My app Frax has long used a mechanism where a local webpage calls out to web-hosted content. In iOS 17.5+ (and iOS 18 beta) this has recently stopped working. The content fails to load, and the console log (running on iOS 17.6.1) contains: nw_application_id_create_self NECP_CLIENT_ACTION_GET_SIGNED_CLIENT_ID [80: Authentication error] Failed to resolve host network app id followed shortly by: Error acquiring assertion: <Error Domain=RBSServiceErrorDomain Code=1 "((target is not running or doesn't have entitlement com.apple.developer.web-browser-engine.rendering AND target is not running or doesn't have entitlement com.apple.developer.web-browser-engine.networking AND target is not running or doesn't have entitlement com.apple.developer.web-browser-engine.webcontent))" UserInfo={NSLocalizedFailureReason=((target is not running or doesn't have entitlement com.apple.developer.web-browser-engine.rendering AND target is not running or doesn't have entitlement com.apple.developer.web-browser-engine.networking AND target is not running or doesn't have entitlement com.apple.developer.web-browser-engine.webcontent))}> 0x128024480 - ProcessAssertion::acquireSync Failed to acquire RBS assertion 'XPCConnectionTerminationWatchdog' for process with PID=9736, error: (null) This same code has worked reliably for years, and continues to work properly under iOS 16 and earlier. But there are increasing reports of this new error showing up around the web. Nothing in recent iOS 17 release notes sheds any light on what might have changed, and all my efforts to troubleshoot or mitigate this issue have failed. Any help on how to solve or work around this would be greatly appreciated!

I have a small example project that ran on both the simulator and a connected iPhone but now it and all other projects are failing with the same error. I am using Xcode 16.0 on MacOS Sonoma 14.6.1., iPhone 11 with iOS 18. Thank you in advance. The error is: Failed to resolve host network app id to config: bundleID: com.apple.WebKit.Networking instance ID: Optional([_EXExtensionInstanceIdentifier: 1163B5D2-09D3-4704-9564-61099502138B]) WebContent process (0x114018680) took 1.375772 seconds to launch GPU process (0x1140a0630) took 1.228457 seconds to launch Networking process (0x114034d00) took 1.426249 seconds to launch 0x105820a20 - [pageProxyID=7, webPageID=8, PID=34786] WebPageProxy::didFailProvisionalLoadForFrame: frameID=1, isMainFrame=1, domain=NSURLErrorDomain, code=-1200, isMainFrame=1, willInternallyHandleFailure=0 Message from debugger: killed Below is the code from one of the examples: import UIKit import WebKit class ViewController: UIViewController { let webView: WKWebView = { let prefs = WKWebpagePreferences() prefs.allowsContentJavaScript = true let configuration = WKWebViewConfiguration() configuration.defaultWebpagePreferences = prefs let webView = WKWebView(frame: .zero, configuration: configuration) return webView }() override func viewDidLoad() { super.viewDidLoad() view.addSubview(webView) guard let url = URL(string: "https://google.com") else { return } webView.load(URLRequest(url: url)) //evaluate JavaScript DispatchQueue.main.asyncAfter(deadline: .now()+5){ self.webView.evaluateJavaScript("document.body.innerHTML") { result, error in guard let html = result as? String, error == nil else { return } print(html) } } } override func viewDidLayoutSubviews(){ super.viewDidLayoutSubviews() webView.frame = view.bounds } }

