WebAuthn Level 3 § 5.1.3 Step 22 Item 4 states the steps a user agent MUST follow when "conditional" mediation is used in conjunction with required user verification: Let userVerification be the effective user verification requirement for credential creation, a Boolean value, as follows. If pkOptions.authenticatorSelection.userVerification is set to required If options.mediation is set to conditional and user verification cannot be collected during the ceremony, throw a ConstraintError DOMException. Let userVerification be true. On my iPhone 15 Pro Max running iOS 18.5, Safari + Passwords does not exhibit this behavior; instead an error is not reported and user verification is not performed (i.e., the UV bit is 0). Per the spec this results in a registration ceremony failure on the server which is made all the more "annoying" since the credential was created in Passwords forcing a user to then delete the credential. : If the Relying Party requires user verification for this registration, verify that the UV bit of the flags in authData is set. In contrast when I use Google Password Manager + Chrome on a Samsung Galaxy S24 running Android 15, user verification is enforced and the UV bit is 1. Either the UV bit should be 1 after enforcing user verification or an error should be thrown since user verification cannot be performed.

WebAuthn Level 3 § 6.3.2 Step 2 states the authenticator must : Check if at least one of the specified combinations of PublicKeyCredentialType and cryptographic parameters in credTypesAndPubKeyAlgs is supported. If not, return an error code equivalent to "NotSupportedError" and terminate the operation. On my iPhone 15 Pro Max running iOS 18.5, Safari + Passwords does not exhibit this behavior; instead an error is not reported and an ES256 credential is created when an RP passes a non-empty sequence that does not contain {"type":"public-key","alg":-7} (e.g., [{"type":"public-key","alg":-8}]). When I use Chromium 138.0.7204.92 on my laptop running Arch Linux in conjunction with the Passwords app (connected via the "hybrid" protocol), a credential is not created and instead an error is reported per the spec.

We're having trouble connecting to local area network websockets in Safari in the latest iOS26 Beta 3 (iPhone 14), both secure and unsecure. Code works < iOS26 & macOS, etc. -- Unsecure behaviour: need to call connectWebSocket() twice, establishes connection reliably. Calling connectWebSocket() once, will sometimes work, sometimes not. -- Secure behaviour: Error in debug console, even though the certificate has been accepted and the page is loaded as https. Error: WebSocket connection to 'wss://192.168.1.81/api/webSocket' failed: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “192.168.1.81”, which could put your confidential information at risk. -- let apiEndpoint = window.location.hostname; if (apiEndpoint == null || apiEndpoint == '') { apiEndpoint = "192.168.1.81"; } function connectWebSocket() { if (webSocket && webSocket.readyState == 1) { return; } if (webSocket) { webSocket.close(); } webSocket = new WebSocket( (window.location.protocol === 'https:' ? "wss://" : "ws://") + apiEndpoint + "/api/webSocket", ); webSocket.onerror = (error) => { console.log("WebSocket error", error); }; webSocket.onopen = () => { console.log("WebSocket connected"); webSocket.send("volume"); webSocket.send("isPlaying"); }; webSocket.onmessage = (event) => { const msg = event.data; if (!msg) return; if (msg.startsWith("volume")) { const volume = parseInt(msg.replace('volume:','')); const slider = document.getElementById("volumeSlider"); slider.value = volume; slider.style.background = `linear-gradient(to right, #007bff ${volume}%, white ${volume}%)`; } else if (msg.startsWith("isPlaying")) { const url = msg.replace('isPlaying:', ''); let matchedEntry = null; let coverToSelect = null; categories.forEach((category, catIdx) => { category.entries.forEach((entry, entryIdx) => { if (entry.url === url) { matchedEntry = entry; coverToSelect = document.querySelector(`.cover[category-idx="${catIdx}"][entry-idx="${entryIdx}"]`); } }); }); if (matchedEntry && coverToSelect) { selectCover(coverToSelect, true); showNowPlayingBar(matchedEntry); const top = coverToSelect.getBoundingClientRect().top + window.scrollY - 150; window.scrollTo({ top, behavior: 'smooth' }); } } }; webSocket.onclose = () => { console.log("WebSocket closed, retrying..."); setTimeout(connectWebSocket, 1000); }; } document.addEventListener("visibilitychange", () => { if (document.visibilityState === "visible") { connectWebSocket(); } }); connectWebSocket();

Hi, I’m trying to detect whether my Safari Web Extension is running in Safari or Safari Technology Preview. Is there a reliable way to do that? I can get the executable path of the parent process using proc_pidpath(). However, unlike Chrome or Firefox, Safari extensions run under /sbin/launchd as the parent process, not the responsible process (browser’s binary). In this scenario, I need the executable path of the actual browser process, but I haven’t found a way to get it. Also, Safari doesn’t implement the Web Extension API’s browser.runtime.getBrowserInfo(), unlike Firefox. I haven’t tested it yet, but I’m considering checking the user agent string, though I’m not sure how reliable that would be. Use Case Some users use my Safari extension as a web development tool and want to enable some features exclusively in Safari Technology Preview, while using other features only in standard Safari. If I could detect which browser is in use, I could provide the appropriate functionality for them.

