I have a Safari extension that plays audio via the javascript AudioContext API. It was working fine under iOS 17 and is now broken under iOS 18. It does not play audio at all. I've tried in both the iOS 18 public beta and the iOS 18.1 developer beta. It is broken in both of them. I've also created Feedback item FB15170620 which has a url attached to a page I created which demonstrates the issue.

It seems Safari 18's fetch() does not include credentials even credentials: include and safari extension has host_permissions for that domain. Is there anyone has this problem? I try to request in popup.js like this: const response = await fetch( url, { method: 'GET', mode: 'cors', credentials: 'include', referrerPolicy: 'no-referrer', } ); and it does not include the cookie from host_permissions. Those code worked in Safari 17 (macOS Sonoma).

We're developing a service that requires webtransport support in the browser. Currently, the only browser that doesn't provide support is the IOS version of Safari. Our current way forward for client use is to flag iphone and ipad as non compliant and recommend either desktop use or android. Is there any ballpark date as to when WebTransport will be included in IOS Safari (- webkit supports webtransport)?

We are encountering an issue where the Safari extension we are developing stops working while in use on relatively new iOS versions (confirmed on 17.5.1, 17.6.1, and 18). Upon checking the Safari console, the content script is displayed in the extension script, so the background script or Service Worker must be stopping. The time until it stops is about 1 minute on 17.5.1 and about one day on 17.6.1 or 18. When it stops, we would like to find a way to restart the Service Worker from the extension side, but we have not found a method to do so yet. To restart the extension, the user needs to turn off the corresponding extension in the iPhone settings and then turn it back on. As mentioned in the following thread, it is written that the above bug was fixed in 17.6, but we recognize that it has not been fixed. https://forums.developer.apple.com/forums/thread/758346 On 17.5.1, adding the following process to the background script prevents it from stopping for about the same time as on 17.6 and above. // Will be passed into runtime.onConnect for processes that are listening for the connection event const INTERNAL_STAYALIVE_PORT = "port.connect"; // Try wake up every 9S const INTERVAL_WAKE_UP = 9000; // Alive port var alivePort = null; // Call the function at SW(service worker) start StayAlive(); async function StayAlive() { var wakeup = setInterval(() => { if (alivePort == null) { alivePort = browser.runtime.connect({ name: INTERNAL_STAYALIVE_PORT }); alivePort.onDisconnect.addListener((p) => { alivePort = null; }); } if (alivePort) { alivePort.postMessage({ content: "ping" }); } }, INTERVAL_WAKE_UP); } Additionally, we considered methods to revive the Service Worker when it stops, which are listed below. None of the methods listed below resolved the issue. ① Implemented a process to create a connection again if the return value of sendMessage is null. The determination of whether the Service Worker has stopped is made by sending a message from the content script to the background script and checking whether the message return value is null as follows. sendMessageToBackground.js let infoFromBackground = await browser.runtime.sendMessage(sendParam); if (!infoFromBackground) { // If infoFromBackground is null, Service Worker should have stopped. browser.runtime.connect({name: 'reconnect'}); // ← reconnection process // Sending message again infoFromBackground = await browser.runtime.sendMessage(sendParam); } return infoFromBackground.message; Background script browser.runtime.onConnect.addListener((port) => { if (port.name !== 'reconnect') return; port.onMessage.addListener(async (request, sender, sendResponse) => { sendResponse({ response: "response form background", message: "reconnect.", }); }); ② Verified whether the service worker could be restarted by regenerating Background.js and content.js. sendMessageToBackground.js export async function sendMessageToBackground(sendParam) { let infoFromBackground = await browser.runtime.sendMessage(sendParam); if (!infoFromBackground) { executeContentScript(); // ← executeScript infoFromBackground = await browser.runtime.sendMessage(sendParam); } return infoFromBackground.message; } async function executeContentScript() { browser.webNavigation.onDOMContentLoaded.addListener((details) => { browser.scripting.executeScript({ target: { tabId: details.tabId }, files: ["./content.js"] }); }); } However, browser.webNavigation.onDOMContentLoaded.addListener was not executed due to the following error. @webkit-masked-url://hidden/:2:58295 @webkit-masked-url://hidden/:2:58539 @webkit-masked-url://hidden/:2:58539 ③ Verify that ServiceWorker restarts by updating ContentScripts async function updateContentScripts() { try { const scripts = await browser.scripting.getRegisteredContentScripts(); const scriptIds = scripts.map(script => script.id); await browser.scripting.updateContentScripts(scriptIds);//update content } catch (e) { await errorLogger(e.stack); } } However, scripting.getRegisteredContentScripts was not executed due to the same error as in 2. @webkit-masked-url://hidden/:2:58359 @webkit-masked-url://hidden/:2:58456 @webkit-masked-url://hidden/:2:58456 @webkit-masked-url://hidden/:2:58549 @webkit-masked-url://hidden/:2:58549 These are the methods we have considered. If anyone knows a solution, please let us know.

