Good day, I'm attempting to check whether Apple Pay is available using the ApplePay JS API. Prior to upgrading to Safari 18.0+, I was using window.ApplePaySession.canMakePayments to show/hide the Apple Pay option. I've noticed with the new Safari version, the preferred method of checking the availability of Apple Pay is by using the applePayCapabilities method. When logging and inspecting the window object in Safari 18.0.1, this method seems to be missing from the ApplePaySession object. Additionally, my conditional code which is dependent on applePayCapabilities does not execute: if (typeof window !== 'undefined' && window.ApplePaySession) { // Safari version 17 and lower if (window.ApplePaySession.canMakePayments) { // set Apple Pay available } /** * On Safari version 18 and higher, we must check whether a user has a card saved in their wallet. * If this is the case, Apple Pay must be presented as the primary payment method. In our case, * this means selecting Apple Pay as the default payment method. */ if (window.ApplePaySession.applePayCapabilities) { const merchantIdentifier = '***'; const promise = window.ApplePaySession.applePayCapabilities( merchantIdentifier ); promise.then(capabilities => { switch (capabilities.paymentCredentialStatus) { case ApplePayCapabilities.CREDENTIALS_AVAILABLE: // set Apple Pay as available and default break; case ApplePayCapabilities.UNSUPPORTED: // not available break; default: // set Apple Pay as available only } }); } } I feel I'm missing something very simple here, help would be greatly appreciated!

For many years, I've noticed that although in native code I can handle continuous and simultaneous Apple pencil and touch inputs using UIKit, Safari and WKWebView's PointerEvents only seem to allow you to use one input type at a time. i.e. Apple Pencil down blocks touch input until lifted and touch input blocks Apple Pencil input. It's as though requiresexclusivetouchtype has been set in the underlying webkit implementation. There's decades of research (e.g. https://dl.acm.org/doi/10.1145/1866029.1866036 ) and several existing native applications in production showing that multimodal inputs open-up many unique and useful applications and interactions. Even a simple "hold object with finger" + "draw with stylus" controls are the norm. I recently built a native application using multimodal simultaneous inputs, but this is impossible to port to web due to the unexpected behavior of PointerEvents (and touch events, and mouse events; any variant exhibits the same behavior). I've researched and attempted to apply every possible flag, change, and css code to get this working, but I think the behind-the-scenes implementation is what's blocking the simultaneous touch types. This is unexpected and undesired behavior because it's inconsistent with the native behavior. If it's unintended, it's a big priority to fix for creating better user experiences on the iPad. If it's intended, I do not believe that's reasonable (even if it might be more complex and used for more advanced applications). Please expose a way to support simultaneous touch types in iPadOS/iOS in both Safari and WKWebView. At minimum, may we have a discussion on how to support the desired behavior? The simplest solution I can think of is to provide a webkit-platform-specific boolean in Safari and WKWebView called requiresExclusiveTouchType, which is set to False by default to keep the current behavior, and settable to True to get the more flexible behavior I'm expecting.

Hi, this is my first post in the community, so please correct me if i am posting this somewhat in a wrong manner. Im using my Apple M1 Pro(14inch, 2021) and installed the os 26 yesterday. Today, I was using Safari, and all of sudden it gets frozen, then the following window popped up. Is this something expected? i.e. my usage is somewhat unusual or is there any report around potential memory leak in Safari? appreciate any suggestions, as Safari is my main browser and currently on hold due to this issue. Thanks

