In a project to create a web extension for Safari, using scripting.registerContentScript() API to inject a bunch of scripts into web pages, I needed to manage a dynamic whitelist (i.e., web pages where the scripts should not be injected).
Fortunately, scripting.registerContentScripts() gives you the option of defining a list of web pages to be considered as a whitelist, using the excludeMatches parameter in the directive, to represent an array of pages where the script should not be injected.
Here just a sample of what I mean:
const matches = ['*://*/*'];
const excludeMatches = ['*://*.example.com/*'];
const directive = {
id: 'injected-jstest',
js: ['injectedscript.js'],
matches: matches,
excludeMatches: excludeMatches,
persistAcrossSessions: false,
runAt: 'document_start'
};
await browser.scripting.registerContentScripts([directive])
.catch(reason => { console.log("[SW] >>> inject script error:",reason); });
Of course, the whitelist (the excludeMatches array) is not static, but varies over time according to the needs of the moment.
Everything works perfectly in Chromium browsers (Chrome, Edge, ...) and Firefox, but fails miserably in Safari. In fact, Safari seems to completely ignore the excludeMatches parameter and injects the script even where it should not.
Has anyone had the same problem and solved it somehow?
NOTE : To test the correctness and capabilities of the API in each browser, I created a simple repository on Github with the extension code for Chromium, Firefox and Safari (XCode project).
Extensions
RSS for tagGive users access to your app's functionality and content throughout iOS and macOS using extensions.
Posts under Extensions tag
200 Posts
Sort by:
Post
Replies
Boosts
Views
Activity
A DNR rule with lower priority is being applied before a DNR rule of higher priority on Safari. Specifically, a low-priority DNR block rule that matches a request is being applied before a high-priority DNR redirect rule that matches the same request, preventing the redirect from occurring. The only way to get the high-priority redirect rule to occur is to remove the DNR block rule. This does not occur on other browsers.
I have already submitted a Feedback Assistant report about this bug: FB16535579
How to reproduce:
Create/install a web extension on Safari with the declarativeNetRequest and declarativeNetRequestWithHostAccess permissions
Open the Web Extension Background Content console and add a redirect rule with a high priority number. For example:
await chrome.declarativeNetRequest.updateDynamicRules({addRules: [
{id: 5000, condition: {urlFilter: "||www.google-analytics.com*/ga.js", resourceTypes: ["script"], domainType: "thirdParty"}, priority: 80, action: {type: "redirect", redirect: {url: “http://www.apple.com/”}}}
]})
Add a block rule of lower priority for the same urlFilter:
await chrome.declarativeNetRequest.updateDynamicRules({addRules: [
{id: 5001, condition: {urlFilter: "||www.google-analytics.com^", domainType: "thirdParty"}, priority: 1, action: {type: "block"}}
]})
Visit https://efforg.github.io/privacybadger-test-fixtures/html/ga_surrogate.html
Check the network tab and see that neither a request to Google Analytics nor apple.com appear. This means that the request to Google Analytics was blocked instead of being / before being redirected
Remove the block rule:
await chrome.declarativeNetRequest.updateDynamicRules({removeRuleIds: [5001]})
Reload https://efforg.github.io/privacybadger-test-fixtures/html/ga_surrogate.html.
Check the network tab and confirm that there is a request to apple.com, showing that the redirect rule is only applied if the lower-priority block rule is removed. The priority of the DNR rules should handle this without having to remove a DNR rule.
I have confirmed that the incorrect application of DNR rule priority happens on other top level domains, with other urlFilters, and with other redirect URLs. I confirmed that this is happening while I’ve granted my extension permissions on all websites.
How can NEPacketTunnelProvider launch the companion application, or notify user to launch the application?
I have built an iOS VPN that uses credentials stored in the keychain, and it works as expected. Now I'm trying to add OAuth login support.
Everything works fine at first. I login from the companion application, store tokens in the keychain, then launch the VPN from either System Settings or the companion application.
