There is no plus button ![](" https://developer.apple.com/kr/forums/content/attachment/4c286784-7329-4e31-a5b1-8dd0c9aaf9ad" "title=test.png;width=2330;height=982")

We have written a PAC script that blocklists certain domains and whitelists others. We went to Settings > Network > Wi-Fi (the network we are using), then clicked on Details, and under Proxies, we added the PAC file URL in the Automatic Proxy Configuration section. We tried hosting the PAC file both on localhost and on a separate HTTP server. After saving the settings, we tested several URLs. The blocking and allowing behavior works correctly in all browsers except Safari. Below is the PAC script we are using for your reference. The script works as expected in browsers other than Safari. This is how the PAC script URL looks: http://localhost:31290/proxy.pac function FindProxyForURL(url, host) { var blacklist = new Set(["facebook.com", "deepseek.com"]); var b_list = [...blacklist]; for (let i = 0; i < b_list.length; i++) { let ele = b_list[i] + "*"; if (shExpMatch(host, ele) || shExpMatch(url, ele)) { return "PROXY localhost:8086"; } } if (isIPBlocked(whitelist_subnet, hostIP)) { return "PROXY localhost:8087"; } if (isIPBlocked(blacklist_subnet, hostIP)) { return "PROXY localhost:8086"; } return "PROXY localhost:8080"; }

Our app, VitalSource Bookshelf, is an EPUB reader that uses a WKWebView to display book content. The EPUB content format is XHTML and uses namespaces (for the epub:type declaration). On beta 4, the webkit process repeatedly crashes when loading our content. The crash appears to be in the XML parser. Here's what's at the top of the stack trace: 0 WebCore 0x19166a878 WebCore::XMLDocumentParser::startElementNs(unsigned char const*, unsigned char const*, unsigned char const*, int, unsigned char const**, int, int, unsigned char const**) + 4968 1 libxml2.2.dylib 0x19c5a2bd0 xmlParseStartTag2 + 3940 2 libxml2.2.dylib 0x19c59e730 xmlParseTryOrFinish + 2984 3 libxml2.2.dylib 0x19c59d8e4 xmlParseChunk + 708 4 WebCore 0x191668ec8 WebCore::XMLDocumentParser::doWrite(WTF::String const&) + 636 5 WebCore 0x191665b78 WebCore::XMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl, WTF::RawPtrTraits<WTF::StringImpl>, WTF::DefaultRefDerefTraits<WTF::StringImpl>>&&) + 304 6 WebCore 0x190105db0 WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter&, std::__1::span<unsigned char const, 18446744073709551615ul>) + 268 7 WebCore 0x190861c3c WebCore::DocumentLoader::commitData(WebCore::SharedBuffer const&) + 1488 8 WebKit 0x18e07ca3c WebKit::WebLocalFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, WebCore::SharedBuffer const&) + 52 9 WebCore 0x190869db4 WebCore::DocumentLoader::commitLoad(WebCore::SharedBuffer const&) + 228 10 WebCore 0x1909521e4 WebCore::CachedRawResource::notifyClientsDataWasReceived(WebCore::SharedBuffer const&) + 268 I was able to reproduce this in Safari on beta 4 just by opening the following trivial xhtml file from the file system - it does the same thing it does in our app, which is reloads and crashes several times, followed by the "A problem repeatedly occurred with..." error message. <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:epub="http://www.idpf.org/2007/ops" epub:prefix="vst: http://vitalsource.com/"><head></head><body class="dash" epub:type="chapter" data-begin-o="0" data-begin-o2="0" data-begin-o3="0" data-o="0" id="eid1844" data-end-o="14703" data-end-o2="14703" data-end-o3="14703"><h2 class="title" data-o="0" id="eid1845" data-out="33"><span class="label" data-o="0" id="eid1846"><span class="label-inner"><b data-o="0" id="eid1847">CHAPTER X</b> </span></span>THE SUBMARINE COAL-MINES</h2></body></html> I've also filed a feedback. But posting here just to raise the visibility - this is critical for us. I think it was introduced in beta 4; that's at least when we first noticed it. It was working in the earlier betas, I just don't remember if I tried beta 3 or not. It happens on iOS, macOS, and iPadOS. This has never been a problem in any earlier release of macOS / iOS.

