Hi,
I have developed a simple web proxy application in order to block/allow connections based in some user-defined criteria. HTTP/S traffic is being injected into this proxy by means of PF rules.
I have noticed that when I enable Screen Time -> Content & Privacy Restrictions -> Limit Adult Websites, then two things happen:
- A network kernel extension is loaded
- com.apple.nke.webcontentfilter
- A user-mode proxy is launched
- com.apple.webcontentfilter.dns
- com.apple.webcontentfilter.proxy
It seems that the NKE is setting a socket filter globally in order to redirect traffic to that user-mode proxy (/System/Library/PrivateFrameworks/WebContentAnalysis.framework/Resources/webfilterproxyd)
I have observed that with Safari, the PF rules still have effect and my simple web proxy is feeded with traffic (checked with wireshark, pfctl & lsof)
On the other hand, that behaviour is not reproduced using other browsers (e.g. Chrome & Firefox).
I would need assistance/advice in order to understand why Safari is behaving differently.
Thank you in advance.
--- Test env ---
- OSX 12.6
- Safari 16.0
- Chrome 106
- Firefox 106
