Created attachment 475748 [details] Sample Safari extension Steps to reproduce: 1. Download and unzip the attached sample Safari extension in Resources.zip 2. Enable the extension in Safari 3. In Terminal, cd Downloads/Resources 4. /usr/bin/python3 -m http.server 5. Open http://localhost:8000 in Safari See the attached screenshots showing the permission requests. This happens in the main frame and also in iframes, and even if the extension has no website permissions already. If you first grant the extension permission to access localhost:8000, there are still permission requests for example.org and example.com. I've seen this bug occur on iOS as well as macOS, though I haven't able to reproduce it until now. The bug also occurs in Safari web apps.