Login/Register
How to locally pass information from Safari Share Extension back to Web Page?
Asked Answered
androidiosmobile-safarishare-extension
G

1

14

Imagine Web Page on iOS/Android is able to share file (using Web Share API) with custom request content with Safari Share Extension.

I’m looking for a reliable way to get response (let's say an arbitrary JSON) back from Safari Share Extension to a Web Page.

Options I already tried and failed:

  • Pass response via WebRTC – seems still impossible for local communication, avoiding using internet server.
  • Pass port number from Web Page and make Safari Share Extension to open that port and provide response to anyone connecting. Browser is not able to use non-SSL connection, moreover self-signed certificate for localhost is not trustworthy on every device.
Gastroenteritis answered 23/1, 2023 at 18:28 Comment(2)
You need to use sendMessage API, if you're creating an extension developer.apple.com/documentation/safariservices/…Anthropo
@Anthropo it is suitable for Safari Web Extension, but I am asking about Safari Share Extension.Gastroenteritis
S
1

It is not clear what your design constraints are for a solution, so I cannot give a complete answer. I can suggest the following lines of investigation (which are too long for a question-comment so placed here):

  1. If you are looking at it from an attacker / security research perspective then what you could do is to try a custom URL scheme of a popular app, like TikTok, and see if that can be used to expose an application-specific vulnerability (data leak).

  2. If you are trying your second option of specifying a port but are hitting the signing restrictions, then why not buy a DNS host, and use LetsEncrypt to get a proper SSL certificate for it. Then Safari will connect.

  3. If you are trying to commence user engagement, write and deploy an iOS app that the user can install, and then trigger it via the Share Extension. Then you can get arbitrary JSON back from the handset.

  4. There is evidence that browser developers might be able to deploy non-default WebKit experiences on iOS in the future, so there may be a way to add custom functionality there if the mobile browser lockdown policy is loosened. There are regulatory pressures going this direction so it is worth watching out for.

Historical note on Mobile Safari

It used to be the case that Mobile Safari could yield file contents back to the recipient via the Web Share API. It was a security vulnerability since fixed, but a detailed account of this and the relevant techniques employed are in the book The Road To Zero (I am the author.)

Saadi answered 21/2, 2023 at 10:22 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.