However, when the OAuth refresh tokens expire, or the OAuth IdP otherwise requires login, I can't perform the OAuth login from the NEPacketTunnelProvider. Login must happen from the companion application, which likely isn't running. I need the NEPacketTunnelProvider to either launch the companion application directly or to notify the user to do so.
Searching and reading docs yields:
You can't perform OAuth login from within the NEPacketTunnelProvider because it requires user interaction
There is no way to guarantee that the companion application is running on iOS (otherwise one would use NEVPNStatusDidChange)
You can't launch the companion application from NEPacketTunnelProvider using a custom URL because of security concerns
You might be able to launch the companion application from a system extension...
Some sources say you still can't guarantee that the system extension is loaded whenever the NEPacketTunnelProvider needs it anyway.
Of course, any of these conclusions could be wrong.
At this point I'm not sure where to begin. Is there another approach that could be initiated by the NEPacketTunnelProvider (push notifications, system notifications, smoke signals)?
Any help would be appreciated.
Thanks,
Bill Welch
Hello! What is the TTL for evaluation key(s) used in Live Caller ID feature on iOS client side? We would like to align our server-side key storage TTL with the iOS client implementation to optimize memory usage.
Would really appreciate your help on this.
Issue Summary:
In our Flutter application, we utilize Tencent's TRTC API for voice and video communication. While the broadcast functionality operates correctly on Android, it fails to respond on iOS devices. Attempting to initiate a broadcast results in no action, and long-pressing the broadcast button does not reveal the broadcast extension.
Steps to Reproduce:
Add Broadcast Upload Extension:
In Xcode, navigate to File > New > Target.
Select Broadcast Upload Extension and add it to the project.
2. Build the Project:
Attempt to build the project.
Encounter the error: "Cycle inside Runner; building could produce unreliable results."
3. Resolve Build Cycle Error:
Go to the project’s Build Phases.
Locate the Embed App Extensions phase.
Move Embed App Extensions just below Copy Bundle Resources.
Ensure the Copy only when installing option is selected.
Rebuild the project; the cycle error is resolved.
4.Test Broadcast Functionality:
Install the app on an iOS device.
Tap the broadcast button; observe no response.
Long-press the broadcast button in the top right hand scroll down menu; the broadcast extension is not listed.
5. Isolate the Issue:
Create a new Flutter project.
Repeat the above steps to add the broadcast upload extension.
The issue persists: broadcast functionality remains unresponsive on iOS.
We are testing our safari web extension (https://apps.apple.com/us/app/whatfix-for-jnj-centris/id6723895659) on an iPad 7th Gen (iPadOS v - 17.4.1)
I am sharing a video link where you can see the widget (named Self Help) appears on the application. However after a couple of refreshes, it vanishes. This widget is powered by the extension.
We tried connecting the iPad to Mac and opened the webinspector. The extension content script sends a message to the service worker and it is expected to send back a response which it is not doing
We believe it is related to an issue that has been highlighted multiple times in the developer forum -
https://developer.apple.com/forums/thread/758346
We have tried using several workaorunds as suggested by peer developers in the thread but we are unable to revive the service worker once it is killed.
We would like to understand from you, how to recover from this issue. Is there any workaround that we can apply to make sure that extension works fine?
It would be immensely helpful if we can get on a call to explain the issue further
Video Link: https://www.icloud.com/iclouddrive/0a7NR7BzDQHHU8zCHERuySBMw#RPReplay%5FFinal1740034010
❌ Could not find email_ai.py in the app bundle. Available files: []
The error above is what I’m encountering.
I’ve placed the referenced file both in the project directory and inside the app. However, every time I remove and reinsert the file into the folder within the app, it prompts me to designate the targets—I select all, but this doesn’t resolve the issue.