We are building a hybrid iOS app using Angular (web) rendered inside a WKWebView, hosted by a native Swift app. Communication between the Angular UI and native Swift code is done using WKScriptMessageHandler. The app mostly works without issues, but in rare edge cases, we’re seeing crashes on the main thread, and the crash is reported in Firebase Crashlytics. The root cause appears related to CFRelease and WKScriptMessageHandler. Here’s the relevant crash stack: Crashed: com.apple.main-thread 0 CoreFoundation 0xbfac CFRelease + 44 1 CoreFoundation 0xa734 __CFURLDeallocate + 128 2 CoreFoundation 0x730c _CFRelease + 292 3 libobjc.A.dylib 0x4e28 AutoreleasePoolPage::releaseUntil(objc_object**) + 204 4 libobjc.A.dylib 0x4cbc objc_autoreleasePoolPop + 260 5 WebKit 0x99f194 WebKit::WebUserContentControllerProxy::didPostMessage(WTF::ObjectIdentifierGeneric<WebKit::WebPageProxyIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>, WebKit::FrameInfoData&&, WTF::ObjectIdentifierGeneric<WebKit::ScriptMessageHandlerIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>, std::__1::span<unsigned char const, 18446744073709551615ul>, WTF::CompletionHandler<void (std::__1::span<unsigned char const, 18446744073709551615ul>, WTF::String const&)>&&) + 680 6 WebKit 0x1b358 WebKit::WebUserContentControllerProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 392 7 WebKit 0xe86b0 IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) + 272 8 WebKit 0x23c0c WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 44 9 WebKit 0xe3f054 IPC::Connection::dispatchMessage(WTF::UniqueRef<IPC::Decoder>) + 252 10 WebKit 0x332d4 IPC::Connection::dispatchIncomingMessages() + 744 11 JavaScriptCore 0x58a7c WTF::RunLoop::performWork() + 204 12 JavaScriptCore 0x599a4 WTF::RunLoop::performWork(void*) + 36 13 CoreFoundation 0x56328 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 28 14 CoreFoundation 0x562bc __CFRunLoopDoSource0 + 176 15 CoreFoundation 0x53dc0 __CFRunLoopDoSources0 + 244 16 CoreFoundation 0x52fbc __CFRunLoopRun + 840 17 CoreFoundation 0x52830 CFRunLoopRunSpecific + 588 18 GraphicsServices 0x11c4 GSEventRunModal + 164 19 UIKitCore 0x3d2eb0 -[UIApplication _run] + 816 20 UIKitCore 0x4815b4 UIApplicationMain + 340 21 APP1 0xa2f80 main + 21 (AppDelegate.swift:21) 22 ??? 0x1c234eec8 (シンボルが不足しています) Steps: WebView: WKWebView Message passing: WKScriptMessageHandler → passing data from Angular → Swift WKWebView is long-lived and reused Native is using WKUserContentController.add(_:name:) to register handlers Crashes are intermittent (hard to reproduce), but often follow: Screen sleep/wake Push notification open Angular calling native immediately after resume Questions: Has anyone seen this specific crash pattern involving CFRelease and WKScriptMessageHandler? Are there known WebKit or CoreFoundation bugs related to WKScriptMessageHandler and retained URLs or message content? Thank you for your help!

Our app connects to the headend to get a IDP login URL for each connection session, for example: “https://myvpn.ocwa.com/+CSCOE+/saml/sp/login?ctx=3627097090&amp;acsamlcap=v2” and then open embedded webview to load the page. (Note: the value of ctx is session token which changes every time). Quite often the webview shows blank white screen. After user cancel the connection and re-connect, the 2nd time webview loads the content successfully. The working case logs shows: didReceiveAuthenticationChallenge is called decidePolicyForNavigationAction is called twice didReceiveAuthenticationChallenge is called decidePolicyForNavigationResponse is called didReceiveAuthenticationChallenge is called But the failure case shows: Filed to terminate process: Error Domain=com.apple.extensionKit.errorDomain Code=18 "(null)" UserInfo={NSUnderlyingError=0x11461c240 {Error Domain=RBSRequestErrorDomain Code=3 "No such process found" UserInfo={NSLocalizedFailureReason=No such process found}}} didReceiveAuthenticationChallenge is called decidePolicyForNavigationAction is called decidePolicyForNavigationResponse is called If we stop calling evaluateJavaScript code to get userAgent, the blank page happens less frequently. Below is the code we put in makeUIView(): func makeUIView(context: Context) -&gt; WKWebView { if let url = URL(string: self.myUrl) { let request = URLRequest(url: url) webview.evaluateJavaScript("navigator.userAgent") { result, error in if let error = error { NSLog("evaluateJavaScript Error: \(error)") } else { let agent = result as! String + " " + self.myUserAgent webview.customUserAgent = agent webview.load(request) } } } return self.webview } Found some posts saying call evaluateJavaScript only after WKWebView has finished loading its content. However, it will block us to send the userAgent info via HTTP request. And I don’t think it is the root cause since the problem still occurs with less frequency. There is no problem to load same web page on Windows desktop and Android devices. The problem only occurs on iOS and macOS which both use WKWebview APIs. Is there a bug in WKWebview? Thanks, Ying

When we embed some of the youtube videos are unable to load in the Mobile app but at the same time it works in Website. I need to allow it in both places. I have tried both embed and native sdk for youtube in iOS.