Hi Apple Devs & WebKit Team, We operate https://excnum.com — a personal website currently under reconstruction. It's HTTPS-secure, hosted on a clean VPS, and now features a simple placeholder page with no active forms, scripts, or external redirects. However, Safari on both iOS and macOS is flagging it as a “deceptive website”, blocking all access. This warning appears even though: The site uses a valid SSL certificate via Cloudflare There are no redirects, tracking scripts, or dynamic code We serve a static landing page (“under maintenance”) with zero interaction No malware, phishing, or obfuscation exists — verified with multiple tools A review request has already been submitted at: https://websitereview.apple.com We believe the site may have been blacklisted previously under past ownership or prior configurations. It has since been completely restructured and cleared, but the Safari warning persists. This false flag is harming visibility and trust for an otherwise neutral website. Any advice on how to expedite re-evaluation or request a manual delisting from the deceptive site list would be much appreciated. Thank you! — Alex Admin, EXCNUM.COM

Hi everyone, I’m encountering a critical reliability issue with message passing in my Safari Web Extension on iOS 18.4.1 and iOS 18.5. In my extension, I’m using the standard messaging API. The background script sends a message to the content script using browser.tabs.sendMessage(...), and the content script registers a listener via: browser.runtime.onMessage.addListener(handler); This setup has been working reliably in all prior versions of iOS. However, after updating to iOS 18.4.1 and 18.5, I’ve noticed the following behavior: ✅ The content script is successfully injected, and onMessage.addListener is registered (I see logging confirming this). ✅ The background script sends the message using the correct tabId (also confirmed via logs). ❌ The content script’s onMessage listener is not consistently triggered. ⚠️ This issue is intermittent, sometimes the message is received, sometimes it is silently dropped. ❌ No exceptions or errors are thrown in either script, the message appears to be sent, but not picked up from the content script message listener.

Hello there, For a video like this <video src="blob:safari-web-extension://***" autoplay="" loop="" style="position: absolute; top: 0px; left: 0px; width: 100%; height: 100%; object-fit: cover; z-index: -1;"></video>, no matter if its local or remote, blob or mp4 files, is constantly being reloaded (refetched? revalidated?) if the loop tag is added. I can confirm there is actual constant traffic from the server based on my server logs. I am running iOS/macOS 26.

iOS 26 (from beta 1 to beta 2) We have a VPN app that installs a per-app VPN profile with SafariDomains to filter Safari network traffic. This setup works as expected on iOS versions lower than 26.0. See here more details on SafariDomains: https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf On iOS 26, all SafariDomains configured to go through the per-app VPN result in the following error: "Safari can’t open the page. The error was: Unknown Error" Additional Details: Only SafariDomains encounter this error. Other managed apps traffic through the per-app VPN works correctly. Steps to Reproduce: Install the VPN app with a per-app VPN profile. Configure SafariDomains with any URL (e.g., example.com). Open Safari and navigate to the configured URL. Example Configuration: We tested with a simple example by adding only one URL to SafariDomains (example.com). Logs from the console were captured at the moment Safari opened and encountered the error. safari_google2.txt Has anyone else encountered this issue on iOS 26? Any insights or solutions would be greatly appreciated. Thank you!

We are developing an app that uses Authentication Services to authenticate users. According to the documentation, this framework will open the default web browser if it supports auth session handling, and Safari otherwise. This is not entirely true, and users will be frustrated! macOS version: Sequoia 15.5; Safari version: 18.5. When: The default browser is not Safari, and supports auth session handling (Google Chrome and Microsoft Edge as examples); and - The Safari app is already running; The auth flow will: Present the confirmation dialog box with the default browser icon. Good! Open a Safari window, instead of the default browser's one. Bad! Respond with "User Cancelled" error to the app, after making the end user believe the auth was good. Very Bad!! If the app retries the auth session, the default browser window will open as expected, and it will work as expected. However, requiring users to authenticate twice is a very bad users experience... This issue does not reproduce, when either: Safari is not running at the moment of auth session start; The default browser does not support auth session handling; or - Safari is the default browser. Fellow developers, be warned! Apple engineers, feedback #18426939 is waiting for you. Cheers!

