使用direct distribution进行分发时，safari web extension 在safari setting 中显示没有权限读取、修改或传输任何网页的内容。 但是我在看公证日志显示插件是正常的公证的 这导致safari extension 无法使用。 公证日志 https://www.coupert.com/img/2025-04-10/notarization-log.json

Howdy, WKWebView feature request: allow Fullscreen API without User Gestures similar to ElectronJS' userGesture: true flag that allows devs to bypass user gesture restriction for Fullscreen API and similar executeJavaScript(code[, userGesture]) https://www.electronjs.org/docs/latest/api/web-contents#contentsexecutejavascriptcode-usergesture afaik this is allowed because of a fairly recent update to Chromium that also allows users to give Fullscreen API permissions per domain https://chromeos.dev/en/posts/using-the-fullscreen-api-without-gestures Would be greatly useful for a use case in my cross-platform app, so I can avoid rewriting all platforms to use Chromium Thanks

WebAuthn can be used in Safari, but when using it with WKWebView, you need to set the default browser definition (com.apple.developer.web-browser). Is this correct? Also, is it possible that the terms of use will change or that it will no longer be available in WKWebView in the future?

Description When creating an Apple ID via the web form, if the user’s chosen password contains their own name, the server correctly returns an error (e.g., "Password cannot contain your name") in the PUT request's JSON response. However, this error is not shown on the frontend, leaving users unaware of why the form silently fails or stalls. Steps to Reproduce Go to the Apple ID account creation page (https://appleid.apple.com/account). Enter valid account details where the password includes the user's first or last name (e.g., Johnacb2331!l for a user named John Doe). Complete all fields, including phone number verification and captcha. Submit the form and monitor the Network tab in your browser’s DevTools. Observe that the form appears to hang, loop, or silently fail. Open the PUT request to /account — the response JSON will contain the relevant validation error (e.g., “Password cannot contain your name”), but the user is not shown this. Expected Behavior The password validation error (e.g., containing the user’s name) should be immediately displayed in the UI next to the password field to inform the user and allow for correction. Actual Behavior No error is shown in the UI. The form appears to fail silently, leaving the user confused. The actual reason for failure is only visible through browser developer tools in the PUT response payload. Impact This can lead to: User frustration and confusion Increased support overhead Poor UX in a critical flow (account creation) Environment Browser: chrome 136.0.7103.114 Platform: Web (https://appleid.apple.com) Date observed: 31/5/25 Suggested Fix Ensure that password validation messages from backend responses surface in the frontend, especially for common user input issues like including names in passwords. No screenshots as I can not create a new account

We are encountering a download issue in Safari 18.2 on macOS Sequoia 15.2 where file downloads initiated by our AngularJS application (such as Excel exports) are silently blocked. There are no errors in the browser console, and the download does not occur. Interestingly, after testing on Safari 18.3 with Sequoia 15.3, the downloads worked as expected. However, the problem reappeared on Safari 18.4 with Sequoia 15.4. We suspect that recent changes in Safari’s security or download handling may be preventing downloads triggered via asynchronous JavaScript (e.g., AJAX calls) that are not initiated directly by user interaction. We would appreciate any insights, suggestions, or possible workarounds from the community. Looking forward to your guidance on this matter.

An Administrator account is executing safaridriver --enable but it doesn't apply to other standard user accounts and standard accounts can't enable it directly. Is this expected behavior? How can standard users make use of safaridriver?

I’m a developer working on a Safari Web Extension that’s distributed via the App Store and also tested locally through Xcode. I’m running into an issue that’s affecting my ability to debug errors reported to my Sentry error logging instance from production. The Problem When an error is thrown in one of my extension scripts (e.g., background.js, popup.js, or content.js), the error is sent to Sentry but the captured JavaScript error stack trace replaces the file paths with the webkit-masked-url://hidden placeholder like this: ReferenceError: Cannot access uninitialized variable. at ? (webkit-masked-url://hidden/:14677:28) at ? (webkit-masked-url://hidden/:16307:3) This happens consistently across both App Store builds and local Xcode runs. It prevents me from seeing which script the error came from or resolving the actual source code lines using uploaded source maps in Sentry. My Setup Safari Version: 18.5 (Stable on macOS) Distribution: App Store and local Xcode development Extension Type: Safari Web Extension Error Reporting: Sentry (@sentry/browser SDK) Bundler: Webpack with inline-source-map What I’ve Confirmed I can see the actual source files in Safari’s Web Inspector under the Sources tab when the extension is running. My source maps are uploaded to Sentry correctly and are associated with the matching release. Errors from Safari are being captured by Sentry, but the file URLs are masked, so stack traces cannot be resolved against my original source. My Question Is this behavior (masking file URLs in stack traces with webkit-masked-url://hidden/) intentional for Safari Web Extensions? If so, is there any supported method or workaround to allow exception stack traces to reveal the original script path (e.g., popup.js, background.js) so tools like Sentry or even console logs can point to real locations? I fully understand the privacy/security rationale behind the masking, but as the extension developer, this is making it extremely difficult to debug runtime issues in production. I’d really appreciate any insight into: Whether this masking is expected and permanent behavior If there are any entitlements, debug settings, or Info.plist keys that can alter this behavior for development or for trusted/own extensions If Apple recommends a different way to log extension errors that includes script name or source references Thanks in advance for your help! I’m happy to share more technical details or try out suggestions.

window.location.href = 'tel:0216700310'; I ran the code in an IOS environment. The number was displayed when the call button on the device appeared. However, other IOS devices besides some devices came out as a number starting with +82, and I received feedback that the call was not connected properly. I wonder what could be caused by only some devices. And I would also like to ask what can be done to allow the numbers on the code to be displayed and called as they are.