I’m unsure how to properly reference the file so that it is recognised and included in the bundle. Any guidance would be greatly appreciated.
this is my build phase:
#!/bin/sh
set -x # Prints each command before running it (for debugging)
pwd # Shows the current working directory
echo "$SRCROOT" # Shows what Xcode thinks is the project root
ls -l "$SRCROOT/EmailAssistant/EmailAssistant/PythonScripts" # Lists files in the script folder
export PYTHONPATH="/Users/caesar/.pyenv/versions/3.11.6/bin"
/Users/caesar/.pyenv/versions/3.11.6/bin/python3 "$SRCROOT/EmailAssistant/EmailAssistant/PythonScripts/email_ai.py"
echo "Script completed."
hi, I'm having an issue with Safari devlop menu "Web Extension Background Content" menu item being grayed out. I cant do any debugging right now and its becoming mission critical for us. Any help is appreciated.
Thank you,
We are building a Safari web extension utilising native messaging, to send messages to the Swift native part of the app. We sometimes experience, that the beginRequest handler is executed multiple times, at the same time.
We have a special part of the code in the handler, that must be run only once. Because it uses NS defaults storage, and also because it calls our servers. We have tried to use a serial dispatch queue, as well as other locking and mutex techniques, to no success.
We suspect that the instances of the handler are isolated in a way, that these locks don’t work (maybe they don’t share memory?). But we are not sure. When looking at os_logs from the handlers, they all share the same PID.
Has anyone experienced anything similar and can shed some light on what's going on?
We have a Web Extension that uses firebase for auth. It was working fine until the latest version of Safari 18.3 got released few days ago on January 27, 2025.
All of out extension versions stopped working on it; even the ones that are published on App Store. It uses FirebaseJS v9.23.0.
Same version of the extension are working fine on other browsers. We use onAuthStateChanged to listen to auth related events; but it is never fired now.
I am currently developing a custom-protocol VPN application for iOS using PacketTunnelProvider. I have also integrated an HTTP proxy service, which is launched via a dylib.
The overall flow is as follows:
App -> VPN TUN -> Local HTTP Proxy -> External Network
I have a question:
I am capturing all traffic, and normally, requests sent out by the HTTP proxy are also captured again by the VPN. However, when I send requests using createUdpSession in my code, they are not being captured by the virtual interface (TUN).
What could be the reason for this?
override func startTunnel(options: [String : NSObject]?, completionHandler: @escaping (Error?) -> Void) {
let tunnelNetworkSettings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "192.168.18.0")
tunnelNetworkSettings.mtu=1400
let ipv4Settings = NEIPv4Settings(addresses: ["192.169.10.10"], subnetMasks: ["255.255.255.0"])
ipv4Settings.includedRoutes=[NEIPv4Route.default()]
ipv4Settings.excludedRoutes = [NEIPv4Route(destinationAddress: "10.0.0.0", subnetMask: "255.0.0.0"),
NEIPv4Route(destinationAddress: "172.16.0.0", subnetMask: "255.240.0.0"),
NEIPv4Route(destinationAddress: "192.168.0.0", subnetMask: "255.255.0.0"),
NEIPv4Route(destinationAddress:"127.0.0.0", subnetMask: "255.0.0.0"),
]
tunnelNetworkSettings.ipv4Settings = ipv4Settings
// Configure proxy settings
let proxySettings = NEProxySettings()
proxySettings.httpEnabled = true
proxySettings.httpServer = NEProxyServer(address: "127.0.0.1", port: 7890)
proxySettings.httpsEnabled = true
proxySettings.httpsServer = NEProxyServer(address: "127.0.0.1", port: 7890)
proxySettings.excludeSimpleHostnames = true
proxySettings.exceptionList=["localhost","127.0.0.1"]
tunnelNetworkSettings.proxySettings = proxySettings
setTunnelNetworkSettings(tunnelNetworkSettings) { [weak self] error in
if error != nil {
completionHandler(error)
return
}
completionHandler(nil)
let stack = TUNInterface(packetFlow: self!.packetFlow)
RawScoketFactory.TunnelProvider=self
stack.register(stack: UDPDirectStack())
stack.register(stack: TCPDirectStack())
stack.start()
}
}
NWUdpSession.swift
//
// NWUDPSocket.swift
// supervpn
//
// Created by TobbyQuinn on 2025/2/3.
