I have been using the following python library to generate apple map snapshots. has worked fine until about ~12 hours ago - now all I'm getting is "bad request" for any snapshot with overlays. if it's just a snapshot with a defined center and no polyline overlays, it still works. perhaps something has changed with the api's way of parsing percent encoded parameters? it's super irritating that there's no changelog or source code to view. what the heck??? https://pypi.org/project/mapsnap/

Hi, i embedded vimeo video on the website and alreay make it allowfullscreen. However, when i open chrome/firefox on Ipad, the vidoe not showing fullscreen. Also on iPhone, when exit the fullscreen video. It doesnt hide the iframe element. Initially, i hide the iframe and implement button so that when user click on it, the video will display full screen

I want to know will element support an x3d model?

We are encountering a download issue in Safari 18.2 on macOS Sequoia 15.2 where file downloads initiated by our AngularJS application (such as Excel exports) are silently blocked. There are no errors in the browser console, and the download does not occur. Interestingly, after testing on Safari 18.3 with Sequoia 15.3, the downloads worked as expected. However, the problem reappeared on Safari 18.4 with Sequoia 15.4. We suspect that recent changes in Safari’s security or download handling may be preventing downloads triggered via asynchronous JavaScript (e.g., AJAX calls) that are not initiated directly by user interaction. We would appreciate any insights, suggestions, or possible workarounds from the community. Looking forward to your guidance on this matter.

Hello! I have a question about changes in default behavior of Safari related to cookie setting. We had an issue - our Single Sign On login was not working, because of lost cookie on some step of the flow. Only changes in Safari cross-website tracking settings helped to fix the issue So the question is - are there any official documentation about changes in cookie setting policy in Safari on iOS 18?

When our Safari Web Extension makes a api request from its background script (registered via "scripts" in manifest.json, e.g., "background": { "scripts": ["js/background.bundle.js"] }) to our authenticated API endpoint (https://api-domain/user), the Cookie header is not included in the request. This occurs only when the extension is running within a non-default Safari User Profile. This causes our API to treat the user as unauthenticated. The exact same extension code, manifest, and API call work correctly (Cookie header is present and user is authenticated) when the extension is running in the Default Safari User Profile.

I have tried to initialize service workers, but they only work in the WebView. When I open an iframe from that WebView, they do not function. Below is my implementation. Is this an issue because iOS does not support service workers in iframes? Please help me answer this. :man-bowing: self.addEventListener('install', event => { // Apply this service worker immediately self.skipWaiting(); }); const putInCache = async (request, response) => { const cache = await caches.open("v1"); await cache.put(request, response); }; const customCache = async ({ request, preloadResponsePromise }) => { }; self.addEventListener("fetch", (event) => { event.respondWith( customCache({ request: event.request, preloadResponsePromise: event.preloadResponse, }), ); });

Dears, We are facing some issue in ios 18.4.1. Recently some of our end users who updated their ios devices to 18.4.1 have experienced random 403 errors in runtime. as per our analysis, We identified that these errors are associated with "CSRF token mismatch". After successful login, the user's CSRF token is causing issue and it was changed in runtime, this causes the cookie mismatch, and the users is getting 403 errors, and the user session is getting invalid suddenly. let me know if anyone facing the same issue in ios 18.4.1 and let me know Is there any workaround for this issue. Thanks.

私たちはJavaアプリケーション開発者で、iPadOS上でのWebRTCによるカメラアクセスに関して、iPadOS 17.1での挙動について質問がございます。 具体的には、iPadOS 17.1でChromeブラウザを利用し、WKWebView API経由でカメラにアクセスしようとした際、エラーが発生し、カメラ撮影が実行できない現象が発生しております。弊社の調査では、WKWebView APIのnavigator.mediaDevicesプロパティを通じたデバイスアクセスが、Chromeで動作しない可能性が示唆されました。しかし、Safariブラウザでは正常に動作するため、Chromeに固有の制限があるのか、またはiPadOSの設定や仕様に起因するのか判断しかねております。 現在、iPadOS 17.1でのカメラアクセスに関するWKWebViewとWebRTCの仕様やChromeでの制約について、ご見解や解決策についてご教示いただけますと幸いです。 どうぞよろしくお願いいたします。

When I access my website through Safari, I see Deceptive Warning. My website has only html with no styles, just text and my contacts leading to github-like services. I also have an SSL certificate. At the same time, going through online ios emulators, there is no warning, I checked through different versions of ios. I sent many requests to websitereview, but personally I get such a warning.