Since iOS 18.1 launched as a beta, we've been getting reports from end users on iPhone 15 Pro and iPhone 15 Pro Max specifically. They're reporting that our WebView is unable to load our local HTML content. I'm curious if anyone else has had their app or users run into this issue? So far I've tried installing the most recent XCode Beta 16B5014f and installed an 18.1 emulator, but our app worked fine. It's also working fine on all my real devices, but we don't have a 15 Pro to test on. I'm curious if this is related to the processor on these devices and how they are intended to support Apple's new AI coming in 18.1.

This is my first time to post on this forum. If there are something we didn't notice, please tell me. Thanks. Background We're using canvas to provide a web component to marketing. https://demo.mescius.jp/spreadjs/BenchmarkSample/ Problem Recently we have met an issue from customer. He is using iPad 10th to access the web component but when he tries to scroll it and it's very slow on iPad 10th. His iPad OS version is 17.7 and this issue also can be reproduced on our iPad 10th with iPad OS 18.0.1. But if we use iPad 9th with iPad OS 17.7 and 18.0.1, things are fine and there isn't any performance issue. We developer took some time investigating and found it's because of iPad 10th's safari takes longer time to paint each frame. On iPad 9th, it needs nearly 10ms to paint each frame. But on iPad 10, it needs nearly 70ms to paint each frame. Also we can provide simple code for you to check the different. We tried to simulate the repaint when user is scrolling. You can see on iPad 9th, it will be 2~3ms but on iPad 10th, it will be more than 10ms for each frame. test-ipad10.html It has been happening on iPad 10th only with iPad OS 17.6/17.7/18.0. This will be a big problem for us because it means on the iPad 10th (the latest iPad, non Pro or Air), it can't be used. Question Is there anyone knowing similar issue with this one? And do you know how to solve it on iPad 10?

Hello everyone, I'm working on an app that uses WKWebView. My app uses a custom menu and we disable the default menu by overriding with: WKWebAction.canPerformAction() However, with the new iOS 18.2 release, I am no longer able to override the "Copy Link with Highlight" option that pops up when highlighting a selection as can be seen from the screenshot: Has anyone found a work around/bypass for this? Environment iOS Version: iOS 18.2 Device: iPhone 13 Pro App platform: iOS Xcode version: 16.1 MacOS: 14.5