I recently updated my iPhone 12 to iOS 26. It seems there is a bug rendering Safari unable to "add to home screen" any website. Clicking the button displays a blank modal with Add button greyed out.

I'm developing a web extension for Safari on iOS using MV3. The extension is working fine in Chrome, but in Safari I experience some seemingly random issues. I would like to debug it, but here is my problem. I have my iPhone connected via cable to Mac, and it works fine with XCode, so I assume this part is OK. I open Safari or Safari Tech Preview (doesn't matter) on my Mac, developers options are enabled, and in the Develop menu, under my iPhone section, there are things I can debug. There is an entry "[Ext name] - Extension Service Worker" but when I click it, it's empty. Web inspector pops up, but there are no network requests, no logs, nothing. I know the extension is working, because I can stream log to my HTTP server, but I don't see them here at all. I can use console to trigger commands like chrome.storage.local.get(null, console.log) and it shows my local store, so why I don't see any logs? Also, the background script is not visible in the Sources tab, just one weird request: navigator.serviceWorker.register('safari-web-extension://E3449EA7-EC25-4696-8E6C-[ID HERE]/background.js'); </script> Any ideas what went wrong? The entire team of 4 people has the same issue and we can't move forward because of that. Also, the Develop => Service workers or any other menu section doesn't show my service worker. Logs for websites running on my phone are visible and in general web inspector for them works fine.

Hello. I have a project that loads a page using jquery 3.6.3 in WKWebView. When I try this on iOS developer beta 4, WKWebView malfunctions and the page does not load properly. If I remove jquery, the page loads. Even if I update jquery to the latest version, the problem remains the same. This problem did not occur until developer beta 3. The log is as follows. 0x12107c170 - [PID=994] WebProcessProxy::didClose: (web process 0 crash) 0x12107c170 - [PID=994] WebProcessProxy::processDidTerminateOrFailedToLaunch: reason=Crash Error acquiring assertion: &lt;Error Domain=RBSAssertionErrorDomain Code=2 "Specified target process 994 does not exist" UserInfo={NSLocalizedFailureReason=Specified target process 994 does not exist}&gt; 0x121138300 - ProcessAssertion::acquireSync Failed to acquire RBS assertion 'XPCConnectionTerminationWatchdog' for process with PID=994, error: (null) 0x132e00018 - [pageProxyID=9, webPageID=10, PID=994] WebPageProxy::processDidTerminate: (pid 994), reason=Crash 0x132e00018 - [pageProxyID=9, webPageID=10, PID=994] WebPageProxy::dispatchProcessDidTerminate: reason=Crash Failed to terminate process: Error Domain=com.apple.extensionKit.errorDomain Code=18 "(null)" UserInfo={NSUnderlyingError=0x13357de30 {Error Domain=RBSRequestErrorDomain Code=3 "No such process found" UserInfo={NSLocalizedFailureReason=No such process found}}} Failed to terminate process: Error Domain=com.apple.extensionKit.errorDomain Code=18 "(null)" UserInfo={NSUnderlyingError=0x13357f390 {Error Domain=RBSRequestErrorDomain Code=3 "No such process found" UserInfo={NSLocalizedFailureReason=No such process found}}} Failed to terminate process: Error Domain=com.apple.extensionKit.errorDomain Code=18 "(null)" UserInfo={NSUnderlyingError=0x13357d770 {Error Domain=RBSRequestErrorDomain Code=3 "No such process found" UserInfo={NSLocalizedFailureReason=No such process found}}}

