I am posting here because we have an urgent issue affecting the operation of our service and are in need of a solution after our own analysis has come up with few answers. Beginning in iOS 18.2.x, we experienced exactly the same issue as the author of this thread, as we are also operating a service that allows for device certificate login for users configured to require one: https://developer.apple.com/forums/thread/767374 The author seems to have resolved the issue but the fix mentioned in the thread did not resolve our problem for iOS devices with iOS 18.2.x installed and the contents of that private support ticket are, of course, not visible to us. Furthermore, we have a different issue that surfaced with the release of iOS 18.3.x. Namely, the issue in iOS 18.3.x is more severe than the one in iOS 18.2.x, in that instead of simply taking a long time for the certificate/identity selection dialog to appear, it simply fails immediately and is returning a “no certificate selected” response to our server. One thing to note here is that, curiously, if we wait for several seconds (about 10-15 seconds) this behavior is not replicated. So, it seems there is potentially something going in the background, and the certificate selection process will only occur successfully like before if we wait. This is a very unideal workaround. After entering user credentials, we have the user navigate to a dedicated certificate authentication page. On the BIG IP side, upon users visiting this page, we have it configured to apply an SSL profile that contains appropriate CAs for the given user, and then requests to the browser that a new connection requiring a certificate be made. We are investigating this by checking logs in in a variety of places: We can verify in BigIP logs that a response is being returned to the server without a certificate included. For the sake of our application, this is handled as a “user did not select a certificate” event, and thus the attempted login is failed. Using the MacOS “Console” application, we are able to see the following logs from the “trustd” process of the target iOS 18.3.x device: Failure case: debug 11:19:49.648581+0900 trustd XPC [com.apple.WebKit[1034]/1#25 LF=0] operation: trust_evaluate (8) debug 11:19:49.648766+0900 trustd complex trust settings anchor Successful case (after waiting 10-15 seconds after initial login page load/before moving to certificate page): debug 11:26:02.803153+0900 trustd XPC [MobileSafari[1031]/1#169 LF=0] operation: trust_evaluate (8) debug 11:26:02.804219+0900 trustd non ev score: 121 <private> There appears to be no attempt by MobileSafari to initiate the display of a certificate selection window in the failure cases. The iOS device is swift to return a response with no certificate selected to Big IP, and the result of “no certificate selected” is thus propagated through Big IP and ultimately to our web service. Does anyone have any advice or information on the following? Recommended tools to gather more data that may be pertinent. Any ideas on changes in iOS 18.2.x+ that could have resulted in the behavior changing as described above? If more information is necessary, I will do my best to supply it. Thank you in advance!

We are currently running a lightweight server within our iOS mobile app to pass a unique device ID via localhost for device-based restrictions. The setup works by binding a user's email to their device ID upon login, and later, when they attempt to log in via a browser, we retrieve this ID by making a request to http://localhost:8086/device-info. However, we're encountering an issue when making this request. Here’s the error message: Error fetching device info: TypeError { } r@webkit-masked-url://hidden/:27:166011 value@webkit-masked-url://hidden/:27:182883 @webkit-masked-url://hidden/:27:184904 We are making this request from an HTTPS website, and we suspect this could be related to mixed-content restrictions. Could you guide us on how to properly make localhost requests over HTTPS, especially in a production environment with the necessary security measures? Any insights or best practices on resolving this issue would be greatly appreciated.

I reported this bug one year ago in https://developer.apple.com/forums/thread/746406, but as it is not been fixed yet, I'm going to try by opening this new incident report. iOS is not working for the Unicode Variation Selector-15 (U+FE0E) for all the characters. Can you please apply that variation selector to all your Unicode characters? I) Steps to reproduce the issue: navigate in safari to the page https://eurovot.com/vs.htm II) Expected result: as the 1st column of characters have the Variation Selector-15 (U+FE0E) applied, and the 2nd column have the Variation Selector-16 (U+FE0F) applied, the first column should always display text characters (in orange) and the second column emoji characters. III) Error result: some characters are working fine in the 1st column and displayed as text (in orange colour), but some other aren't displayed as text, they wrongly displayed as emojis instead.

I'm referring to the following: https://developer.apple.com/documentation/automaticassessmentconfiguration I can't find this information anywhere. I'm wondering if I can enable and disable this function in Safari or other browsers on my website.

I'm posting a question here as I have encountered an issue while seeking help from engineers in the thread. thread773837 If the "Not Secure Connection Warnings" is enabled in Settings > App > Safari, are HTTP connections not allowed under any circumstances? I also posted a question about NSAllowsLocalNetworking not being applied, and I was informed that ATS (App Transport Security) is not related to SFSafariViewController. If that's the case, what feature causes the error "Safari cannot open the page. Error: Failed to navigate to an HTTP URL with HTTPS-only mode enabled"? I am currently working to resolve this issue.