//
import Foundation
import NetworkExtension
import CocoaLumberjack
public protocol NWUDPSocketDelegate: AnyObject{
func didReceive(data:Data,from:NWUDPSocket)
func didCancel(socket:NWUDPSocket)
}
public class NWUDPSocket:NSObject{
private let session:NWUDPSession
private let timeout:Int
private var pendingWriteData: [Data] = []
private var writing = false
private let queue:DispatchQueue=QueueFactory.getQueue()
public weak var delegate:NWUDPSocketDelegate?
public init?(host:String,port:UInt16,timeout:Int=Opt.UDPSocketActiveTimeout){
guard let udpSession = RawScoketFactory.TunnelProvider?.createUDPSession(to: NWHostEndpoint(hostname: host, port: "\(port)"), from: nil) else{
return nil
}
session = udpSession
self.timeout=timeout
super.init()
session.addObserver(self, forKeyPath: #keyPath(NWUDPSession.state),options: [.new], context: nil)
session.setReadHandler({ dataArray, error in
self.queueCall{
guard error == nil, let dataArray = dataArray else {
print("Error when reading from remote server or connection reset")
return
}
for data in dataArray{
self.delegate?.didReceive(data: data, from: self)
}
}
}, maxDatagrams: 32)
}
/**
Send data to remote.
- parameter data: The data to send.
*/
public func write(data: Data) {
pendingWriteData.append(data)
checkWrite()
}
public func disconnect() {
session.cancel()
}
public override func observeValue(forKeyPath keyPath: String?, of object: Any?, change: [NSKeyValueChangeKey : Any]?, context: UnsafeMutableRawPointer?) {
guard keyPath == "state" else {
return
}
switch session.state {
case .cancelled:
queueCall {
self.delegate?.didCancel(socket: self)
}
case .ready:
checkWrite()
default:
break
}
}
private func checkWrite() {
guard session.state == .ready else {
return
}
guard !writing else {
return
}
guard pendingWriteData.count > 0 else {
return
}
writing = true
session.writeMultipleDatagrams(self.pendingWriteData) {_ in
self.queueCall {
self.writing = false
self.checkWrite()
}
}
self.pendingWriteData.removeAll(keepingCapacity: true)
}
private func queueCall(block:@escaping ()->Void){
queue.async {
block()
}
}
deinit{
session.removeObserver(self, forKeyPath: #keyPath(NWUDPSession.state))
}
}
Hello
My app has implementation of In App Provisioning which is working fine. We have now added Wallet Extensions to it, but my App is not shown in Apple Wallet "From apps on your iphone"
I have uploaded Feedback (FB16450547) at
https://feedbackassistant.apple.com/feedback/16450547
Kindly request for your advice
I built and extension for chrome, edge, and firefox. I'm porting the chrome extension to safari using the safari-web-extension-converter tool. This has worked successfully and I was able to publish my extension to the app store.
I made some updates to the service worker code recently and I'm now being hit with an error when trying to load my unsigned extension into safari:
The service_worker script failed to load due to an error.
I've looked online at some other forums and haven't found anything helpful around how to debug this kind of error. Because the service worker is non-persistent in safari, I don't have access to the console logs of the service worker through the Develop > Web Extension Background Context menu.
Has anyone successfully debugged this kind of error? Are there logs I can pull directly from safari that would help me here? Thanks in advance for the help!
Hi Apple Developers,
I am currently working on a message filtering application and facing issues specifically with filtering RCS (Rich Communication Services) messages. To debug this, I created a sample app that consistently categorizes all incoming messages as "junk." However, the filtering behaviour is inconsistent and not functioning as expected.