We're having trouble connecting to local area network websockets in Safari in the latest iOS26 Beta 3 (iPhone 14), both secure and unsecure. Code works < iOS26 & macOS, etc. -- Unsecure behaviour: need to call connectWebSocket() twice, establishes connection reliably. Calling connectWebSocket() once, will sometimes work, sometimes not. -- Secure behaviour: Error in debug console, even though the certificate has been accepted and the page is loaded as https. Error: WebSocket connection to 'wss://192.168.1.81/api/webSocket' failed: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “192.168.1.81”, which could put your confidential information at risk. -- let apiEndpoint = window.location.hostname; if (apiEndpoint == null || apiEndpoint == '') { apiEndpoint = "192.168.1.81"; } function connectWebSocket() { if (webSocket && webSocket.readyState == 1) { return; } if (webSocket) { webSocket.close(); } webSocket = new WebSocket( (window.location.protocol === 'https:' ? "wss://" : "ws://") + apiEndpoint + "/api/webSocket", ); webSocket.onerror = (error) => { console.log("WebSocket error", error); }; webSocket.onopen = () => { console.log("WebSocket connected"); webSocket.send("volume"); webSocket.send("isPlaying"); }; webSocket.onmessage = (event) => { const msg = event.data; if (!msg) return; if (msg.startsWith("volume")) { const volume = parseInt(msg.replace('volume:','')); const slider = document.getElementById("volumeSlider"); slider.value = volume; slider.style.background = `linear-gradient(to right, #007bff ${volume}%, white ${volume}%)`; } else if (msg.startsWith("isPlaying")) { const url = msg.replace('isPlaying:', ''); let matchedEntry = null; let coverToSelect = null; categories.forEach((category, catIdx) => { category.entries.forEach((entry, entryIdx) => { if (entry.url === url) { matchedEntry = entry; coverToSelect = document.querySelector(`.cover[category-idx="${catIdx}"][entry-idx="${entryIdx}"]`); } }); }); if (matchedEntry && coverToSelect) { selectCover(coverToSelect, true); showNowPlayingBar(matchedEntry); const top = coverToSelect.getBoundingClientRect().top + window.scrollY - 150; window.scrollTo({ top, behavior: 'smooth' }); } } }; webSocket.onclose = () => { console.log("WebSocket closed, retrying..."); setTimeout(connectWebSocket, 1000); }; } document.addEventListener("visibilitychange", () => { if (document.visibilityState === "visible") { connectWebSocket(); } }); connectWebSocket();

Hi, I am having issue with WebAssembly not able to load wasm file on Safari web extension. It is showing CompileError: Refused to create a WebAssembly object because 'unsafe-eval' or 'wasm-unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval'". It was working fine 2 month ago, my original CPS is "script-src 'self' 'unsafe-eval'". But now it is not accepting 'unsafe-eval', I also tried 'wasm-unsafe-eval' did not work. Is there any changes on Safari browser regarding the CSP for WebAssenbly? Please let me know what CPS value will work. Here is the example code on how I load the WebAssembly wasm file. fetch('test_wasm_lib.wasm') .then(response => { if (!response.ok) throw new Error('Network response was not ok'); return response.arrayBuffer(); }) .then(bytes => WebAssembly.instantiate(bytes)) .then(results => { // Use your WebAssembly instance here console.log('load wasm success') }) .catch(error => { console.error('Error loading WASM:', error); });

I have a working Apple Pay transaction page that works on Safari. But with the new ios 18 update and Apple Pay JS library. I see that a pop up sheet with the scannable code is shown on chrome browser. I tried that. Upon scanning the code with iPhone 15 pro max. The apple pay payment sheet is shown on the phone but with an error Service Unavailable. What do I have to do to make it work? What went wrong? I checked the logs and have no clue of what is failing.

When I download specific files (not limited to a single website), even if I find that the downloaded file size matches the original file size and the downloaded file size no longer changes, Safari still does not stop the download thread, but continues to wait indefinitely. This results in the Safari not terminating the download thread even after the file download is completed, making it impossible to complete the download; The file has not been landed and cannot be obtained. This prevents me from downloading some files. Please fix this problem. In addition, I found that in iOS 18.2, during the process of downloading files on Safari, the synchronization and backup flags appear in the upper right corner of the notification bar. I am not sure if this is an unexpected behavior, but the flag still lingers for a long time after manually canceling the download thread. (the download thread is waiting indefinitely) Feedback Number: [FB16124044]