PLATFORM AND VERSION iOS Development environment: Xcode 16.2, macOS 15.3.2 Run-time configuration: iOS 15-18 This happens in iOS, and leads to to the hybrid home page showing users as wrongly unauthenticated, since the at cookie is missing. For context, we have a JWT token that is stored in the Keychain, and on app launch, before any WKWebViews are created, we synchronize this to the WKWebsiteDataStore as an at cookie. We have analytics instrumentation on our websitef to show that WKWebView randomly refuses to send out any cookies. – The following is a snippet from an explanation to the WebKit Slack: We are having an issue on iOS, in which WKWebView loads pages (and even subsequent reloads) without any cookies, even though we have stored cookies in WKWebsiteDataStore.default() before hand right after application launch and becoming a key window. We reference this object, store it as a singleton, (as well as a process pool), and then all webview configurations are initialized with the same data store, the same process pool, every call on the main thread. From reading the source code, it seems that if the internal IPC logic fails, the APIs for deleting and setting data records and cookies fail without any feedback in completion handlers. This bug often happens when returning from the background on iOS after a few hours. Sometimes it happens on cold launches of the app. We have mitigated a similar issue (no cookies being sent) by implementing webViewWebContentProcessDidTerminate and reloading the webview ourselves, we found that whatever webview does to reload if that method is not implemented leads to cookies not being used. There have been multiple reports of WKWebView losing cookies in recent iOS versions, and we have tried to implement all of the workarounds listed. Setting a maximumAge to the cookies we store, and doing a _ = await websiteDataStore.dataRecords(ofTypes: Set([WKWebsiteDataTypeCookies])) before accessing or modifying websiteDataStore.httpCookieStore Question: is it safe to work with WKWebsiteDataStore before a WKWebView is added as a view, if so are there any timing considerations? Are there any logs that we can take a look at, this issue is very hard to reproduce, about 2% of our users face it at scale? Is there anything that could be happening within our process (runloop issues, timing) that could be causing this issue? See multiple reports from other companies that have faced the issue: "Now the Thermonuclear Problem with WKWebViewDataStorage" https://medium.com/axel-springer-tech/synchronization-of-native-and-webview-sessions-with-ios-9fe2199b44c9 STEPS TO REPRODUCE They don't exist, because the issue only happens at scale. We just know that no cookies are sent for a small percentage of requests. We believe this to be an issue in which Webkit fails to communicate internally with whatever IPC mechanisms it has. We have not been able to reproduce this issue consistently. The best we can give is that it happens after a few hours that the app is in the background. This happens regardless of whether the WKWebsiteDataStore is persistent or not, but seems to be much worse when it is persistent. Thus we have disabled persistnet data stores and relied on nonPersistent. The issue is bad enough that we are trying to move away from relying on cookies for iOS and just use request headers which we can only set on the top level request of WKWebView. DTS Case-ID: 13154329

We are trying to retrieve merchant tokens from ApplePay. We used the javascript codes from Apple Pay demo site to request for a recurring payment from the frontend. "recurringPaymentRequest": { "paymentDescription": "A description of the recurring payment to display to the user in the payment sheet.", "regularBilling": { "label": "Recurring", "amount": "4.99", "paymentTiming": "recurring", "recurringPaymentStartDate": "2023-08-11T11:20:32.369Z" }, "trialBilling": { "label": "7 Day Trial", "amount": "0.00", "paymentTiming": "recurring", "recurringPaymentEndDate": "2023-08-11T11:20:32.369Z" }, "billingAgreement": "A localized billing agreement displayed to the user in the payment sheet prior to the payment authorization.", "managementURL": "https://applepaydemo.apple.com", "tokenNotificationURL": "https://applepaydemo.apple.com" } Payment was successful, but merchantTokenIdentifier is not shown in the in decrypted ApplePay token, regardless of test card used. We tried Visa and MasterCard.

Hello, I've encountered a problem in Safari where if I have an application hosted locally, it causes the files of dependencies such as CSS, JS, SVG. etc. to not load. Interestingly, every time the same page refreshes, different files are not loaded and it is very random which files are not loaded at which time. The error I see in the console is "Failed to load resource: unable to parse response" and for websockets I get: "WebSocket connection to 'ws://127.0.0.1:8000/socket.io/?EIO=4&transport=websocket&sid=MuZEbWIVEKZ2OJZAAABi' failed: WebSocket is closed before the connection is established.". Interestingly, the problem only appears when the application is hosted locally, when it is hosted in the cloud, the problem does not appear. Similarly, the problem only appears in Safari. I'm using macOS 15.0 (24A335) and Safari version 18.0 (20619.1.26.31.6). Have you encountered such a problem and do you have any idea how to solve this problem? Thank you for your reply.

Hey there guys! I'm new to this, and have been learning JavaScript on Udemy. I'm trying to do everything inside of Safari, instead of using Chrome. But I'm stuck on something that I feel is kind of small, but has been nagging at the back of my brain. When I go to the 'Inspector Developer Tools' (command + option + i), then go to 'Sources', and go to 'Console Snippets', I'm trying to figure out how to delete any JavaScript files from the Console Snippets selection. In Chrome, when you navigate to the Chrome equivalent, if I right click on the file, there's an option to remove the file, but on Safari the only option I get is to Run Console Snippet. Does anyone know how to remove or delete a JavaScript file from the Console Snippets section in Safari? I have no extensions installed.