Hello, I'm using Safari 18.2 on Sonoma 14.6.1. I was using the Developer Tools to do a Local Request Override in the Source tab for a CSS file that had a changing query string. I thought I had a good regular expression to catch all variants, but apparently it was too generic and possibly wrong, and made both Source and Network tabs no longer work in my Safari. The regular expression I entered for the Local Request Override was: //build/style.css(?.*)?$ Now my dev tools is broken to the extent that the Source and Network tabs no longer work. The slide-out panel on Source that shows Breakpoints, LocalOverrides, etc no longer shows. The toggle for it does, but does nothing now. UI in general looks a little wack on both tabs. So, since I can't turn off the Local Request Override, I've been trying to locate where Safari may have stored it to manually delete it. Not having a lot of luck on that front. It seems to me that Safari was unable to escape my regular expression correctly and it then causes additional issue. Just a guess though. Any advice or help in getting Safari Source & Network working again / manual removal of the LocalOverride would be greatly appreciated. I'm fluent in OSX and Linux, but grep was not much help surfacing anything that worked. Thanks in Advance, possibly a Safari bug as well.

Is ServiceWorker supported on WKWebView? As per Mozilla Developer Network(MDN Web) docs[1] its not supported, but our research shows that ServiceWorker becomes available for a domain in WKWebView 1) if the domain is allowlisted in app-bound domains[2] or 2) if app is registered as default browser(this can not be considered for our app as its not a browser). How to enable ServiceWorker on WKWebView? Is adding domain as app-bound domain the right/only way to enable ServiceWorker on WKWebView? We didn't find any official documentation about this. Can WebView get ServiceWorker support by default without enabling app bound domains since that is not an option for our app? Our app needs to support more than 10 domains. Powerful APIs such as JavaScript injection, cookie manipulation, event handlers are by default available to all domains/WebView instances even if App doesn't enable app-bound domains. Is it possible to do same for ServiceWorker? If ServiceWorker can not be supported by default then can Apple provide a feature by which ServiceWorker will be enabled in App for all the domains? Apple enforces maximum of 10 app-bound domains. Is it possible to remove this limit and provide a way to dynamically add to this list at the time of a request? [1] https://developer.mozilla.org/en-US/docs/Web/API/ServiceWorker#browser_compatibility [2] https://webkit.org/blog/10882/app-bound-domains/

There does not appear to be any way to use or create iCloud passkeys with a Safari Web Extension, either using the navigator.credentials API in an extension origin webpage such as the popover, or using the AuthenticationServices framework in the SafariWebExtensionHandler. I've setup an associated domain for my plugin, and I know it works for the host application. But I get errors trying to do so in the web extension target. createCredentialRegistrationRequests results in the following error: Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "Application with identifier <ID> is not associated with domain <RPID> The other problem, assuming the entitlement works correctly for the web extension, is that there is no NSWindow to use as the presentation target from the SafariWebExtensionHandler. Trying to use the navigator.credentials.create JS API (which is the preferred method, frankly, in a web extension) results in the following error: NotAllowedError: The request is not allowed by the user agent or the platform in the current context, possibly because the user denied permission. Chrome has a great solution for this that I believe should be adopted by Safari. If an extension has host permissions for a relying party it wants to claim, or if it has an associated domain entitlement for it, webauthn operations should be allowed.

I develop a tab manager extension: https://apps.apple.com/ua/app/tab-finder-for-safari/id6741719894 It's written purely in Swift. All Safari interactions are done solely inside a SFSafariExtensionHandler . But now i'm considering adding some features from Google Chrome's Extension API like window switching. Is it possible to add a background.js worker to my existing Safari App Extension to have access to the beginRequest method override inside SFSafariExtensionHandler? Without converting my extension from Safari App Extension to Safari Web Extenion?

I want to migrate from a Safari App Extension to a Safari Web Extension, but don't know how to get rid of the message, telling users that my extension can access their passwords. Here is a message which I see: I was thinking that this might be because all Safari Web Extension get this type of access, but I have a Safari Web Extension which does not require such level of access: Here is the manifest: { "manifest_version": 2, "default_locale": "en", "name": "__MSG_extension_name__", "description": "__MSG_extension_description__", "version": "1.1", "icons": { "48": "images/icon-48.png" }, "background": { "scripts": [ "background.js" ], "persistent": true }, "browser_action": { "default_popup": "popup.html", "default_icon": { "16": "images/toolbar-icon-16.png" } }, "permissions": [ "nativeMessaging", "tabs" ] } and here is the Info.plist file: Here is the entire code of the extension: https://github.com/kopyl/web-extension-simplified