Hello, I was going through the Apple Pay API documentation and noticed ambiguity on the exact process to complete merchant validation. One of the documentation mentions that the validation url will be Your server posts a request using mutual TLS (mTLS) by calling the Apple Pay server’s Payment Session endpoint. Endpoint (Global) POST https://apple-pay-gateway.apple.com/paymentservices/paymentSession Endpoint (China region) POST https://cn-apple-pay-gateway.apple.com/paymentservices/paymentSession Referencing the url: https://developer.apple.com/documentation/apple_pay_on_the_web/apple_pay_js_api/requesting_an_apple_pay_payment_session whereas the other references that the value should be used as provided by the onvalidatemerchant event object with the property validationURL. Refer: https://developer.apple.com/documentation/apple_pay_on_the_web/apple_pay_js_api/providing_merchant_validation Can someone confirm which is the correct approach to follow ?

There is no problem with the content display of each tab, but the tab bar is completely buggy. If you open 5 or more tabs and browse tabs after the 5, the first 4 tab bars will be completely blacked out, and you don't even know how many tabs you have. If you click on the place where the tab title probably exists, the tab is displayed as if the partial display of the tab bar has been restored. There is no problem with content display. But because it is unclear what tab is open, the browsing experience is at its lowest. If you switch to the tab after the 5th, the first 4 will return to the blackout state again. Of course, it is the latest software configuration at the moment. There is no shortage of memory at 24GB. I recently started developing a Safari extension with AppExtension, but is that due to it?

When user opens a new tab and loads a website, the declarativeNetRequest.getMatchedRules() returns nil and on reloading in the same tab it returns the URLs blocked. Is this an expected behaviour?

Hi, I’m seeking information about the HLS protocol version supported in Safari on macOS. The official documentation only provides details about iOS support. Is there an official document that addresses this? Best regards

When creating an AddtoCalendar (ics, google, yahoo, outlook) Safari detects tracking only for outlook.live and outlook.office via the url used to add an event to the online calendar. I would like to inform web users that if this option is activated and they want to add the event to their online outlook calendar, they will need to temporarily deactivate this security feature! Is it possible to detect this option in jsx? Would there be a solution, like requesting authorisation to locate on a website, to allow only this url or this site (outlook.live or outlook.office) for tracking? I'm obviously thinking of something simple for the web user: a button to click.

Since the transition to iOS 18.4, we have been having an issue where when loading an m3u8 file specified in the src attribute of a video tag in WKWebView, the ts file is loaded repeatedly. Are there any good ideas for this? Also, if there have been any changes to the specifications of WKWebView, we would appreciate it if you could let us know.