Hi, We have configured WKAppBoundDomains and are using limitsNavigationsToAppBoundDomains to enable Service Workers, which works perfectly. However, we are now unable to load a WKWebView with any domain that is not included in the app-bound domains. For these other WKWebView instances, we have explicitly set config.limitsNavigationsToAppBoundDomains = false, but it doesn’t seem to have any effect. We don’t require access to the restricted APIs enabled by app-bound domains for these instances—we simply want them to load and perform basic website functionality. Is there a way to enable Service Workers selectively in some WKWebView instances while allowing others to remain unaffected by the App-Bound Domains restriction? Thank you for your help! Best regards, Rose Ding

I'm tasked with securing a Safari browser extension that my organization created. It is using WebExtensions and has been launched across various browser extension stores, including Safari. I've searched for many hours on this and find very very little information on how to secure it. (Pretty much just https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy.) Is there anything more extensive/comprehensive? I'll be dealing with Safari Desktop as well as Safari iOS. By comparison, when looking for resources for securing the Firefox version of the extension, I found https://extensionworkshop.com/documentation/develop/build-a-secure-extension/, which I think is a great resource. Some of that content applies to Safari, but it's hard to know to what extent. I'll need to secure Safari web and Safari mobile (i.e. iOS), but for now I'm focused on web. (But if you have anything on mobile, then please let me know also.) Thank you!

I am a newby to JavaScript, suggested to me to use to automate the task of opening of a Web page, selecting three internal buttons in sequence to download the underlying chart data. I have created the App via Automator on macOS, to run the Script, successfully open the Web Page, but cannot find a way to select and click() on the buttons. Can someone please help me. Robert. This is the code suggested by Grok 3 Beta, but I see this error: Error: First parameter passed to Document Constructor must be an object. function run(input, parameters) { var Safari = Application('Safari'); Safari.activate(); // Open the AEMO data dashboard (Grok 3 Beta recomendation opens the web page correctly) Safari.Document().make(); Safari.windows[0].currentTab.url = 'https://www.aemo.com.au/energy-systems/electricity/national-electricity-market-nem/data-nem/data-dashboard-nem'; delay(10); // Wait for page to load // Click the Fuel Mix tab (target the active in the tabs) Safari.Document(0).doJavaScript("document.querySelector('.tabs .active').click()"); delay(5); // Wait for tab content to load // Select 48 hrs from the dropdown Safari.Document(0).doJavaScript("document.querySelector('#interval').value = '48H'; document.querySelector('#interval').dispatchEvent(new Event('change'))"); delay(5); // Wait for selection to take effect // Click the download button Safari.Document(0).doJavaScript("document.querySelector('.visualisation-icon-button').click()"); return input; }

How to allocate the width of each column when customizing the rendering of HTML tables on iOS with limited screen width

How to handle it? regular downloads I already go working through Navigation and download delegates

When the “Use Strong Password?” dialog appears and I select “Not Now” to manually enter my own password, the password I type is displayed in plain text instead of being masked. Since the input field is of type="password", the entered characters should be hidden as is standard for password inputs. Is there a way to prevent this behavior and ensure that the password is properly hidden even after dismissing the strong password suggestion dialog?

On iOS 18 only, I've been getting this error from the didFailToContinueUserActivityWithType in AppDelegate, the activity needed for universal links. It didn't happen on previous versions of it. Has anyone encountered this ?

I have noticed that storage.local.get API works differently in Safari 18 compare to other browsers and Safari 17. browser.storage.local.set({abc: 123}) browser.storage.local.get(console.log) // {abc: 123} browser.storage.local.get({abc: null}, console.log) // expect {abc: 123} but got undefined instead. According to MDN, storage.local.get should work with an object with object names as keys and the default value as value. According to Safari 18 Release notes, this may be related to a fix: 'Fixed getting an empty key from storage. (99440265) (FB11427769)'.