This is my first post, so please forgive me if it is to the wrong area. I've been using Tahoe for a few days and, overall, it's very stable. But the one thing that has bothered me to no end is Safari's new behavior with respect to its header (Address bar, Favorite bookmarks bar, tab bar) background color. The web content of the active tab seems to affect everything - and oftentimes makes things completely unreadable - at least in "Dark" mode. For instance, if a web page uses a white background, the Favorites bookmark labels are the same color as the bookmark background, so reading the labels is simply impossible. At other times, they're just very difficult to read. Similarly, it is almost always impossible to tell which tab is the active one - my only workaround is to try 100% brightness....or to just guess. When Apple previously experimented with letting content bleed through to the top, there was a setting for stopping it - but I don't see such a setting anymore. Do you you know of any way to stop this effect?

I'm not loving the huge Favorites icons in Safari on MacOS 26, is there a way to reduce the size of them so that we can see more favorites on the list without scrolling down?

We are seeing logs were on iOS devices we see some keyframes request. but on safari browser don’t see any request like this. could you please explain what is it. /d8ceb9244ff889b42b82eb807327531-c27dbcb10e0bbf3cde6c-1/d8ceb9244ff88e9b42b82eb807327531-c27dbcb10e0bbf3cde6c-1/keyframes/hls/.

I’m a developer working on a Safari Web Extension that’s distributed via the App Store and also tested locally through Xcode. I’m running into an issue that’s affecting my ability to debug errors reported to my Sentry error logging instance from production. The Problem When an error is thrown in one of my extension scripts (e.g., background.js, popup.js, or content.js), the error is sent to Sentry but the captured JavaScript error stack trace replaces the file paths with the webkit-masked-url://hidden placeholder like this: ReferenceError: Cannot access uninitialized variable. at ? (webkit-masked-url://hidden/:14677:28) at ? (webkit-masked-url://hidden/:16307:3) This happens consistently across both App Store builds and local Xcode runs. It prevents me from seeing which script the error came from or resolving the actual source code lines using uploaded source maps in Sentry. My Setup Safari Version: 18.5 (Stable on macOS) Distribution: App Store and local Xcode development Extension Type: Safari Web Extension Error Reporting: Sentry (@sentry/browser SDK) Bundler: Webpack with inline-source-map What I’ve Confirmed I can see the actual source files in Safari’s Web Inspector under the Sources tab when the extension is running. My source maps are uploaded to Sentry correctly and are associated with the matching release. Errors from Safari are being captured by Sentry, but the file URLs are masked, so stack traces cannot be resolved against my original source. My Question Is this behavior (masking file URLs in stack traces with webkit-masked-url://hidden/) intentional for Safari Web Extensions? If so, is there any supported method or workaround to allow exception stack traces to reveal the original script path (e.g., popup.js, background.js) so tools like Sentry or even console logs can point to real locations? I fully understand the privacy/security rationale behind the masking, but as the extension developer, this is making it extremely difficult to debug runtime issues in production. I’d really appreciate any insight into: Whether this masking is expected and permanent behavior If there are any entitlements, debug settings, or Info.plist keys that can alter this behavior for development or for trusted/own extensions If Apple recommends a different way to log extension errors that includes script name or source references Thanks in advance for your help! I’m happy to share more technical details or try out suggestions.

Based on the "Build immersive web experiences with WebXR"-Video for visionOS there is no way to disable the consent prompts for entering an immersive experience or consent hand-tracking. For the microphone it's possible to "greenlight" specific websites for mic input, which works great. I'd welcome it, if it were possible to add specific websites in the settings, in which those consent dialogs aren't shown each time. In my opinion, the user interaction through a button that launches the experience would be sufficient to not disorient.

Hey everyone, After installing iOS 26 beta, I started noticing unexpected behavior in our input event handlers. Specifically, when users type into an field, event.target.value is always an empty string — but only when the JS file is loaded from a specific domain (e.g., t1.daumcdn.net). The exact same code works perfectly when hosted on other domains like t2.daumcdn.net or search1.daumcdn.net. 👉 I created a demo here: 🔗 https://codepen.io/bzasklcu-the-sans/pen/rNXogxL The scripts loaded from each domain are 100% identical (apart from the top-level selector). Before iOS 26 beta, this worked fine. I suspect this is related to ITP or some new cross-origin behavior in Safari, but I’d love to know if anyone else is running into this — or if someone knows a workaround. Thanks!