(1) Context: Our project has a login feature via WEBVIEW (using SFSafariViewController) and integrates PassKey on the Web side. The app listens for a successful login by capturing the redirect URL via the delegate of SFSafariViewController. (2) Issue: On iOS &lt; 18.4: The redirect URL is captured with full parameters returned. https://xyz.com/home?session_state=...&amp;code=... On iOS ≥ 18.4: The redirect URL is captured successfully but missing parameters. https://xyz.com/home We currently suspect that the issue originates from the SFSafariViewController framework after the release of iOS 18.4. Has anyone experienced a similar issue? We would also appreciate support from the Apple team.

"The Referer header allows a server to identify referring pages that people are visiting from or where requested resources are being used. " This header is never forwarded to server when the user is browsing the website in a WebView. This is properly maintained by other browsers but not in-app. How do I include it?

使用direct distribution进行分发时，safari web extension 在safari setting 中显示没有权限读取、修改或传输任何网页的内容。 但是我在看公证日志显示插件是正常的公证的 这导致safari extension 无法使用。 公证日志 https://www.coupert.com/img/2025-04-10/notarization-log.json

Safari Extension Error: “Non-persistent background content cannot listen to webRequest events.” after macOS 15.4 / Safari 18.4 Update We’re seeing the following error in the Safari Extensions tab after updating to macOS 15.4 and Safari 18.4: “Non-persistent background content cannot listen to webRequest events.” This error did not appear prior to the update, and we haven’t found any official documentation stating that webRequest API is no longer supported in Safari. In our extension (Manifest V3), we are using the webRequest.onHeadersReceived callback to intercept response headers and read updated cookies. While the functionality itself still works as expected. we’re able to access the response headers and this error is now shown in the Extension settings page. We are not seeing this issue in other browsers (Chrome, Firefox) using the same Manifest V3 setup. Is there any plan to deprecate webRequest support in Manifest V3 for Safari? We’d appreciate any clarification or guidance on how to handle this going forward.

Howdy, WKWebView feature request: allow Fullscreen API without User Gestures similar to ElectronJS' userGesture: true flag that allows devs to bypass user gesture restriction for Fullscreen API and similar executeJavaScript(code[, userGesture]) https://www.electronjs.org/docs/latest/api/web-contents#contentsexecutejavascriptcode-usergesture afaik this is allowed because of a fairly recent update to Chromium that also allows users to give Fullscreen API permissions per domain https://chromeos.dev/en/posts/using-the-fullscreen-api-without-gestures Would be greatly useful for a use case in my cross-platform app, so I can avoid rewriting all platforms to use Chromium Thanks

I'm running apache with following configuration. /cc require TLS client certificate / not require TLS client certificate Starting with ios 18.4, accessing /cc after / fails with following error: AH02261: Re-negotiation handshake failed, referer: https://www.example.com/... SSL Library Error: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate -- No CAs known to server for verification? It seems like ios 18.4 does not support TLS re-negotiation. (It worked with ios 18.3 and before) Is this an expected behavior or a bug?

"We have a multi-tenant EdTech platform serving over 1500 clients, each with a unique domain (e.g., client1.eduapp.com). We use WKWebView in a native shell. Due to WKAppBoundDomains restriction, we can't dynamically list all domains. How can we support dynamic tenants while maintaining cookie persistence" "Can Apple suggest a best practice or alternative approach for apps using WebView/PWA shell architecture across multiple client domains?" Problem: We cannot predefine all 1500 domains in WKAppBoundDomains due to limitations. As a result: Service workers fail to register, breaking PWA functionality Ex: Offline.