Hi, now we could try WebGPU by manually enabling it in feature flags in no matter Safari or Safari technology preview on macOS. But, do we know when this WebGPU feature would be enabled by default or any plan to enable it by default in Safari? Thanks!

We are building a Safari web extension utilising native messaging, to send messages to the Swift native part of the app. We sometimes experience, that the beginRequest handler is executed multiple times, at the same time. We have a special part of the code in the handler, that must be run only once. Because it uses NS defaults storage, and also because it calls our servers. We have tried to use a serial dispatch queue, as well as other locking and mutex techniques, to no success. We suspect that the instances of the handler are isolated in a way, that these locks don’t work (maybe they don’t share memory?). But we are not sure. When looking at os_logs from the handlers, they all share the same PID. Has anyone experienced anything similar and can shed some light on what's going on?

Hi all, Chrome has it already - animation-timeline aka scroll-animations. I can nowhere find any informations on what's the status in Safari/Webkit. Seems like they do not have it on the agenda at all? Does anyone know anything - I wanted to push a feature request for that - but also seem there is no feature request list anymore for webkit. See: https://www.w3.org/TR/scroll-animations/ Cheers and kind regards!

How can i add Authorization header to a wkwebview. I checked https://developer.apple.com/documentation/foundation/nsurlrequest#1776617 which says Authorization header is a reserved http header and shouldn’t be set. I want to set it when requesting a url to the server which will be used for verification. How can i do that?

I'm not sure if this is even the right place to ask this, or voice this complaint if there's no fix. If not, please direct me where to go. I'm trying to switch all my development over to Safari, but the tab sidebar is driving me absolutely insane. Let's say I have a bunch of tab groups expanded, and I collapse the sidebar to focus on the webapp I am building. When I toggle to show the sidebar again, every single tab group is collapsed. Why is it 2 clicks to see the tabs in the sidebar? Even with zero tab groups, and just tabs in the workspace, if you collapse the sidebar it'll collapse the list of tabs. Is there some hidden setting for this? Who do we have to complain to?

Hi, We have a native application with a webview part. When we open the app, we load webview resources in a false foreground. The webview communicates with the native part to query local variables, among other things. We have noticed that for the past few weeks, when the biometric component is presented to enter the fingerprint or faceId, while the component is displayed, the webview does not respond. We do not see the calls made by the webview, nor can we respond to them. Even if you open the Safari debugger, the webview does not respond UNTIL you close the biometric component in the native part. This has created a big problem in our app, and we wanted to know if it is an issue you had on your radar. Thank you very much.

I can open an app (e.g. tiktok) from a website of mine by using the deeplink “tiktok://open”, if the app is installed on my iphone. What's the deeplink to launch TestFlight? Thanks in advance

Hello! I've made a Safari extension that supports command "ReTab", and a couple of month ago, adding a customized macOS shortcut for Safari with menu title "ReTab" did trigger the extension. However, it's not working anymore and I'm not sure if it's from macOS/Safari update or because I changed manifest from v2 to v3 - could you help check if there's anything wrong with either the manifest.json or background.js? (the default Cmd+E still works) Thank you in advance! Xun manifest.json: { "manifest_version": 3, "default_locale": "en", "name": "ReTab", "description": "Go to the last active tab with Cmd+E!", "version": "1.4", "homepage_url": "https://LycheeIsle.com", "background": { "service_worker": "background.js" }, "action": { "default_icon": "images/toolbar-icon.svg" }, "permissions": [ "commands", "tabs", "storage" ], "commands": { "ReTab": { "suggested_key": { "default": "Command+E" }, "description": "Go to the last active tab" } }, "options_page": "options.html" } in background.js, I have this line which should listen to the command, and Cmd+E works but any customized shortcut for "ReTab" in Safari doesn't: browser.commands.onCommand.addListener(async (command) => { if (command === "ReTab" || command === "retab") { await retab() } });

Safari 18.0.1 on macOS 15.01 doesn't support the Passkey PRF extension during cross-device WebAuthn authentication when using QR code scanning, while it works correctly with iCloud passkeys. Steps to Reproduce: Clone and setup: git clone https://github.com/quocle108/passkey-prf-test yarn yarn start Test iCloud Passkey Flow: Open http://localhost:3000 in Safari Open DevTools (Cmd+Option+I) Click "Register" Choose "Passkey on iCloud" Expected console output: PRF supported: true Test Cross-Device Flow: Click "Register" Choose "Phone/Tablet" Scan QR with mobile device Expected: PRF supported: true PRF extension should be supported in cross-device flow, matching iCloud passkey behavior. Actual: PRF supported: false Cross-device flow returns empty extension results. Verify in Chrome Repeat steps 2-3 in Chrome Both flows return proper PRF extension results: PRF supported: true Test Environment: Browser: Safari 18.1.1 , Chrome 131.0.6778.70 OS: macOS 15.01 Mobile: iOS 18.x / Galaxy Note9 Android 10 Test repo: https://github.com/quocle108/passkey-prf-test