Hi everyone, We’ve recently run into an issue with Apple Pay on the web and would appreciate some clarification. Background: Previously, we integrated Apple Pay without using the Apple Pay JS SDK. We relied on ApplePaySession.canMakePayments() to check availability, and it worked fine. After Apple announced support for browsers beyond Safari, we switched to the Apple Pay JS SDK. According to Apple’s documentation, we should now use applePayCapabilities() for capability checks in third-party browsers. Our current behavior: We implemented applePayCapabilities(). Initially, it was returning either paymentCredentialStatusUnknown or paymentCredentialsUnavailable. Based on those values, we displayed the Apple Pay button. The problem: About a week ago, on the same device/browser, applePayCapabilities() started returning applePayUnsupported. Setup: MacBook Pro 13-inch (M1, 2020), Google Chrome Version 136.0.7103.93. The Apple documentation says: “Don’t show an Apple Pay button or offer Apple Pay” when the result is applePayUnsupported. However, at the same time, canMakePayments() is returning true. This creates a direct conflict between the two recommendations: canMakePayments() → true ⇒ show the button. applePayCapabilities() → applePayUnsupported ⇒ don’t show the button. Question: What’s the correct approach here? Should we prioritize applePayCapabilities() and hide the button, or is it acceptable to continue relying only on canMakePayments() as the source of truth for showing Apple Pay? Any insights from others who’ve run into this contradiction would be very helpful. Thanks in advance!

Steps to Reproduce 1. Create a native UIViewController with a WKWebView, loading test-1.html (contains position:fixed header that displays correctly). 2. Push another UIViewController also with a WKWebView, this time loading test-2.html. 3. In test-2.html, tap into the to summon the on-screen keyboard. 4. Without calling blur(), perform an interactive swipe-back gesture to go back to the first view controller. 5. Observe that the fixed header in test-1.html is now offset downward by approximately the height of the keyboard and does not return to its original position. demo-link : https://bugs.webkit.org/attachment.cgi?id=476324

Summary: Content scripts injected via manifest continue to receive and respond to chrome.tabs.sendMessage() calls even after the user has navigated away from the original page, causing messages intended for the current tab to be handled by zombie contexts from previous pages. Environment: Safari/iOS Version: 18.5 Extension Manifest: Version 3 Expected Behavior: When a user navigates from Page A to Page B: Page A's content script context should be destroyed. chrome.tabs.sendMessage(currentTabId, message) should only reach Page B's content script Only Page B should be able to respond to action button clicks (or other background to content messages). Actual Behavior: When navigating from Page A to Page B: Page A's content script context persists as a "zombie". chrome.tabs.sendMessage(currentTabId, message) reaches zombie context instead of the Page B's one. Hence, it looks like the extension is broken because the content script does not respond to the background messages. Details: Tab ids are properly recognized by both background and content script The problem does not always occur; it occurs on random occasions. It's quite easy to have it reproduced. It can be reproduced easier if user clicks ext icon during site loading (before it fully loaded), triggering ActionClick (ext icon click) event and then sending a msg upon it to the content script Regardless of whether the content script is injected into the tab using manifest.json, registerContentScripts, or executeScript, the problem is still there Once the problem occurs, e.g. user is on macys.com but zombie injected content script believes it's google.com (a previous page), even refreshing the tab doesnt change anything - zombie context is still there (thinking it's still google.com) . Changing a domain to something completely different one could help though. Then going back to macys.com could still lead to the described issue. A zombie content script does not have access to the page's console function and others. Example communication Sending following message from the background to the content script using chrome.tabs.sendMessage() { "tab": { "id": 155, "active": true, "url": "https://www.macys.com/", "title": "Macys.com" } } Results in the content-script zombie context response (the url is taken from the window.location.href) "message": { "type": "ActionClicked", "data": {} }, "response": { "data": { "windowUrl": "https://www.google.com/", "contentReached": true, "timestamp": "1,753,138,945,272", } } }

