Hi, I am having issue with WebAssembly not able to load wasm file on Safari web extension.
It is showing CompileError: Refused to create a WebAssembly object because 'unsafe-eval' or 'wasm-unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval'".
It was working fine 2 month ago, my original CPS is "script-src 'self' 'unsafe-eval'". But now it is not accepting 'unsafe-eval', I also tried 'wasm-unsafe-eval' did not work.
Is there any changes on Safari browser regarding the CSP for WebAssenbly? Please let me know what CPS value will work.
Here is the example code on how I load the WebAssembly wasm file.
fetch('test_wasm_lib.wasm')
.then(response => {
if (!response.ok) throw new Error('Network response was not ok');
return response.arrayBuffer();
})
.then(bytes => WebAssembly.instantiate(bytes))
.then(results => {
// Use your WebAssembly instance here
console.log('load wasm success')
})
.catch(error => {
console.error('Error loading WASM:', error);
});
Post
Replies
Boosts
Views
Activity
It seems Safari 18's fetch() does not include credentials even credentials: include and safari extension has host_permissions for that domain.
Is there anyone has this problem?
I try to request in popup.js like this:
const response = await fetch(
url,
{
method: 'GET',
mode: 'cors',
credentials: 'include',
referrerPolicy: 'no-referrer',
}
);
and it does not include the cookie from host_permissions.
Those code worked in Safari 17 (macOS Sonoma).
Hi! We are having a hard time with the universal link, help is appreciated! Thanks in advance!
The universal link doesn't work after installation for some time. A user has to wait for from 5 to a couple of hours after the app is installed on the device.
This has also affected App reviewers since we need the universal link to work for successful login. Each submission will receive a rejection of we cannot login and it will be approved until we kindly ask them to try again.
I believe the JSON is delivered to devices by Apple's CDN system and the fact that it works on most devices most of the time should imply that we have a valid apple-app-site-association setup.
So I am really confused about the wait time, which is giving us trouble with app review and a bad user experience
Is it possible to enable/disable the enabled flag before the extension is loaded? we want to have a button in our app which controls the availability of the content blocker ruleSet in declarative_net_request in manifest (version 2).
"declarative_net_request": {
"rule_resources": [
{
"id": "ruleset_1",
"enabled": true,
"path": "ruleset_1.json"
}
]
},
Safari cannot open the page due to the error 'WebKit encountered an internal error.' We are using https://github.com/stleamist/BetterSafariView.git, and it was working fine before we updated to Xcode 16.
We are using manifest version 2, and currently some dynamic ads which come under the #document (documentURL) are not getting fetched and we are not able to block.
is there an alternative for onBeginRequest in iOS Safari? How can we fetch the dynamic URLs otherwise?
We have observed that blocking content using Safari web extension does not fetch few URLS within the #document (documentURLs) because the onBeforeRequest webextension API is currently not available in Safari iOS.
But it works fine using the Content blocking extension.
We have a list of URLs which we want to block from the website. Which extension would you suggest the Content blocking extension or the Safari web extension?
I am using two iPhone11 devices, having iOS v17.6.1 for automation testing using Seleniumv4.X-Appium v2.x.
Today I updated the mac to Sequoia15 version which updated the XCode to v16.
Just after this update, I could not able to run the previously running automation script. The console message is "org.openqa.selenium.SessionNotCreatedException:
Could not start a new session. Response code 500. Message: Unable to launch WebDriverAgent. Original error: xcodebuild failed with code 70. This usually indicates an issue with the local Xcode setup or WebDriverAgent project configuration or the driver-to-platform version mismatch."
Hi everyone,
I’m working on an iOS app using WKWebView, and I have a specific use case involving cross-origin iframes and form autofill. I’m wondering if it’s possible to programmatically fill input elements, such as credit card numbers, within a cross-origin iframe loaded in a WKWebView.