In Safari 18.4, when loading https://facebook.com, the browser uses traditional HTTPS over TLS 1.3 (TCP/443), and the SNI is visible in the ClientHello. Our NetworkExtension-based app parses this handshake to extract the domain name. However, in Safari 18.5, the same request to facebook.com now defaults to QUIC protocol (UDP/443) and bypasses TCP/TLS. As a result, we no longer receive the SNI or any domain information, breaking our functionality which depends on SNI parsing from TLS. Expected Behavior: Safari should provide a configuration or fallback mechanism to disable QUIC per-domain or globally. Alternatively, Safari should expose domain name info in a way that respects platform-level filtering tools and extensions. Steps to Reproduce: Open Safari 18.5 Navigate to https://facebook.com Observe that the request uses QUIC (UDP/443) Attempt to extract SNI using NetworkExtension's packet inspection — fails due to QUIC Impact: This behavior breaks endpoint security and monitoring tools that rely on SNI visibility Not backward-compatible with Safari 18.4 Notes: Behavior not observed in Safari 18.4 (domain visible via TLS ClientHello) Observed only for facebook.com and a few other major domains We use a NEFilterDataProvider and NEFilterPacketProvider for analysis

Hello, I find it difficult to find information about this function, but Apple would allow you to download a Wallet ticket via a JWT signed token, without going through a pkpass, by calling the url https://wallet.apple.com/push/pass? Jwt= + jwt I have made several attempts with a different payload, either I am redirected to the Apple Pay presentation page, or I have a 403 error. I think I'm on my way, but I must miss a step in my signature. Could someone help me and give me the structure or how to manage the key? At the moment I use an Identifiers type PassType ID linked to a Certificate. Has anyone heard of this novelty? According to ChatGPT it should date from iOS 16-18 and potentially not be open to all devs. Thank you! Beautiful day

Hi all, Question: Can Apple confirm that, on macOS 15 without MDM/supervision, there is no supported API, entitlement, auth right, or config file that can enable a Safari App Extension without some form of user interaction? Environment • OS / Safari: macOS 15.0.1 (Sequoia), Safari 18.x • Distribution: Signed, notarized, stapled PKG installs a host app that contains a Safari App Extension • Management: No MDM allowed (and thus no supervision) • Goal: Have the extension come up enabled immediately after install, without requiring the user to click the checkbox in Safari Settings ▸ Extensions What we already know / tried Normal install flow – After PKG install, the extension shows up disabled. User must check the box to enable. SFSafariApplication.showPreferencesForExtension(...) – We can deep‑link the user to our row, but they still need to click “Enable.” Accessibility/UI scripting – We can script the click if the user grants our helper Accessibility permission. That still involves user interaction. .mobileconfig with Safari Extensions Management (AlwaysOn) – From what I can tell, this requires a supervised device enrolled in MDM. Installing that profile manually on an unsupervised Mac does not enforce the “AlwaysOn” state. Auth rights / Developer mode – Looked at auth.db rights like com.apple.Safari.allow-unsigned-app-extensions, and the Develop menu “Allow Unsigned Extensions.” Neither appears to auto‑enable a signed extension, and we don’t want to use private/unsupported APIs anyway. Thanks in advance for any clarification.

Hello Apple App Review Team, We are using Privy to enable sign in with Farcaster in our app. Privy is a 3rd party authentication SDK, and it currently opens the authentication URL using the system browser. Unfortunately, this behavior is handled internally by Privy and we do not have access or control to override it in order to present the sign-in flow in-app using SFSafariViewController. We understand the importance of maintaining a seamless and secure user experience, and we fully support the use of SFSafariViewController or ASWebAuthenticationSession. However, since Privy does not expose an option to change this behavior at the moment, we are limited by their current implementation. We have reached out to the Privy team requesting a change or improvement that would allow us to use SFSafariViewController instead of the external browser. In the meantime, we would appreciate your guidance on how to proceed, or whether an exception could be granted due to this 3rd party SDK limitation. Thank you for your understanding and support.

Seeing an issue in some versions of Safari (16.6, 18.3, 18.5) where an APNG converted to AVIF does not support transparency. Instead of a transparent background, the background is filled with black.

It seems that in iOS 18.5+ built with Xcode 16.4+, there has been a breaking change since 18.4 with 16.3 within WebKit and how the navigationAction.sourceFrame property is initialized when implementing the decidePolicy delegate method. The flow goes: Implement a WKNavigationActionDelegate with decidePolicy Call WKWebView.loadHTMLString("some-string", baseURL: nil) Upon loading the HTML content, read the value of navigationAction.sourceFrame within the decidePolicy method of the WKNavigationActionDelegate On iOS 18.4 (and below) with Xcode 16.3 (and below); navigationAction.sourceFrame is <uninitialized> On iOS 18.5+ with Xcode 16.4+: navigationAction.sourceFrame is already initialized and is equal to navigationAction.targetFrame It appears that this change was made between minor versions of Xcode and is unexpected behavior of a minor version. Not only was this not called out in the release notes for Xcode 16.4 and iOS 18.5, but it's technically also a breaking change to the WebKit API. Can we get insight on why this change was made and what Apple's policy is on breaking changes between minor versions of Xcode/iOS?