We’re encountering an issue when trying to add non-standard headers to outgoing requests using Declarative Net Request (DNR) rules in our Safari Web Extension. Tested on macOS 15.4 with Safari 18.4. Specifically, when attempting to add a custom header such as "X-Custom-Header" using a DNR rule, the header does not appear in the request. We are able to add standard headers like "Authorization" and "Cookie" to the request successfully using the same method. This behavior suggests that Safari may be filtering or blocking non-standard headers when set via DNR rules, unlike other browsers. In Chrome and Firefox, the same rule adds the "X-Custom-Header" header without any issue. We are looking for assistance in fixing these issues and having our Safari Extension function the same as it does in Firefox and Chrome.

Problem As the title says, Safari lost all my tabs once I updated to macOS 15.4. I do of course have "Safari opens with: All windows from last session" set. This has been my default for many years. Past Mitigation In the past I had a script that I could use to backup ~/Library/Safari that would save all my bookmarks and tabs. Unfortunately they made this method of backup non-function sometime around when tab groups were introduced. Suggestion Fortunately my tab groups are still intact. But this sort of problem doesn't give me a lot of confidence. I haven't had something like this happen in a while, but when it does happen, it's quite frustrating. Apple really needs to recognize that this sort of thing can and will happen and they should make it easier for users to manually save/restore their tabs. Problem with forums To add insult to injury, as I was typing this message in the forum, I decided to select "Edit Bookmarks"... which proceeded to replace the current window with my bookmarks, thereby losing my post! It did this without warning of page content changes (which I get from most other websites). I felt somewhat relieved that the forum had recognized a previous draft and offered for me to continue. However, when I selected it, it brought me back to an old post... that was actually posted! smh

A DNR rule with lower priority is being applied before a DNR rule of higher priority on Safari. Specifically, a low-priority DNR block rule that matches a request is being applied before a high-priority DNR redirect rule that matches the same request, preventing the redirect from occurring. The only way to get the high-priority redirect rule to occur is to remove the DNR block rule. This does not occur on other browsers. I have already submitted a Feedback Assistant report about this bug: FB16535579 How to reproduce: Create/install a web extension on Safari with the declarativeNetRequest and declarativeNetRequestWithHostAccess permissions Open the Web Extension Background Content console and add a redirect rule with a high priority number. For example: await chrome.declarativeNetRequest.updateDynamicRules({addRules: [ {id: 5000, condition: {urlFilter: "||www.google-analytics.com*/ga.js", resourceTypes: ["script"], domainType: "thirdParty"}, priority: 80, action: {type: "redirect", redirect: {url: “http://www.apple.com/”}}} ]}) Add a block rule of lower priority for the same urlFilter: await chrome.declarativeNetRequest.updateDynamicRules({addRules: [ {id: 5001, condition: {urlFilter: "||www.google-analytics.com^", domainType: "thirdParty"}, priority: 1, action: {type: "block"}} ]}) Visit https://efforg.github.io/privacybadger-test-fixtures/html/ga_surrogate.html Check the network tab and see that neither a request to Google Analytics nor apple.com appear. This means that the request to Google Analytics was blocked instead of being / before being redirected Remove the block rule: await chrome.declarativeNetRequest.updateDynamicRules({removeRuleIds: [5001]}) Reload https://efforg.github.io/privacybadger-test-fixtures/html/ga_surrogate.html. Check the network tab and confirm that there is a request to apple.com, showing that the redirect rule is only applied if the lower-priority block rule is removed. The priority of the DNR rules should handle this without having to remove a DNR rule. I have confirmed that the incorrect application of DNR rule priority happens on other top level domains, with other urlFilters, and with other redirect URLs. I confirmed that this is happening while I’ve granted my extension permissions on all websites.

When configuring a Per-App VPN payload with 250+ Safari domains under a managed app, the VPN does not trigger for the other managed apps(like chrome etc). However, the same VPN successfully starts and works when used with Safari. Reducing the number of Safari domains in the VPN payload resolves the issue, allowing the VPN to trigger for the managed app as expected. Has anyone else faced this issue, and what's the workaround for it?

Safari 18.2 on Sequoia 15.2 sends repeated Authorization header when iCloud Relay is enabled and the page is reloaded. Inside Safari Preferences -> Privacy -> Hide IP address -> from Trackers and Websites (ensure this is enabled) Visit a website that uses HTTP Authorization and authenticate oneself Reload website a couple of times and it will result in an HTTP 400 error due to repeat Authorization header sent by Safari