioned as example in the bug ticket)

tophexbit avatar Apr 08 '25 09:04 tophexbit

Can anyone confirm, that they were asked for access to domains that are not related to advertising? I find it odd that Safari only asked me for access to amazon.de (which I use for shopping) and no other websites. Other people in this thread also only mentioned ad-related domains (criteo.com and ogads-pa.clients6.google.com). I also was not able to reproduce the supposed issue that it's "occurring whenever a page tries to send a post request in the background" (I used 5.11.10) - but maybe I'm missing something.

After what the PayPal Honey browser extension did (switching out affiliate codes without the user knowing before checkouts), this raised some eyebrows for me. But to be fair, it might just look suspicious.

Anyone got this for a domain that's certainly not ad- or shopping-related? (Besides statsigapi.net, featuregates.org and youtube-nocookie.com which the extension seems to use and probably are legitimate. Same for sponsor.ajay.app which hosts the server)

EDIT: Actually, now I'm wondering if statsigapi.net/featuregates.org is even from SponsorBlock or if that already is another example of some website using this in the background triggering the same webkit bug. It's just weird that I don't get the permission request when I visit https://dictionary.cambridge.org/dictionary/english/test (which is mentioned as example in the bug ticket)

I got it for twitter, openai, and anthropic analytics domains yesterday. It doesn't seem to be shopping related

Capedbitmap avatar Apr 08 '25 13:04 Capedbitmap

@daniel-stockhausen My understanding is it is any requests done in the javascript (which are usually going to be analytics domain)

There is no conspiracy, it is a Safari bug which I have reported. You can see my analysis here: https://bugs.webkit.org/show_bug.cgi?id=290508

ajayyy avatar Apr 08 '25 16:04 ajayyy

Also 5.11.11 should finally be up now on the app store

ajayyy avatar Apr 08 '25 17:04 ajayyy

Safari 18.5 was just published, do you reckon it fixes the issue? The release notes don't mention it but I'm hopeful.

fregante avatar May 13 '25 05:05 fregante

@fregante I haven't received any updates on my bugzilla report. I have not tested it on the newer version of Safari

ajayyy avatar May 13 '25 06:05 ajayyy

@ajayyy am I correct Invidious is not working with Safari on macOS and/or iOS at the moment? The only domains with Allow set are sponsorblock.ajay.app, youtube.com en youtube-nocookie.com - which explains why SponsorBlock won't load at any of the invidious adresses. Or is there a way around this with Safari?

mdbraber avatar Sep 09 '25 11:09 mdbraber

@mdbraber unless Safari fixes this bug, it is not possible to support Invidious on Safari

ajayyy avatar Sep 09 '25 19:09 ajayyy

I have verified that the Safari bug still exists on Safari version 18.6

I have a feeling Apple just doesn't care

ajayyy avatar Sep 10 '25 04:09 ajayyy

I would appreciate people commenting on the bug report (https://bugs.webkit.org/show_bug.cgi?id=290508) or sending Apple emails on their support emails letting them know about this bug (you can reference the bug report I made)

ajayyy avatar Sep 10 '25 04:09 ajayyy