Hi all, I'm currently working with WKWebView and implementing the WKNavigationDelegate protocol. In particular, I'm trying to inspect the sourceFrame of a WKNavigationAction to make navigation policy decisions based on the frame's URL path. Here's the relevant Swift code inside decidePolicyFor: public func webView(_ webView: WKWebView, decidePolicyFor navigationAction: WKNavigationAction, preferences: WKWebpagePreferences, decisionHandler: @escaping (WKNavigationActionPolicy, WKWebpagePreferences) -> Void) { // ... let sourceFrame: WKFrameInfo = navigationAction.sourceFrame let request: URLRequest = sourceFrame.request // <- SIGABRT occurs here // ... } The issue is that the app crashes with a SIGABRT at runtime when attempting to access sourceFrame.request. According to Swift's type system, neither sourceFrame nor its request property are optional, so at first glance this seems safe. However, the crash report suggests otherwise. From the crash log, it appears that the issue arises during the bridging from Objective-C to Swift: Thread 1 Queue : com.apple.main-thread (serial) #0 0x00000001a127a030 in static Foundation.URLRequest._unconditionallyBridgeFromObjectiveC(Swift.Optional<__C.NSURLRequest>) -> Foundation.URLRequest () #1 0x00000001056c48b0 in CustomWebViewController.webView(_:decidePolicyFor:preferences:decisionHandler:) #2 0x00000001056c4c78 in @objc CustomWebViewController.webView(_:decidePolicyFor:preferences:decisionHandler:) () #3 0x00000001b8c66e0c in WebKit::NavigationState::NavigationClient::decidePolicyForNavigationAction () #4 0x00000001b8fd14dc in WebKit::WebPageProxy::decidePolicyForNavigationAction () #5 0x00000001b8fcfc7c in WebKit::WebPageProxy::decidePolicyForNavigationActionAsyncShared () #6 0x00000001b8fcfb18 in WebKit::WebPageProxy::decidePolicyForNavigationActionAsync () #7 0x00000001b87ddaa0 in WebKit::WebPageProxy::didReceiveMessage () #8 0x00000001b869f474 in IPC::MessageReceiverMap::dispatchMessage () #9 0x00000001b878dda4 in WebKit::WebProcessProxy::dispatchMessage () #10 0x00000001b878d614 in WebKit::WebProcessProxy::didReceiveMessage () #11 0x00000001b869e7e4 in IPC::Connection::dispatchMessage () #12 0x00000001b869e358 in IPC::Connection::dispatchIncomingMessages () #13 0x00000001b9a96a44 in WTF::RunLoop::performWork () #14 0x00000001b9a96688 in WTF::RunLoop::performWork () #15 0x00000001a2428b9c in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ () #16 0x00000001a24289b4 in __CFRunLoopDoSource0 () #17 0x00000001a2428810 in __CFRunLoopDoSources0 () #18 0x00000001a2429190 in __CFRunLoopRun () #19 0x00000001a242ad4c in CFRunLoopRunSpecific () #20 0x00000001ef705454 in GSEventRunModal () #21 0x00000001a4e45890 in -[UIApplication _run] () #22 0x00000001a4e10cec in UIApplicationMain () #23 0x00000001a4ef261c in ___lldb_unnamed_symbol275689 () #24 0x00000001059a5104 in static UIApplicationDelegate.main() () #25 0x00000001059a5074 in static AppDelegate.$main() () #26 0x00000001059a82ec in main () #27 0x00000001c940af0c in start () This implies that while Swift treats sourceFrame.request as non-optional, the underlying Objective-C implementation may actually return nil—leading to a crash when the non-optional Swift type attempts to force unwrap it. My question: Is there a way to safely access navigationAction.sourceFrame.request —- or determine if it’s nil—before Swift attempts the implicit bridging from Objective-C? Or is there an established workaround for safely inspecting this property? Any guidance or best practices for avoiding this crash would be greatly appreciated! Thanks in advance.