I am posting here because we have an urgent issue affecting the operation of our service and are in need of a solution after our own analysis has come up with few answers. Beginning in iOS 18.2.x, we experienced exactly the same issue as the author of this thread, as we are also operating a service that allows for device certificate login for users configured to require one: https://developer.apple.com/forums/thread/767374 The author seems to have resolved the issue but the fix mentioned in the thread did not resolve our problem for iOS devices with iOS 18.2.x installed and the contents of that private support ticket are, of course, not visible to us. Furthermore, we have a different issue that surfaced with the release of iOS 18.3.x. Namely, the issue in iOS 18.3.x is more severe than the one in iOS 18.2.x, in that instead of simply taking a long time for the certificate/identity selection dialog to appear, it simply fails immediately and is returning a “no certificate selected” response to our server. One thing to note here is that, curiously, if we wait for several seconds (about 10-15 seconds) this behavior is not replicated. So, it seems there is potentially something going in the background, and the certificate selection process will only occur successfully like before if we wait. This is a very unideal workaround. After entering user credentials, we have the user navigate to a dedicated certificate authentication page. On the BIG IP side, upon users visiting this page, we have it configured to apply an SSL profile that contains appropriate CAs for the given user, and then requests to the browser that a new connection requiring a certificate be made. We are investigating this by checking logs in in a variety of places: We can verify in BigIP logs that a response is being returned to the server without a certificate included. For the sake of our application, this is handled as a “user did not select a certificate” event, and thus the attempted login is failed. Using the MacOS “Console” application, we are able to see the following logs from the “trustd” process of the target iOS 18.3.x device: Failure case: debug 11:19:49.648581+0900 trustd XPC [com.apple.WebKit[1034]/1#25 LF=0] operation: trust_evaluate (8) debug 11:19:49.648766+0900 trustd complex trust settings anchor Successful case (after waiting 10-15 seconds after initial login page load/before moving to certificate page): debug 11:26:02.803153+0900 trustd XPC [MobileSafari[1031]/1#169 LF=0] operation: trust_evaluate (8) debug 11:26:02.804219+0900 trustd non ev score: 121 <private> There appears to be no attempt by MobileSafari to initiate the display of a certificate selection window in the failure cases. The iOS device is swift to return a response with no certificate selected to Big IP, and the result of “no certificate selected” is thus propagated through Big IP and ultimately to our web service. Does anyone have any advice or information on the following? Recommended tools to gather more data that may be pertinent. Any ideas on changes in iOS 18.2.x+ that could have resulted in the behavior changing as described above? If more information is necessary, I will do my best to supply it. Thank you in advance!

Subject: Apple Pay JS - "Payment Was Cancelled by the User" Issue (Braintree + Server-Side Validation) Issue I am implementing Apple Pay using Braintree with server-side validation. However, when initiating the payment process, I receive the following error: [Log] Payment was cancelled by the user: (apple-pay-test-ucxp.onrender.com, line 286) Additionally, the console logs an ApplePayCancelEvent with: sessionError: {code: "unknown", info: {}} Despite successfully fetching merchant session validation data from the backend and completing merchant validation, the payment process does not proceed. Setup Details Payment Processor: Braintree (Apple Pay integration) Backend API: Fetching merchant session validation via createPaymentSessionGet Payment Processing: Using Braintree nonce tokenization Client-Side Code (Key Sections) session.onvalidatemerchant = async (event) => { try { const merchantSession = await fetch( "https://api.paybito.com:9443/ApplePay/api/apple-pay/createPaymentSessionGet", { method: "GET", headers: { "Content-Type": "application/json" }, } ).then((res) => res.json()); session.completeMerchantValidation(merchantSession); } catch (err) { console.error("Merchant validation failed:", err); session.abort(); } }; session.onpaymentauthorized = async (event) => { try { const payload = await applePayInstance.tokenize({ token: event.payment.token, }); const response = await fetch( "https://api.paybito.com:9443/ApplePay/api/braintree/process-payment", { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ nonce: payload.nonce }), } ).then((res) => res.json()); if (response.success) { session.completePayment(ApplePaySession.STATUS_SUCCESS); } else { session.completePayment(ApplePaySession.STATUS_FAILURE); } } catch (err) { console.error("Payment authorization failed:", err); session.completePayment(ApplePaySession.STATUS_FAILURE); } }; Observations Merchant validation completes successfully. The error occurs before onpaymentauthorized executes. Session error code is unknown, making debugging difficult. Questions Has anyone encountered this issue before? Could this be related to how the validation session is fetched from the backend? Is there a way to obtain more meaningful debug information from Apple Pay? Any insights would be greatly appreciated!

