In Safari 18.4, when loading https://facebook.com, the browser uses traditional HTTPS over TLS 1.3 (TCP/443), and the SNI is visible in the ClientHello. Our NetworkExtension-based app parses this handshake to extract the domain name.
However, in Safari 18.5, the same request to facebook.com now defaults to QUIC protocol (UDP/443) and bypasses TCP/TLS. As a result, we no longer receive the SNI or any domain information, breaking our functionality which depends on SNI parsing from TLS.
Expected Behavior: Safari should provide a configuration or fallback mechanism to disable QUIC per-domain or globally. Alternatively, Safari should expose domain name info in a way that respects platform-level filtering tools and extensions.
Steps to Reproduce: Open Safari 18.5 Navigate to https://facebook.com Observe that the request uses QUIC (UDP/443) Attempt to extract SNI using NetworkExtension's packet inspection — fails due to QUIC
Impact: This behavior breaks endpoint security and monitoring tools that rely on SNI visibility Not backward-compatible with Safari 18.4
Notes: Behavior not observed in Safari 18.4 (domain visible via TLS ClientHello) Observed only for facebook.com and a few other major domains We use a NEFilterDataProvider and NEFilterPacketProvider for analysis