Safari Web Extension App Review checklist
A Safari Web Extension can see and change website context. Review readiness depends on limiting permissions, explaining data use, and proving the native app and extension agree.
Request the narrowest website permissions and script access that the feature needs. Apple Safari Web Extension documentation supports extensions that customize and enhance web browsing in Safari. AppReviewReady interpretation: build a permission-by-site ledger before submission so broad host permissions do not look like unexplained browsing surveillance.
Define which sites the extension truly needs
List every host permission and why the extension needs it. A password tool, coupon tool, accessibility helper, research capture tool, and content blocker all have different website access needs.
If the extension requests all websites, document why narrower domains or optional permissions cannot satisfy the feature. Broad access must be supported by visible user value and privacy disclosures.
Audit content scripts and injected UI
- Injected controls should be recognizable as part of the extension.
- Scripts should not read forms, messages, credentials, or page content beyond the feature's need.
- Website breakage should fail gracefully without trapping the user.
- The native app should explain how to enable, disable, and configure the extension.
- Analytics should avoid collecting raw page content or private URLs unless necessary and disclosed.
Keep the native app useful and honest
The containing app should not be an empty shell. It should explain what the extension does, how to enable it, what data it uses, and where settings live. If login is required, the app should make extension state clear.
AppReviewReady interpretation: test the extension disabled, enabled, signed out, signed in, and permission-revoked. Users should not need to guess whether Safari or the native app owns a problem.
Run website and permission tests
- Install the app and enable the extension from Safari settings.
- Visit allowed, disallowed, logged-in, logged-out, private-browsing, and unsupported pages.
- Revoke website permission and verify the extension explains the limitation.
- Test content security policy, iframe, redirect, and single-page-app behavior where relevant.
- Compare App Store privacy labels with extension data collection.
Prepare Safari extension review evidence
Use test websites or public pages that do not require the reviewer to enter private credentials. The review path should show the extension's value without exposing someone else's web account.
After launch, audit host permissions when marketing asks for support on a new website. Adding a broad match pattern is a product and privacy decision, not a small configuration change.
If the extension blocks, rewrites, or hides web content, provide a simple undo or disable route. Users and reviewers need to recover when a site breaks because of the extension.
Keep a public support page for site compatibility issues so users can report broken domains without sending private browsing content.
Safari extension review: Primary purpose: [purpose] Host permissions: [domains] How to enable: [steps] Test website: [URL] Data read from page: [fields] Native app settings: [path] Permission-revoked behavior: [message]
Primary references checked for this guide
Policy statements above are grounded in the linked Apple documentation. Operational recommendations are AppReviewReady's interpretation and should be tested against your app and the current guideline text.
Check extension privacy
Review Safari permissions, content scripts, native app settings, and privacy labels.
Open the tool