Here are the key issues observed during testing on iOS versions 18.2.1 and 18.3:
Inconsistent Filtering Behavior:
When a message is received from an unknown number, it sometimes gets moved to the Junk folder momentarily but is then immediately moved back to the main Messages inbox.
In some cases, the message does not get moved to the Junk folder at all, despite the app returning the verdict as "junk."
Duplicate Contact Tiles:
The Messages app displays two separate conversation tiles for the same mobile number, which is unexpected behavior.
For reference, my carrier partner is T-Mobile. Please let me know if you need any additional information to investigate this issue further.
Looking forward to your insights and guidance.
Best regards,
Rijul Singhal
Hi Apple Developers,
I am currently working on a message filtering application and facing issues specifically with filtering RCS (Rich Communication Services) messages. To debug this, I created a sample app that consistently categorizes all incoming messages as "junk." However, the filtering behaviour is inconsistent and not functioning as expected.
Here are the key issues observed during testing on iOS versions 18.2.1 and 18.3:
Inconsistent Filtering Behavior:
When a message is received from an unknown number, it sometimes gets moved to the Junk folder momentarily but is then immediately moved back to the main Messages inbox.
In some cases, the message does not get moved to the Junk folder at all, despite the app returning the verdict as "junk."
Duplicate Contact Tiles:
The Messages app displays two separate conversation tiles for the same mobile number, which is unexpected behavior.
I have attached both a sample app and a screen recording that clearly demonstrates the issue. The recording shows that the app categorizes messages as junk, yet they still end up in the main Messages inbox.
For reference, my carrier partner is T-Mobile. Please let me know if you need any additional information to investigate this issue further.
Looking forward to your insights and guidance.
Best regards,
Rijul Singhal
Hello,
I've developed a macOS app with an AutoFill Credential Provider extension that functions as a passkey provider. In the registration flow, I want my app to appear as a passkey provider only when specific conditions are met.
Is there a way to inspect the request from the web before the passkey provider selection list is displayed to the user, determine whether my app can handle it, and then use that result to instruct the OS on whether to include my app in the passkey provider selection list?
Alternatively, is there a way to predefine conditions that must be met before my app is offered as a passkey provider in the selection list?
Thanks!
I'm trying to update an app of mine to have a more modern look, and the last part of it is the Action Extension in Safari.
My info.plist file has the correct NSExtension details to use a storyboard, but storyboards look so old and I'd like to use a nicer SwiftUI-based look. Is this even possible?
This is the relevant bit from the Info.plist:
<dict>
<key>NSExtensionAttributes</key>
<dict>
<key>NSExtensionActivationRule</key>
<dict>
<key>NSExtensionActivationSupportsWebPageWithMaxCount</key>
<integer>1</integer>
</dict>
<key>NSExtensionJavaScriptPreprocessingFile</key>
<string>GetURL</string>
</dict>
<key>NSExtensionPointIdentifier</key>
<string>com.apple.ui-services</string>
<key>NSExtensionActionWantsFullScreenPresentation</key>
<false/>
<key>NSExtensionMainStoryboard</key>
<string>MainInterface</string>
</dict>
I see I can use NSExtensionPrincipalClass instead of NSExtensionMainStoryboard but then I get stuck.
If I remove this:
<key>NSExtensionMainStoryboard</key>
<string>MainInterface</string>
and replace it with this:
<key>NSExtensionPrincipalClass</key>
<string>$(PRODUCT_MODULE_NAME).ActionViewController</string>
I get this error when I run the extension:
Rejecting view controller creation request due to invalid extension storyboard or principal class: Error Domain=NSCocoaErrorDomain Code=967223 "(null)" UserInfo={Invalid Configuration=Either NSExtensionMainStoryboard or NSExtensionPrincipalClass must be specified in the extension's Info.plist file but not both.}
According to that error the two keys are mutually-exclusive, which is fine as I'm using just one of them, so why do I get this error?