Hi everyone, I’m encountering a critical reliability issue with message passing in my Safari Web Extension on iOS 18.4.1 and iOS 18.5. In my extension, I’m using the standard messaging API. The background script sends a message to the content script using browser.tabs.sendMessage(...), and the content script registers a listener via: browser.runtime.onMessage.addListener(handler); This setup has been working reliably in all prior versions of iOS. However, after updating to iOS 18.4.1 and 18.5, I’ve noticed the following behavior: ✅ The content script is successfully injected, and onMessage.addListener is registered (I see logging confirming this). ✅ The background script sends the message using the correct tabId (also confirmed via logs). ❌ The content script’s onMessage listener is not consistently triggered. ⚠️ This issue is intermittent, sometimes the message is received, sometimes it is silently dropped. ❌ No exceptions or errors are thrown in either script, the message appears to be sent, but not picked up from the content script message listener.

Background On iOS 18.4 beta, setting a content inset on a WKWebView causes touch events inside the web view to be offset by the content inset amount. In other words, if the web view has a top content inset of 75 points, I must tap 75 points above the intended element for the touch to register correctly. This makes any web content unusable when a content inset is present. A sample app demonstrating the issue is available here: GitHub - iOS18.4-Webview-Bug. The issue does not occur in iOS 18.3 or 18.2. Bug Report The bug has been reported and fixed at WebKit Bug 289715 and also filed as rdar://147075945. Question Will the fix be included in the upcoming iOS 18.4 beta release (Beta 5) or soon thereafter?

Hi Folks, do you know what happend with the "shape detection API" feature flag on Safari 18.X (IOs 18.X)?... in previous versions (17.X) i enabled the "shape detection API" feature flag and was able to detect codes like mentioned here... https://developer.mozilla.org/en-US/docs/Web/API/Barcode_Detection_API#browser_compatibility I built a PWA (Service Worker) with Angular 18 and facing this issue immediately after updating to IOS 18.0 (I enabled/disabled the flag, restartet the device several times... no success at all) Do you have an Idea what changed or how i can enable that feature again? Thx a lot in advance.. Cheers Martin

Safari 26 close and Refresh buttons not working in Compact tab layout

When configuring a Per-App VPN payload with 250+ Safari domains under a managed app, the VPN does not trigger for the other managed apps(like chrome etc). However, the same VPN successfully starts and works when used with Safari. Reducing the number of Safari domains in the VPN payload resolves the issue, allowing the VPN to trigger for the managed app as expected. Has anyone else faced this issue, and what's the workaround for it?

We enabled WebGPU feature flag on Safari on iOS 18.2. This does give Safari an access to GPU but WKWebView still doesn't have GPU access. Can WKWebView not access GPU through Safari feature flag? Is there some other mechanism through which we can enable GPU access for WKWebView? We are testing gpu access by loading : https://webgpureport.org/ Regards Saalis Umer Microsoft Safari Feature Flag - webgpu = true Safari GPU Access: WKWebView GPU Access:

I don't think the issue is specific iOS 18. We have a web application that runs with IIS Authentication of Windows and Anonymous. Initially the app opens and the user clicks a button and triggers the "401 Challenge" via ASP.NET. The browser presents the Active Directory login, user enters credentials, clicks Sign In, and the browser hangs (may actually be negotiating something). After a few minutes the user is logged into the application. We have done a number of google searches/AI to try to determine what to change and there is no clear solution. Is there anything else to try? This problem is not seen in Chrome on iOS or on a Windows machine. Strangely it is also not seen using BrowserStack with one of their "real" devices. We have other apps that run with just Windows Authorization and this problem is not observed.

