I'm wondering if there's a way to capture the SSL/TLS key log / ephemeral keys from Safari for troubleshooting like there is for Firefox & Chrome by setting the SSLKEYLOGFILE environment variable. I'm troubleshooting an issue where Safari doesn't load certain CSS and JPEG elements on the first load, but when hitting refresh, those same elements load fine. Clearing the cache or using "disable caches" in the network tab of the inspector will cause the elements to fail to load again. Safari shows that it received a header, but no content. Wireshark shows four TCP/RST packets coming from the client / Safari. The same site loads without issue every time using Firefox or Chromium. I'm hoping that someone knows how to capture the TLS session keys from Safari so I can look deeper into the packet capture and figure out if Safari is incorrectly parsing the server's response or if there is some subtle corruption in the response that Safari rejects, but other browsers accept. So, does anyone know how to capture the raw data transfer or TLS session keys from Safari? Thank you!

Since iOS 17.4 when open a camera in Safari, video stop when download popup appear and video doesn't restart expect when go to home menu and reopen Safari This comportment wasn't present before 17.4 To Reproduce : https://zcqqjd.csb.app/ Step 1 : Click on start Camera Step 2 : Click on Download Picture

My organization is using mutual TLS authentication for HTTPS, with PIV cards storing the certs. We observe that some OS X devices send only the leaf certs when establishing the mTLS connection, whereas others send the entire chain. We cannot validate the leaf cert without the intermediate cert, so those clients are rejected. What drives the decision whether to send the whole chain, vs the leaf cert only? For more details, and some things we observed. The PIV cards are US DoD CAC cards: https://www.cac.mil/common-access-card/ The client cert chain on the card looks like this: Leaf client cert, CN=LastName.Name Intermediate cert, CN=DOD ID CA-70 "Root" cert, CN=DoD Root CA 6 through 8.: Additional interoperability certs. Our system is set up to trust the "root" cert CN=DoD Root CA 6. Neither the leaf cert, nor other certs in the chain are trusted by Apple Keychain Trust Store by default. We find that most laptops will send the entire chain, 1 through 8, when establishing the mTLS connection with our servers. This allows us to validate them correctly. On a subset of OS X devices, Google Chrome will only send the leaf chain. This happens even when we use exact same PIV card, and exact same PIV reader as on working laptops. Safari will not send any cert at all. We found that if we explicitly add the CN=DoD Root CA 6 to the Apple Trust Store, Google Chrome and Safari will start sending a short chain, containing only certs 1 through 3. This allows the server to validate them. When we remove it from Trust Store, Chrome is back to sending only leaf, but Safari will not even send the leaf. Again, this only happens on some laptops; on most of the laptops, both Safari and Google Chrome will send the entire chain, regardless of whatever is set up in Trust Store. My suspicion is that for some reason, on those laptops, Safari will not send the client certs that OS X doesn't trust. This makes sense, but this is not the behavior we want. We want the same behavior on the working laptops, which is to send the whole chain. All of our laptops are on OS X 14.4

Our app uses Azure B2C for SSO login, and we are noticing a bug on Safari 17.x (any browser on iOS 17.x, and Safari 17 on Mac OS) where the Azure B2C cookies go missing during the registration process, which leads to a broken user experience. The following cookies are the ones that go missing The only forum posts related to this issue I have come across are these: https://techcommunity.microsoft.com/t5/azure/azure-app-on-ios-17-not-working/m-p/3958809 Which links to this https://techcommunity.microsoft.com/t5/intune-customer-success/day-zero-support-for-ios-ipados-17-and-macos-14/ba-p/3930010 Is this in bug that will be fixed in an upcoming release on Safari 17.x?

Even when iOS's '"." Shortcut' keyboard setting is enabled, double-tapping the spacebar in WKWebView doesn't insert a period. While making WKWebView editable , "." shortcut is not working. It works fine when any other external keyboard is used. I am facing this issue in WKWebView using apple keyboard. Even forceful adding javascript to replace double tap of space bar to period character logic is not working.

Hi I am using safari in iPad OS (17.4). when I am checking the user agent, It is showing like Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15 there is no indication that it's from iPad. How would I detect iPad from user agent whereas on IPhone it can easily be detected. Could you please help me here?

Safari 17.3 - Where did Menu Item Develop: 'Disable Java' go? Is there a method to re-enable it?

I had my website perfectly opening before the iOS 15 update for iPhones. But after that whenever anyone is opening my website it shows blank screen. It is working fine MacBook safari, chrome and all other android devices. Here is the link to the website : [https://startstaging.web.app/PO/1709528483037) I have cleared history, cache, have done resetting the phone, still it hasn't done anything. I don't know how to make it work, do help.

Why is the image on the tab page not updated in real time when the href value of the tag element changes?

Hi, We have recently observed that support for PWAs has been ended in the EU region in iOS 17.4. The changes were visible while the OS was in beta as well. We have a web app with our user base in the US. Is there any plan for these restrictions to be implemented in any other region?

It is 2024. WebGPU has been available for Safari on desktops since December of last year, as well as other browsers for quite some time. It's about time it was made available on the IPAD; at the very least as an advanced feature. WebGPU provides many opportunities to create compelling experiences in other browsers on different device, but not in the Safari browser for IPAD users. I bought an IPAD a few years ago, but the lack of ability and sub-par software, is one of the reasons I can't justify buying another, and many students feel this way. I know so many that are still buying android and surface pros because we are being held back from both creating and consuming newly possible web experiences when we use IOS devices. There are quite a few other things we need, such as a proper set of dev tools, even just for the browser, but webGPU is a must in order to stay competitive. Students who bought IPADs for school and for development need to be allowed to keep up with those using other platforms. Machine Learning, Signal processing, image processing, anything could benefit from compute shaders and uniforms... massive number crunching capability is a must going forward in the web, and those with IPADs need to be allowed to take part. More capabilities will equal more sales.