I understand that due to the Same-Origin Policy, direct DOM manipulation of cross-origin iframes is restricted. However, I’m curious if there are any methods or workarounds that might allow me to achieve this, specifically within the context of WKWebView. Thanks.
Flutter web view- I am downloading assets from server and using that assets to create html file to load on web view.
I downloaded them to the local document directory on the device. From there I can load the HTML files in a webview using the file:// schema, with the benefit that images, css etc. that are referenced in the HTML are loaded as well.
This works fine in Android (simulator and real device) as well as in an iOS simulator.
But on an iOS device the flutter webview fails to load assets , images & css files with a relative URL from local directory.
This is strange as the iOS simulator should behave the same in that case (as it is not really a hardware related issue).
Help me out from this issue.
Hello!
We have been testing the upcoming Safari 18 on macOS 15 Sequoia betas and noticed one inconsistent detail about Safari Web Extensions support compared to other browser which implement Web Extensions (Chrome, Edge, Firefox).
Background
We have a Safari Web extension which is monitoring navigation events using browser.tabs.onUpdated API.
navigation event subscription code sample
browser.tabs.onUpdated.addListener((tabId, changeInfo, details) => {
onTabUpdated(tabId, changeInfo, details)
});
navigation event handling code sample
onTabUpdated(tabId, changeInfo, details) {
console.log(`onTabUpdated: ${tabId}`, changeInfo, details);
// check URL in the tab for safety
}
});
If the extension detects that the user navigates to an unsafe URL, it redirects the user to a page hosted by the extension. It's an HTML resource from the extension bundle. The extension is using browser.tabs.update API to redirect a specific tab to an internal page.
const internalPage = browser.runtime.getURL("popup.html");
browser.tabs.update(tabId, { url: internalPage });
Discovered problem
When we use browser.tabs.update API
browser.tabs.update(tabId, { url: internalPage });
to redirect the user from an unsafe page, we notice that the redirected tab changes its identifier.
We know that is the case because we see another API firing. It's called browser.tabs.onReplaced. We have a similar subscription for those events.
When the page is redirected, the onTabReplaced handler is firing and informs us about the tab ID change after the redirect.
onTabReplaced(addedTabId, removedTabId) {
console.log(`onTabReplaced: ${removedTabId} -> ${addedTabId}`);
}
This is problematic for us in several ways:
The extension keeps track of the tab ID so that when the embedded HTML page is loaded, it can still tell the user about the original URL that was blocked. The behavior observed in Safari 18 breaks current expectations of our code and breaks the functionality of our extension.
This behavior is specific to Safari 18. Safari 17 does not behave this way which means that we will need to deploy an update to our Safari extension to mitigate that bug on the upcoming Safari version.
Moreover, this behavior is not observed in other browsers which implement Web Extensions standard (Chrome, Edge, Firefox). All these browsers preserve the tab ID after redirect. That is a problem for us as we run the same code in all 4 browsers that we support. This will cause increase of code complexity to cover Safari as an exception out of common rule.
Environment
Safari version 18.0 (20619.1.26.31.6) and all prior Safari 18 betas.
issue does not happen on Safari 17.
macOS 15 beta 8 (24A5331b) and all prior macOS 15 betas.
issue has been successfully reproduced on macOS 14 with Safari 18 betas which points to the fact that the issue is not exclusive to macOS 15. Safari 18 brings the faulty logic.
The issue has been confirmed and reproduced in a sample Xcode prowejt provided by Apple called "Sea Creator". So the issue is not specific to a single extension.
Feedback case
FB14975378. It contains sample code, the full Xcode project, screenshots and sysdiagnose.
Any advice or assistance is highly appreciated!
We have an iOS Safari extension currently distributed via Testflight.
I’ve noticed that after an indeterminate period of time (sometimes days, sometimes weeks) our safari extension will stop working. It will need to be turned on again from the system general -> safari -> extensions menu.
This is occurring on both iPhones and iPads running 17.6.1.
Is there any condition that will cause the system to disable a safari extension, requiring the user to reopen iOS settings to re-enable?