test

We are currently implementing the payment flow, and for handling payment details — including card entry and validation — we are utilizing a WKWebView. The webview securely loads the payment provider’s page, ensuring sensitive information such as card numbers are entered and validated directly within the web context. I’d like to clarify that this change has not yet been released to Production. As part of a feature enhancement to our existing payment flow, we are transitioning to a new payment vendor, SnapPay. While trying to load the SnapPay URL embedded within an iFrame in our iOS app, I observed the following error in the Xcode console. While this error may be generic, I wanted to highlight it: 825a18 - [pageProxyID=7, webPageID=8, PID=67346] WebPageProxy::didFailLoadForFrame: frameID=24, isMainFrame=0, domain=NSURLErrorDomain, code=-999 Upon investigating, we compared the headers from our existing payment URL and SnapPay's URL, and found that SnapPay includes the following Content-Security-Policy (CSP) header: Content-Security-Policy: frame-ancestors ... "Content-Security-Policy" value="default-src 'self'; script-src 'self' https://hcaptcha.com https://.hcaptcha.com https://code.jquery.com https://www.gstatic.com https://code.jquery.com/jquery-3.3.1.min.js https://test.lightbox.cardx.com/v1/lightbox.min.js https://www.ssa.gov/accessibility/andi/ https://c.evidon.com 'unsafe-inline' 'unsafe-eval'; style-src 'self' https://hcaptcha.com https://.hcaptcha.com https://fonts.googleapis.com/css https://stage.snappayglobal.com/Resource/ https://www.ssa.gov/accessibility/andi/andi.css 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' *.googleapis.com *.gstatic.com ; connect-src 'self' https://demo1.cditechnology.com https:; form-action https://hcaptcha.com https: 'self' *.ipg-online.com secure.bluepay.com https://test.api.lightbox.cardx.com https://3ds-acs.test.modirum.com/ https://demo1.cditechnology.com/; frame-ancestors https://snappaydirect-perf.fiserv.com 'self' file: https: http; frame-src .snappayglobal.com 'self' https://hcaptcha.com https://.hcaptcha.com https: https://www.google.com .ipg-online.com secure.bluepay.com https://.cardconnect.com https://test.api.lightbox.cardx.com/ https://test.lightbox.cardx.com https://paywithcardx.com/payment/auth.cgi securepayments.cardpointe.com *.cardpointe.com https://3ds-acs.test.modirum.com/ https://www.yokohamatire.com http://uat1-txt.ad.portal.texas.gov https://uat1-txt.ad.portal.texas.gov " After multiple working sessions with the SnapPay team, we were able to confirm that when they disable CSP or remove the frame-ancestors directive, the iFrame loads successfully within our app. However, SnapPay cannot change on their CSP. To enable the iFrame to load in the iOS app, we added the following line of code: webView.configuration.preferences.setValue(true, forKey: "allowFileAccessFromFileURLs"). This resolved the issue with loading the iFrame. Note: the file being loaded is a local .html file,. Before submitting this update to the App Store, I’d like to confirm whether this usage of allowFileAccessFromFileURLs is acceptable for App Store review. I wanted to confirm that with this change is there a security concern for WKWebview?

I'm porting to Safari a Chrome/Firefox Extension that makes use of declarativeNetRequest.updateDynamicRules to remove some HTTP headers from requests to a specific URL. This works mostly fine, except for some headers for which this is not allowed by WebKit, such as the Priority header (which is however served by Safari). An annoying corner-case I found is that of the Cookie header. When trying to remove it from the request by adding the following rule { id: <rule id>, priority: <rule priority>, action: { type: "modifyHeaders", requestHeaders: [{ "header": "Cookie", "operation": "remove" }] }, condition: { urlFilter: <my url>, resourceTypes: ["main_frame", "sub_frame"] } } nothing error is thrown, yet the Cookie header is still being sent. This rule however works for other headers, such as Referer. Changing "Cookie" for "cookie" does not help. Questions: Is there an alternative way of removing the Cookie header from the HTTP request? Is this just a bug in WebKit? Is there any way of removing "unsupported" headers such as Priority? Any help or references are appreciated. Edited: more specific description of the corner-case.

Safari Extension Error: “Non-persistent background content cannot listen to webRequest events.” after macOS 15.4 / Safari 18.4 Update We’re seeing the following error in the Safari Extensions tab after updating to macOS 15.4 and Safari 18.4: “Non-persistent background content cannot listen to webRequest events.” This error did not appear prior to the update, and we haven’t found any official documentation stating that webRequest API is no longer supported in Safari. In our extension (Manifest V3), we are using the webRequest.onHeadersReceived callback to intercept response headers and read updated cookies. While the functionality itself still works as expected. we’re able to access the response headers and this error is now shown in the Extension settings page. We are not seeing this issue in other browsers (Chrome, Firefox) using the same Manifest V3 setup. Is there any plan to deprecate webRequest support in Manifest V3 for Safari? We’d appreciate any clarification or guidance on how to handle this going forward.