Is it something to do with the actual code in ActionViewController?
I have this, and nothing here ever runs:
class ActionViewController: UIViewController {
var theUrl: String = ""
@objc override func viewDidLoad() {
super.viewDidLoad()
if let inputItem = extensionContext!.inputItems.first as? NSExtensionItem {
if let itemProvider = inputItem.attachments?.first {
itemProvider.loadItem(forTypeIdentifier: UTType.propertyList.identifier as String) { [unowned self] (dict, error) in
let itemDictionary = dict as! NSDictionary
let javaScriptValues = itemDictionary[NSExtensionJavaScriptPreprocessingResultsKey] as! NSDictionary
self.theUrl = javaScriptValues["URL"] as! String
// Build the SwiftUI view, wrap it in a UIHostingController then send to the main thread to update the UI
let contentView = ActionExtensionView(theUrl: self.theUrl, clickedCancel: self.cancel, clickedDone: self.done)
let childView = UIHostingController(rootView: contentView)
self.view.addSubview(childView.view)
// Set the place where your view will be displayed
let constraints = [
childView.view.topAnchor.constraint(equalTo: view.topAnchor),
childView.view.bottomAnchor.constraint(equalTo: view.bottomAnchor),
childView.view.leadingAnchor.constraint(equalTo: view.leadingAnchor),
childView.view.trailingAnchor.constraint(equalTo: view.trailingAnchor),
childView.view.widthAnchor.constraint(equalTo: view.widthAnchor),
childView.view.heightAnchor.constraint(equalTo: view.heightAnchor)
]
childView.view.translatesAutoresizingMaskIntoConstraints = false
view.addConstraints(constraints)
DispatchQueue.main.async {
self.present(childView, animated: true)
}
}
}
}
}
Apple really don't make it easy to develop for their platforms, do they?
I have a Logitech Yeti GX microphone, which is working, but i am unable to fully use all its features because of a driver issue. Logitech states the following to resolve "The program Logitech G Hub Driver installer tried to load a new driver extension. To enable this extension, open Systems Settings>General>Login Items & Extensions>Logitech G Hub HID Driver Extension> Toggle on.... that appears to be simple enough... only problem is that Driver Extension doesnt exist as an option for me. Any thoughts as to why not? Thanks for your help.
Hi,
I'm implementing a Message Filter Extension and need clarification about the ILMessageFilterExtensionNetworkURL Info.plist key.
Is it valid to include query parameters in the URL like:
https://example.com/test?id=123
I want to make sure this approach will pass App Review before implementing it. The query parameter would be used to identify the client making the filtering request.
Has anyone successfully used URLs with query parameters in their approved Message Filter Extensions? Any insights would be appreciated.
Thanks!
I am trying to return a SceneView from a DeviceActivityReport. I have my DeviceActivityReportExtension correctly set up and I am able to display a view with text or other UI elements in it, but attempting to return a SceneView as part of the body just won't display. I have this example. When I display this SceneView in my main app, it displays correctly. When I put the same code inside the DeviceActivityReportExtension, the scene does not show up and an error failed to create a gl context appears repeatedly in the console. I'm pretty stumped and would appreciate any suggestions.
import SwiftUI
import SceneKit
struct TestScene: View {
var scene: SCNScene? {
SCNScene(named: "art.scnassets/environment.scn")
}
var cameraNode: SCNNode? {
let cameraNode = SCNNode()
cameraNode.camera = SCNCamera()
cameraNode.position = SCNVector3(x: 0, y: 0, z: 2)
return cameraNode
}
var body: some View {
SceneView(
scene: scene,
pointOfView: cameraNode,
options: [
.allowsCameraControl,
.autoenablesDefaultLighting,
.temporalAntialiasingEnabled
]
)
}
}