I am currently developing an app using WKWebView. In iOS 17, Apple introduced ProxyConfiguration, and I have two questions regarding its usage: Is there a way to use ProxyConfiguration to distinguish between HTTP and HTTPS traffic? I have reviewed the documentation but couldn’t find a clear method for this. As an alternative approach, I am attempting to determine the request scheme within WKWebView and switch proxyConfigurations just before loading the request. My current implementation sends requests to hoge_a by default and switches to hoge_b only for HTTP traffic. 　 if #available(iOS 17.0, *) { if URLString.contains("http:") { webView.configuration.websiteDataStore.proxyConfigurations = [hoge_b] } } webView.load(request) if #available(iOS 17.0, *) { if URLString.contains("http:") { webView.configuration.websiteDataStore.proxyConfigurations = [hoge_a] } } 　 2. Since I modify proxyConfigurations every time webView.load(request) is called, are there any potential issues or concerns with this approach? I would appreciate any insights you may have on either of these questions.

If "Not Secure Connection Warnings" is enabled in the Settings > App > Safari, are no HTTP connections allowed? Setting NSAppTransportSecurity does not seem to apply either.

Dear Apple Developer Experts, We're experiencing an intermittent issue with WKWebView in our macOS application where local HTML file access is occasionally denied by the sandbox, despite proper implementation and permissions. We seek your guidance in understanding and resolving this issue. Issue Description: The WKWebView occasionally fails to load local HTML files stored in the app's Contents/Resources directory Error occurs in WebKit Networking Process with sandbox denial Issue is intermittent and can be resolved by app restart or WebKit Networking Process restart Affects all local HTML files in the same directory once the issue occurs Technical Details: Error from Kernel Log: 2025-02-07 14:57:17.179821 +0800 kernel Sandbox: com.apple.WebKit.Networking(58661) deny(1) file-read-data /Applications/DingTalk.app/Contents/Resources/webcontent/contact-2024.html WKWebView Delegate Error (captured in WKNavigationDelegate method): (void)webView:(WKWebView *)webView didFailProvisionalNavigation:(WKNavigation *)navigation withError:(NSError *)error Error Details: Domain: NSPOSIXErrorDomain Code: 1 Description: "Operation not permitted" UserInfo: { networkTaskMetricsPrivacyStance: Unknown, _NSURLErrorFailingURLSessionTaskErrorKey: LocalDataTask &lt;3694CA1E-481B-4E06-975D-E3A56AD56C0F&gt;.&lt;1&gt;, _kCFStreamErrorDomainKey: 1, _kCFStreamErrorCodeKey: 1 } Key Observations: Error is captured in WKNavigationDelegate's didFailProvisionalNavigation method The issue affects all local HTML files in the same directory once it occurs Temporary workarounds we've discovered: Restarting the application completely resolves the issue Without restarting the application, terminating the "WebKit Networking Process" via Activity Monitor causes the process to automatically restart, and this resolves the issue and load works again Additional Information: We've collected complete system diagnostics (system_logs.logarchive) at the time of failure The issue appears similar to discussions in Apple Developer Forums (https://developer.apple.com/forums/thread/110072), though we're uncertain if it's the same root cause We've prepared a minimal demo project demonstrating: Our release version app can be downloaded from: https://dtapp-pub.dingtalk.com/dingtalk-desktop/mac_dmg/Release/M1-Beta/DingTalk_v7.6.45_43521682_universal.dmg?spm=0.0.0.0.UuwovG&amp;file=DingTalk_v7.6.45_43521682_universal.dmg for examining our app's codesign, sandbox, and entitlements configurations if needed Important Investigation Finding: We attempted to simulate the issue by using chmod 000 /path/to/test.html, but this produces a different error: CopyError Domain=NSURLErrorDomain Code=-1102 Description="You do not have permission to access the requested resource." UserInfo={ NSLocalizedDescription=You do not have permission to access the requested resource., NSErrorFailingURLStringKey=file:///Users/sunus/Library/Developer/Xcode/DerivedData/WKWebViewLocalDemo-eumardnlfbmwgnhkaadglsrrhzhs/Build/Products/Debug/WKWebViewLocalDemo.app/Contents/Resources/test.html, NSUnderlyingError=0x600003aedc50 {Error Domain=kCFErrorDomainCFNetwork Code=-1102 "(null)"} } This error is distinctly different from our original issue's "Operation not permitted" error, suggesting that the sandbox denial we're experiencing is not a simple file permission issue. Questions: Is this a known issue with the WebKit sandbox in recent macOS versions? Are there recommended best practices or workarounds to prevent this sandbox denial? Could this be related to the WebKit Networking Process's sandbox configuration? Are there additional diagnostics or logs we should collect to help investigate this issue? We appreciate your assistance in investigating this issue. Please let us know if you need any additional information or clarification. STEPS TO REPRODUCE Open App Then loads the local file in /WKWebViewLocalDemo.app/Contents/Resources/test.html PS, We also submit a DTS &amp; Feedback DTS:Case-ID: 11876957 Feedback-ID: FB16493282 sysdiagnose is in the Feedback-ID: FB16493282 is uploaded