Hey everyone, After installing iOS 26 beta, I started noticing unexpected behavior in our input event handlers. Specifically, when users type into an field, event.target.value is always an empty string — but only when the JS file is loaded from a specific domain (e.g., t1.daumcdn.net). The exact same code works perfectly when hosted on other domains like t2.daumcdn.net or search1.daumcdn.net. 👉 I created a demo here: 🔗 CodePen Demo The scripts loaded from each domain are 100% identical (apart from the top-level selector). Before iOS 26 beta, this worked fine. I suspect this is related to ITP or some new cross-origin behavior in Safari, but I’d love to know if anyone else is running into this — or if someone knows a workaround. Thanks!

Hello, I am developing a Mac application via Mac Catalyst and encountering an issue with WKWebView. Specifically, I'm loading a webpage (e.g., https://translate.google.com) in WKWebView, but when I press the copy button on the page, the content doesn't actually copy to the clipboard. I've attempted modifying the UserAgent without any success. Here is the relevant part of my code: override func viewDidLoad() { super.viewDidLoad() let config = WKWebViewConfiguration() config.preferences = WKPreferences() config.defaultWebpagePreferences.preferredContentMode = .desktop let webView = WKWebView(frame: .zero, configuration: config) webView.translatesAutoresizingMaskIntoConstraints = false view.addSubview(webView) webView.scrollView.showsVerticalScrollIndicator = false webView.backgroundColor = UIColor.white webView.scrollView.backgroundColor = UIColor.white webView.leadingAnchor.constraint(equalTo: view.leadingAnchor).isActive = true webView.topAnchor.constraint(equalTo: view.topAnchor).isActive = true webView.trailingAnchor.constraint(equalTo: view.trailingAnchor).isActive = true webView.bottomAnchor.constraint(equalTo: view.bottomAnchor).isActive = true if let url = URL(string: "https://translate.google.com") { let req = URLRequest(url: url) webView.load(req) } }

On iPads after updating to iPadOS 16.4, Safari often "looses" the session cookie provided by PlayFramework: When the browser requests assets (js scripts) or when additional data is fetched by JavaScript, the session cookie is not included in the request. These secondary requests will redirect through our IAM because no session cookie is present. The IAM redirects back to the original domain with a payload so that the login session can be resumed. A new Set-Cookie header is sent in the response with the new session cookie. This causes the framework to issue a new CSRF token (that is part of the session cookie) which is different from the old one that was already rendered into a hidden form input. The browser stores this new token and includes it when it POSTs the form. The token in the body of the request is now different from the one in the cookies, causing the CSRF check to fail. We have tried different devices (Android, Windows, MacBook, and iPads) on different versions. The problem only occurs with Safari on iPad/MacBook running version 16.4, 16.4.1, or 16.5 beta. The problem cannot be reproduced using Chrome on iPad. Furthermore, the problem does not occur with private browsing in Safari. Some things we ruled out: Same behaviour on devices managed by MDM and on open devices. PlayFramework version is now updated to the latest 2.8 version. Using a separate cookie for the CSRF token (instead of the play session cookie) does not make a difference either. Modifying the Cache-Control header to cache responses more aggressively or not at all does not help. Has anyone also experienced this or similar problems?

Hi everyone, I'm exploring the new app icon appearance options (Clear, Dark, Tinted) for Progressive Web Apps (PWAs) on iOS26, iPadOS26, and macOS26. Currently, PWA icons don't seem to render well with these new appearances, particularly in Clear and Tinted modes, resulting in very very poor visual quality. You can hardly see anything. Has support for these icon appearances been fully implemented for PWAs? If so, could someone point me to the relevant Apple Developer documentation or provide guidance on how to configure PWA icons to support Clear, Dark, and Tinted appearances? I've searched the Apple Developer Forums, Stack Overflow, and Reddit but haven't found clear information on this topic.A possible solution is a png file with transparent areas, but if the pattern is dark, nothing will be visible in dark mode. Any insights or resources would be greatly appreciated. Thanks! (plz don't give up on PWA😭) Reference: https://developer.apple.com/forums/thread/761615 https://stackoverflow.com/questions/78780916/is-there-a-way-to-provide-light-dark-and-tinted-variants-of-apple-touch-icon https://developer.apple.com/library/archive/documentation/AppleApplications/Reference/SafariWebContent/ConfiguringWebApplications/ConfiguringWebApplications.html

Hi, this is my first post in the community, so please correct me if i am posting this somewhat in a wrong manner. Im using my Apple M1 Pro(14inch, 2021) and installed the os 26 yesterday. Today, I was using Safari, and all of sudden it gets frozen, then the following window popped up. Is this something expected? i.e. my usage is somewhat unusual or is there any report around potential memory leak in Safari? appreciate any suggestions, as Safari is my main browser and currently on hold due to this issue. Thanks