Safari 12: a good step forward, but mind the extensions

You have no choice in Mojave: Safari 12 is its bundled browser. But if you’re intending to stick with Sierra or High Sierra for the time being, is this upgrade a wise move, or an impending disaster?

Passwords

Safari is now nudging you hard to improve your website password security, which is a very good thing, although in practice it can turn out to be more complex than it sounds.

When you first provide a password for a new website or service account, Safari 12 automatically suggests and completes a strong and unique password for it. It will also do the same when you are changing the password for an existing website or service. This is excellent, although not without its problems: you shouldn’t rely completely on your keychain as the only place to save important passwords. I still keep written copies, having come across a steady trickle of users who, for one reason or another, have had their entire keychain blown away and had to rebuild it from scratch. iCloud-based keychains are not a solution, and indeed in many cases turn out to be the problem.

There are also times when services or sites decide that you need to re-enter your password, but your keychain isn’t immediately accessible. Funnily enough, the worst offender for repeatedly prompting for passwords seems to be iTunes.

To encourage you to strengthen existing passwords, Safari now identifies those which it thinks are being reused on two or more websites. This is helpful too, but you must be very careful when tackling this list.

In this example, Safari thinks that I have provided a password for the metoffice.gov.uk website, which appears to be a misunderstanding, as that site doesn’t use usernames or passwords at all. So rather than rushing off and trying to alter that password, I needed to delete that entry instead. Neither is that password one which I use for Facebook, which appears to be another misunderstanding from the past.

If you use this feature, you will need to know which sites and passwords are current and correct – something for which my keychain clearly isn’t so reliable. Thankfully, I can check my written records.

Extensions and plugins

I’m not a heavy Safari Extension user: the only one which I use is the Better tracker blocker, whose functionality is now at least partially fulfilled by Safari 12. It has served me well over the last couple of years, so I’m pleased that it is, apparently, still acceptable.

You may not be so lucky with your Extensions and plugins. Safari 12 disables all Safari Extensions which impair the browser’s performance, and only supports those which Apple has reviewed. It also discontinues support for most NPAPI plugins. Together these could spell problems, but there’s no easy way to tell whether you will be affected.

If you do rely on Safari Extensions or NPAPI plugins, you might want to hold off updating Safari until you have confirmed that your extensions remain acceptable to Safari 12.

There is, though, a worrying anomaly in Safari 12’s handling of plugins. XProtect is the tool which determines the oldest version of vulnerable plugins such as Flash which are permitted to operate. With Apple’s six-month neglect of updating the XProtect database, macOS and Safari 12 currently tolerate six-month-old versions of Flash and other vulnerable plugins.

If XProtect isn’t going to be updated regularly in the future, Apple needs to find another way of ensuring that users don’t use such old Internet Plug-Ins, or some will have those old versions exploited by malware.
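The minimum-version check described above can be reproduced as an audit of your own plugins; this is an added example, not code from the original article or from Apple. It assumes the plugin rules sit in XProtect.meta.plist under PlugInBlacklist, with a MinimumPlugInBundleVersion for each bundle identifier; the sample plist, the version numbers and the com.example identifiers are constructed.

```python
import plistlib

# Constructed sample in the layout assumed for XProtect.meta.plist (versions made up).
SAMPLE_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PlugInBlacklist</key><dict><key>10</key><dict>
    <key>com.macromedia.Flash Player.plugin</key><dict>
      <key>MinimumPlugInBundleVersion</key><string>29.0.0.113</string>
    </dict>
    <key>com.example.viewer.plugin</key><dict>
      <key>MinimumPlugInBundleVersion</key><string>5.1.20</string>
    </dict>
  </dict></dict>
</dict></plist>"""

# Constructed inventory: bundle identifier -> CFBundleVersion of the installed plugin.
SAMPLE_INSTALLED = {
    "com.macromedia.Flash Player.plugin": "28.0.0.161",
    "com.example.viewer.plugin": "5.1.20",
    "com.example.unlisted.plugin": "1.0",
}

def version_key(version):
    """Turn '29.0.0.113' into (29, 0, 0, 113) so that 9.x sorts below 10.x."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())

def minimum_versions(meta_bytes):
    """Return {bundle id: minimum permitted version} from the plugin blacklist."""
    meta = plistlib.loads(meta_bytes)
    floors = {}
    for per_os in meta.get("PlugInBlacklist", {}).values():
        for bundle_id, rule in per_os.items():
            if "MinimumPlugInBundleVersion" in rule:
                floors[bundle_id] = rule["MinimumPlugInBundleVersion"]
    return floors

def audit(meta_bytes, installed):
    """Classify each installed plugin against the floor set in the metadata."""
    floors = minimum_versions(meta_bytes)
    report = {}
    for bundle_id, version in installed.items():
        floor = floors.get(bundle_id)
        if floor is None:
            report[bundle_id] = "no floor set"
        elif version_key(version) < version_key(floor):
            report[bundle_id] = "blocked: below " + floor
        else:
            report[bundle_id] = "allowed: floor is " + floor
    return report

if __name__ == "__main__":
    for bundle_id, verdict in audit(SAMPLE_META, SAMPLE_INSTALLED).items():
        print(f"{bundle_id}: {verdict}")
```

An "allowed" verdict only means the plugin is no older than the floor, so when the floor itself is months out of date you still need to compare the installed version against the vendor's current release.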

Popups and ads

Safari 12 now gives you fine control over which sites are allowed to display pop-up windows. This is in the Websites section of Preferences: select the Pop-up Windows item at the left, and you can set which are allowed. Apple says that this version also reduces a site’s abilities to identify any Mac device uniquely, so should suppress the retargeting of adverts too.

As with all defences against tracking and other bad advertising practice, these could result in some websites refusing to display any content, or asking you to turn your ad blocker off. It remains to be seen how beneficial these features prove in the long run.

Security fixes

This new version of Safari also brings fixes for three vulnerabilities, listed as:

  • malicious websites were able to exfiltrate autofilled data from Safari;
  • clearing Safari’s history might not have cleared all visits involving redirection chains;
  • malicious websites could use interface spoofing to trick you through a link.

So long as you are not dependent on Safari Extensions which version 12 bans, this is an important and valuable upgrade. Be careful when you work through the list of password duplicates, and you will also need to keep any plugins like Flash up to date, as XProtect isn’t there to block them any more.