We have an iOS Safari extension currently distributed via Testflight.
I’ve noticed that after an indeterminate period of time (sometimes days, sometimes weeks) our safari extension will stop working and will need to be turned on again from the system general -> safari -> extensions menu.
This is occurring on both iPhones and iPads running 17.6.1.
Is there any condition that will cause the system to disable a safari extension, requiring the user to reopen iOS settings to re-enable?
Hello there,
We are having a problem when trying to repdorucir videos with videojs in a webview on devices with iOS older than 17.4. When playing them you see that the player restarts several times until crashing the webview. This are the xcode logs when this happens:
Error acquiring assertion: <Error Domain=RBSServiceErrorDomain Code=1 "(originator doesn't have entitlement com.apple.runningboard.assertions.webkit AND originator doesn't have entitlement com.apple.multitasking.systemappassertions)" UserInfo={NSLocalizedFailureReason=(originator doesn't have entitlement com.apple.runningboard.assertions.webkit AND originator doesn't have entitlement com.apple.multitasking.systemappassertions)}>
0x114029980 - ProcessAssertion::acquireSync Failed to acquire RBS assertion 'WebKit Media Playback' for process with PID=64167, error: Error Domain=RBSServiceErrorDomain Code=1 "(originator doesn't have entitlement com.apple.runningboard.assertions.webkit AND originator doesn't have entitlement com.apple.multitasking.systemappassertions)" UserInfo={NSLocalizedFailureReason=(originator doesn't have entitlement com.apple.runningboard.assertions.webkit AND originator doesn't have entitlement com.apple.multitasking.systemappassertions)}
0x1140180c0 - [PID=64164] WebProcessProxy::didClose: (web process 0 crash)
0x1140180c0 - [PID=64164] WebProcessProxy::processDidTerminateOrFailedToLaunch: reason=Crash
After iOS 17.4, Passkey Autofill stopped working inside ASWebAuthenticationSession.
iOS 17.5 re-enabled users to pick passkeys if they tap "🔑" icon on right bottom of keyboard and opened Safari password manager.
However, it still doesn't recommend passkeys on the first view.
Even on the latest iOS 18.0 developer beta, the behaviour is not fixed yet.
I have a hybrid mobile app which loads web server screens in its iframe(which is under the WKWebView); an https request is initiated from the mobile app to the web server which returns the html page to be loaded in the iframe.
The calls which are initiated from outside the iframe have cookies maintained in their requests, while the ones initiated from inside the iframe(web server page) loose the cookies and do not inherit them in IOS beta 18 while It worked fine in the previous IOS versions.
Anybody has infos about this or similar cases?
Hello, a very simple question, is there a test domain that is flagged by safari as a fraudulent webpage? one that is just for testing? Thank you.
Unable to create a cookie using WebKit API or manually create a cookie in Safari with SameSite=None on a device using iPadOS 18 beta. In Safari, the None option is still in the drop down as a selection for SameSite which leads me to believe this is a bug. Is this going to be fixed in the release version of iOS 18?
We have implemented a content blocker using the Safari Web Extension, which can be toggled on or off as needed. However, we've noticed that changes in the Safari browser take effect only after the page is reloaded again. This behaviour has been observed across all simulators as well as on iPhone 8 Plus running iOS 16.7.8.
Is this due to a delay in the JS file rules updation on simulator and lower devices?
Hello everyone,
I am currently developing several Progressive Web Apps (PWAs) and I am wondering if it’s possible to programmatically open an installed PWA on iOS/iPadOS from another app or a link.
My goal is to be able to launch an installed PWA directly from an action in another PWA, a web app, or a native app on iOS. For example, I’d like to know if this can be achieved via a deep link, a custom protocol (web+), or any other mechanism available on these platforms.
Has anyone successfully implemented this feature or found a workaround to programmatically open an installed PWA on iOS/iPadOS?
Thank you very much for your feedback and suggestions!