Our app encountered a new crash since beta5(23A5308g) released last week,and it seems the crash is not solved yet in beta6(23A5318c).The crash stack below `-[UIView _backing_setPosition:] -[UIView setCenter:] -[_UIEditMenuContentPresentation _displayPreparedMenu:titleView:reason:didDismissMenu:configuration:] ___54-[_UIEditMenuContentPresentation _displayMenu:reason:]_block_invoke -[UIEditMenuInteraction _editMenuPresentation:preparedMenuForDisplay:completion:] -[_UIEditMenuContentPresentation _displayMenu:reason:] -[_UIEditMenuContentPresentation displayMenu:configuration:] ___58-[UIEditMenuInteraction presentEditMenuWithConfiguration:]_block_invoke ___80-[UIEditMenuInteraction _prepareMenuAtLocation:configuration:completionHandler:]_block_invoke ___109-[UITextContextMenuInteraction _editMenuInteraction:menuForConfiguration:suggestedActions:completionHandler:]_block_invoke ___107-[UITextContextMenuInteraction _querySelectionCommandsForConfiguration:suggestedActions:completionHandler:]_block_invoke ***::CompletionHandler<void (WebKit::DocumentEditingContext&&)>::operator()(WebKit::DocumentEditingContext&&) ***::Detail::CallableWrapper<IPC::Connection::makeAsyncReplyCompletionHandler<Messages::WebPage::RequestDocumentEditingContext, ***::CompletionHandler<void (WebKit::DocumentEditingContext&&)> >(***::CompletionHandler<void (WebKit::DocumentEditingContext&&)>&&, ***::ThreadLikeAssertion)::{lambda(IPC::Connection*, IPC::Decoder*)#1}, void, IPC::Connection*, IPC::Decoder*>::call(IPC::Connection*, IPC::Decoder*) ***::Detail::CallableWrapper<WebKit::AuxiliaryProcessProxy::sendMessage(***::UniqueRefIPC::Encoder&&, ***::OptionSetIPC::SendOption, std::__1::optionalIPC::ConnectionAsyncReplyHandler, WebKit::AuxiliaryProcessProxy::ShouldStartProcessThrottlerActivity)::$_1, void, IPC::Connection*, IPC::Decoder*>::call(IPC::Connection*, IPC::Decoder*) IPC::Connection::dispatchMessage(***::UniqueRefIPC::Decoder) IPC::Connection::dispatchIncomingMessages() ***::RunLoop::performWork() ***::RunLoop::performWork(void*) _CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION ___CFRunLoopDoSource0 ___CFRunLoopDoSources0 ___CFRunLoopRun __CFRunLoopRunSpecificWithOptions _GSEventRunModal -[UIApplication _run] _UIApplicationMain main main.m start

Is ServiceWorker supported on WKWebView? As per Mozilla Developer Network(MDN Web) docs[1] its not supported, but our research shows that ServiceWorker becomes available for a domain in WKWebView 1) if the domain is allowlisted in app-bound domains[2] or 2) if app is registered as default browser(this can not be considered for our app as its not a browser). How to enable ServiceWorker on WKWebView? Is adding domain as app-bound domain the right/only way to enable ServiceWorker on WKWebView? We didn't find any official documentation about this. Can WebView get ServiceWorker support by default without enabling app bound domains since that is not an option for our app? Our app needs to support more than 10 domains. Powerful APIs such as JavaScript injection, cookie manipulation, event handlers are by default available to all domains/WebView instances even if App doesn't enable app-bound domains. Is it possible to do same for ServiceWorker? If ServiceWorker can not be supported by default then can Apple provide a feature by which ServiceWorker will be enabled in App for all the domains? Apple enforces maximum of 10 app-bound domains. Is it possible to remove this limit and provide a way to dynamically add to this list at the time of a request? [1] https://developer.mozilla.org/en-US/docs/Web/API/ServiceWorker#browser_compatibility [2] https://webkit.org/blog/10882/app-bound-domains/