I'm revisiting code I developed a while back for managing data entry about users, which includes giving them a username and password in the form that an administrator uses. I thought I'd found a way previous to get Safari to NOT try to over-write a field called username with the administrator's username and to NOT store the password they'd entered / reset against their credentials stored in the administrator's keychain. It seems to still be working in other browsers, but for Safari, it's stubbornly popping up "save this password" and offering to autofill... it's driving me nuts. Is there a solution?

We have a payment process in an app which involves loading up a Web page to allow a user to enter credit card details, and to complete a transaction. This web page may result in a 3D-Secure step up challenge. For PCI compliance purposes we launch this in a SFSafariViewController. This 3D secure process involves a collection of redirects, with a final one back to us known as the "Merchant Page". In here, we want to do one more redirect, using a custom URL scheme, to allow the app to recognise that the process has completed, and can safely dismiss the SFSafariViewController. In those cases where no "step up 3d challenge" occurs, the process works well, the final redirect occurs, and our app successfully dismisses the SFSafariViewController. However, in a step up challenge, the Merchant Page loads, but any attempt to do the final custom redirect does not execute. I believe this is a feature of Safari - What I think is going on is that enough time has passed since there was user interaction on the page, and the final redirect, which isn't a https or http link (it is a myapp:// link) simply gets ignored. We've tried a lot of things. One thing works: If we provide a button, and when it is tapped, it sets window.location.href = 'myapp://success?', this works. This is a clue to if it is cause by lack of user interaction. We've tried lots of things: Rather than a javascript redirect, we tried server side redirecting; we tried all of the HTTP 300 response codes. They were all ignored We tried the meta refresh (which we know is kinda deprecated). We tried window.location.href = , window.location.assign(), document.location.href, document.location.assig(), etc. We tried issuing an Ajax XMLHttpRequest, but this failed because it isn't https or http We even tried to suggest our non-standard URL was the source of a script, just to trigger it but it didn't work. We've tried calling in during body onload We've tried calling it using a timeout in case timing was relevant. My gut feeling here is this is a feature. I've used Safari Debugging, and it literally steps over the window.location.href assignment, and doesn't produce a warning or an error. We've added try/catch, and no exception was thrown. Again, it leads me to believe this is all by design (perhaps to prevent ad fraud or something?). I was kinda hoping that in the response, we'd be able to specify a CORS header that tells the browser that "it will be ok to use resources from myapp://", but haven't found the right one. We may end up having to simply produce a button with a message "Your transaction has completed, please press here to dismiss", but it is terrible UX that is unnecessary. I've seen a number of posts elsewhere suggesting that redirects without user interaction can be considered suspicious, and I've experience of this same problem on another browser. If anyone has cracked this one, I'd love to know how

Can someone share how secure is the communication between iOS app and its safari mobile extension. Is it encrypted? Are there any references to best practices to follow? If a user has opened multiple tabs and has multiple extensions can there be security issues during their communication like one extension able to read other extensions memory?

I'd like to place a search bar of top of the main window of my visionOS app. It should look similar to Safari's search bar, and also show search results as the user types. How can this be accomplished?

Problem statement- WKWebView cookies management. We need to clone the connection used by the WKWebView to the same end point, this connection utilize cookies for routing and missing even one the cookies will end up with a wrong route to be used. It appears that when retrieving the cookies from the WKWebView connection some cookies are missing. From some analysis seems that the missing cookies all have in common a value containing special characters. The question for Apple is if they are going to relax the constraint on cookies value to allow such cookies to be used. Technical Description:- We are using WKWebView. There are some cookies being set during server connection. We are retrieving all cookies using 'getAllCookies' method of WKWebview. Sometime its not giving correct set of cookies in case if there are any special characters in any cookie. For example - Cookie- ss2QKagAdkAV3My1pnKElaFDnQ6lxhgqNbD03IaRbX6WfDz2+P9dT6DdlK8G5WIH3svEATnehZSmWGQ3QFTnew==\n It contains special character "+ = !".

The Safari version for VisionOS (or spatial computing) supports WebXR, as reported here. I am developing a Web App that intends to leverage WebXR, so I've tested several code samples on the safari browser of the Vision Pro Simulator to understand the level of support for immersive web content. I am currently facing an issue that seems like a bug where video playback stops working when entering an XR session (i.e. going into VR mode) on a 3D web environment (using ThreeJS or similar). There's an example from the Immersive Web Community Group called Stereo Video (https://immersive-web.github.io/webxr-samples/stereo-video.html) that lets you easily replicate the issue, the code is available here. It's worth mentioning that video playback has been successfully tested on other VR platforms such as the Meta Quest 2. The issue has been reported in the following forums: https://discourse.threejs.org/t/videotexture-playback-html5-videoelement-apple-vision-pro-simulator-in-vr-mode-not-playing/53374 https://bugs.webkit.org/show_bug.cgi?id=260259

The SFSafariViewController documentation mentions not to display content from websites when using the pageSheet and formSheet presentation styles for the In-App browser. Is this a hard restriction that is enforced or more of a loose guideline? And if possible, providing the reasoning behind it would be great. Thanks in advance.

Trying to test application using the WebXR features of Safari on Vision Pro. The colors of the objects in the scene when viewed in the normal Safari window look correct. Upon entering immersive mode all the colors are washed out. I've read reports of this issue elsewhere on the web with no cause or solution given. What could be causing this? The Vision Pro is running visionOS v1.0.3.

Safari Browser killing Long Running API requests after 60 seconds. Do we have any way to increase a timeout limit?