Summary: Content scripts injected via manifest continue to receive and respond to chrome.tabs.sendMessage() calls even after the user has navigated away from the original page, causing messages intended for the current tab to be handled by zombie contexts from previous pages. Environment: Safari/iOS Version: 18.5 Extension Manifest: Version 3 Expected Behavior: When a user navigates from Page A to Page B: Page A's content script context should be destroyed. chrome.tabs.sendMessage(currentTabId, message) should only reach Page B's content script Only Page B should be able to respond to action button clicks (or other background to content messages). Actual Behavior: When navigating from Page A to Page B: Page A's content script context persists as a "zombie". chrome.tabs.sendMessage(currentTabId, message) reaches zombie context instead of the Page B's one. Hence, it looks like the extension is broken because the content script does not respond to the background messages. Details: Tab ids are properly recognized by both background and content script The problem does not always occur; it occurs on random occasions. It's quite easy to have it reproduced. It can be reproduced easier if user clicks ext icon during site loading (before it fully loaded), triggering ActionClick (ext icon click) event and then sending a msg upon it to the content script Regardless of whether the content script is injected into the tab using manifest.json, registerContentScripts, or executeScript, the problem is still there Once the problem occurs, e.g. user is on macys.com but zombie injected content script believes it's google.com (a previous page), even refreshing the tab doesnt change anything - zombie context is still there (thinking it's still google.com) . Changing a domain to something completely different one could help though. Then going back to macys.com could still lead to the described issue. A zombie content script does not have access to the page's console function and others. Example communication Sending following message from the background to the content script using chrome.tabs.sendMessage() { "tab": { "id": 155, "active": true, "url": "https://www.macys.com/", "title": "Macys.com" } } Results in the content-script zombie context response (the url is taken from the window.location.href) "message": { "type": "ActionClicked", "data": {} }, "response": { "data": { "windowUrl": "https://www.google.com/", "contentReached": true, "timestamp": "1,753,138,945,272", } } }

Chrome's Incognito mode can not open app from universal link on iOS. It's opened a web page instead of launching the app even the app already installed on the iOS device.

I have compiled some Java code to WebAssembly via TeaVM and wrapped it in a PWA. The resulting code runs nicely in Firefox and Chrome but throws an exception in Safari. CompileError: WebAssembly.Module doesn't parse at byte 1657: invalid extended GC op 24, in function at index 2251 Can anybody tell me what's wrong with that code? I mean it can't be so bad if Firefox and Chrome can parse and run it without problems. I am using the most recent versions of all browsers and the offending code can be found here: Run the demo via: https://mpmediasoft.de/demos/Emmentaler/Emmentaler-Demo-TeaVM-Wasm/index.html The offending wasm file is: https://mpmediasoft.de/demos/Emmentaler/Emmentaler-Demo-TeaVM-Wasm/tvw/ModelBridgeTeaVM.wasm With Safari the demo just shows some empty space instead of a complex polygon. You can see the error in the javascript console of Safari.

Thread 0 Crashed: 0 WebKit 0x00000001a1b6bf1c WKMouseDeviceObserver.connectedDeviceCount.setter + 68 (WKMouseDeviceObserver.swift:0) 1 WebKit 0x00000001a1b6bea4 @objc WKMouseDeviceObserver.connectedDeviceCount.setter + 152 2 WebKit 0x00000001a1b6d95c closure #2 in WKMouseDeviceObserver.start() + 80 (WKMouseDeviceObserver.swift:0) 3 WebKit 0x00000001a1b4e3e9 &lt;deduplicated_symbol&gt; + 1 4 WebKit 0x00000001a1b4e139 &lt;deduplicated_symbol&gt; + 1 5 WebKit 0x00000001a1b4e769 &lt;deduplicated_symbol&gt; + 1 6 libswift_Concurrency.dylib 0x0000000196037cdd completeTaskWithClosure(swift::AsyncContext*, swift::SwiftError*) + 1 (Task.cpp:546)

Hi, How are we supposed to handle links with target="_blank" in the new SwiftUI WebView? I don't see anything in WebPage.NavigationDeciding or elsewhere that corresponds to the delegate method used for WKWebView.