Sometimes the Safari App Extension i'm developing does not show up in my Safari Extensions unless i change mu bundle identifier to some unique name. Even if I delete all other apps i've built with the same (and different) bundle ID, the extension is still does not show up. The only solution for me is to always change the bundle ID. For example: Now it is "kopyl.tab-finder-10" If i change it to "kopyl.tab-finder-11", the extension does show up in the Safari extensions settings page again. Is there any other way to fix it?

I am currently developing a Chrome, Firefox and Safari web extension, and I am facing a CSP issue on the content script on Safari. The extension I develop has a content script that injects an img tag in the DOM of web pages the user is visiting. That img tag fetches its content at a specific URL. On Chrome and on Firefox, the img tag content fetches the content at the URL with no issue on every web pages, including those that set the CSP header img-src. On Safari, I'm getting the following error on web sites that set the img-src CSP header: Refused to load https://axxlfrmnpq.cloudimg.io/www.macifavantages.fr/wp-content/uploads/2021/06/Garmin-logo.png?func=bound&w=225&h=113 because it does not appear in the img-src directive of the Content Security Policy. Here is the actual CSP img-src header content of the web page where, on Safari, the injected img tag does not load the content at https://axxlfrmnpq.cloudimg.io/www.macifavantages.fr/wp-content/uploads/2021/06/Garmin-logo.png?func=bound&w=225&h=113: Content-Security-Policy: img-src https://secure.adnxs.com https://www.facebook.com https://.garmin.cn 'self' data: .garmin.com .trustarc.com .truste.com https://static.garmincdn.com https://www.google.com https://www.google.co.uk https://prefmgr-cookie.truste-svc.net https://res.cloudinary.com https://res.garmin.com https://.criteo.com https://.doubleclick.net https://www.googleadservices.com https://px.adentifi.com https://rtb.adentifi.com https://.teads.tv https://www.googletagmanager.com https://bat.bing.com https://.yahoo.com https://sync.outbrain.com https://*.google-analytics.com https://stats.g.doubleclick.net https://static.hotjar.com https://script.hotjar.com .akamaihd.net https://.tealiumiq.com https://deploytealium.com https://pixel.mediaiqdigital.com; My question is, is the page CSP blocking the img tag injected in the web page by the extension's content script? If so, is this behavior documented somewhere, or is it a Safari bug? I saw there is a similar post on the forum, but I couldn't find if the issue is a bug or if it's the expected behavior on Safari: https://developer.apple.com/forums/thread/651542?login=true. Thank you very much for your help.

We have an app store app that hosts an internal webserver we use as a proxy and it works for a period until iOS 18.3.x decides our cert is no longer valid at which point our customer have reinstall the app. This has only become a problem on iOS18.3. We publish the self-signed with out app, and it is valid and accepted until it's not. We know the cert is valid and our implementation of the local proxy has not changed. If we install a cert on the device and trust it, then the app will start behaving normally again without reinstall. We have replicated this locally and the error we are seeing is: Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _WKRecoveryAttempterErrorKey=<WKReloadFrameErrorRecoveryAttempter: 0x301111e40>, networkTaskDescription=LocalDataTask <541390E2-65FA-47AB-80B1-10209D6C761A>.<3>, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=( "<cert(0x108e3b700) s: 127.0.0.1 i: 127.0.0.1>", "<cert(0x108e3b980) s: 127.0.0.1 i: 127.0.0.1>" ), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://localhost:8082/Blablal/?device=ios&sftouch=1&pgport=8081&secure=1, NSErrorFailingURLStringKey=https://localhost:8082/blahblah/?device=ios&sftouch=1&pgport=8081&secure=1, NSUnderlyingError=0x301e1d680 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9802, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9802}}, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDataTask <541390E2-65FA-47AB-80B1-10209D6C761A>.<3>" ), _kCFStreamErrorCodeKey=-9802, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <541390E2-65FA-47AB-80B1-10209D6C761A>.<3>, networkTaskMetricsPrivacyStance=NotEligible, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x302670a50>, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.}