Hi! What is basic difference between Safari extension which has NSExtensionPointIdentifier set to com.apple.Safari.extension and Safari web extension with NSExtensionPointIdentifier value set to com.apple.Safari.web-extension. I'm asking because to me it seems that permissions for those two work differently. When I set same set of permissions to manifest.json of extension I have different behaviour. Case 1: For com.apple.Safari.extension when user turns on the extension in Safari preferences, there is a popup with question: Are you sure you want to turn on the extension "extension_name"?. User can either cancel it and not turn on extension, or user can click Turn on and allow all extension requested permissions on all pages. Case 2: For com.apple.Safari.web-extension when user turns on the extension in Safari preferences, there is no popup, but there are 2 buttons, Edit websites where user can enable/disable extension separately for each and every website and there is Always allow on Every Website which basically does the same as Turn On in first example. But if user does not accept some webpage, when user gets to that page first time and tries to click on extension icon, there will be popup with warning about permissions and with several options for user to allow or disable extension. To create extension I used safari-web-extension-converter tool which automatically creates Safari web extension, but problem is our users do not like permission behaviour that happens in Case 2. Is there a way to have Safari web extensions (com.apple.Safari.web-extension) which has behaviour described in Case 1.

When our Safari Web Extension makes a api request from its background script (registered via "scripts" in manifest.json, e.g., "background": { "scripts": ["js/background.bundle.js"] }) to our authenticated API endpoint (https://api-domain/user), the Cookie header is not included in the request. This occurs only when the extension is running within a non-default Safari User Profile. This causes our API to treat the user as unauthenticated. The exact same extension code, manifest, and API call work correctly (Cookie header is present and user is authenticated) when the extension is running in the Default Safari User Profile.