I am new to PHP. I have developed my own web site with a lot of javascript in simple HTML files. I want to do some extensions with PHP but I can't make a simple web page function. I am sure something simple is wrong. Help! Here is the test web page I made: hello.html <html>  <head>   <title>Hello World</title>  </head>  <body>   <?php echo 'Hello World!'; ?>  </body> </html> Pointing Safari at hello.html gives me a new tab with the correct title, but no "Hello World" in the page itself. Here is the output of php --version: WARNING: PHP is not recommended PHP is included in macOS for compatibility with legacy software. Future versions of macOS will not include PHP. PHP 7.3.24-(to be removed in future macOS) (cli) (built: Jun 17 2021 21:41:13) ( NTS ) Copyright (c) 1997-2018 The PHP Group Zend Engine v3.3.24, Copyright (c) 1998-2018 Zend Technologies

Steps to Reproduce: Open the Bing search page in Safari (example URL: https://www.bing.com/search?q=webkit&form=APIPH1&PC=APPL). Pinch-zoom in or out, then return the page to exactly 100% zoom. Rotate the device from portrait to landscape orientation. Observe that the page is incorrectly scaled to a value other than 100%. Rotate the device back to portrait orientation. The page remains at the incorrect zoom level. Expected Result: After returning the page to 100% zoom, changing orientation should keep the zoom level at exactly 100% in both portrait and landscape modes. Actual Result: After returning to 100% zoom, rotating to landscape changes the zoom to a non-100% value, and rotating back to portrait retains the incorrect zoom level.

Actually this is a duplicate for https://developer.apple.com/forums/thread/106537 but in web-specific forums section. Is there any video/audio codec best practices, guides, recommendations for app/web developers for best performance (take advantage from HW acceleration), power consumption saving? What are officially supported media containers? What are video encoding profiles, video dimensions, frame rates? The only official source I have found is https://developer.apple.com/documentation/webkit/delivering-video-content-for-safari?language=objc. But h264 is pretty old. I experimentally found that the VP9 video format is also supported on iOS newer versions. But is this a requirement? Сan i be sure that the video will play on all devices? My goal is to provide web media content (which will be rendered in my application using WKWebView API) that will be supported by most devices (both iOS and MacOS), takes advantage of such features as hardware decode acceleration and be efficient. Any hints/info is highly appreciated. Best regards.

I build websites and my current build has seven videos on the first page built with the html 'video' tag. The page renders on all browsers and Android and on Safari on my mac but on my iPhone safari they appear black and then play correctly when clicked. This has changed since the last update.

After updating to iOS 18.4, our web application (with service workers) crashes on devices that accessed it prior to the update. This issue also affects hybrid mobile apps using the same web application; reinstalling the app resolves it by refetching and reinstalling service workers. Debugging is challenging because clearing the cache or reinstalling the app fixes the problem, and no useful error logs are available. Has anyone encountered similar crashes related to service workers after an iOS update and have any insights into the cause?

So I have web Augmented Reality apps hosted on AWS S3. It worked fine for a month, but as soon as the IOS 18.4 update was installed they stopped working. It works on every other device and IOS versions. The URLs for the mentioned AR experiences: digitechonline.in/solsprefimaginewt8/ digitechonline.in/solsprefimaginewt8p2/ digitechonline.in/orocarear/ These AR experiences get stuck on the loading screen and either reload or give an error. Ideally the camera is supposed to open. I have tested it on Safari, Microsoft Edge and Google Chrome browsers. They were created through Unity webgl and hosted on AWS S3 bucket. Please provide a quick solution to this.

Subject: iOS 26 WKWebView: Remote Pages Become Unresponsive After Loading Local HTML Files Description We're experiencing a critical issue with WKWebView in a React Native 0.64.3 application where remote web pages become completely unresponsive after loading local HTML files in iOS 26. It works well before iOS26. Environment: React Native 0.64.3 iOS 26.0 Xcode 26.0.1 Using custom WKWebView implementations in Native modules Problem Details App loads local HTML files using loadFileURL:allowingReadAccessToURL: Later, when loading remote pages via loadRequest:, the remote pages load successfully but become unresponsive to user interactions This occurs even when using different WKWebView instances The issue is reproducible 100% of the time once a local file has been loaded Restarting the app and loading remote pages directly works fine Code Example: // Loading local file (works fine) [self.webView loadFileURL:localFileURL allowingReadAccessToURL:accessURL]; // Later, loading remote page (loads but becomes unresponsive) NSURLRequest *request = [NSURLRequest requestWithURL:remoteURL]; [self.webView loadRequest:request]; What We've Tried: Using different WKWebView instances for local vs remote content Comprehensive cleanup in dealloc (removing all user scripts and message handlers) Loading blank HTML before switching to remote content Using shared WKProcessPool (understanding its limitations in iOS 15+) Ensuring proper decisionHandler management in navigation delegates Resetting WKWebView configuration settings Clearing cookies and cache between loads Using loadFileRequest:allowingReadAccessToURL: instead of loadFileURL: Key Observations: The remote page renders correctly and network requests complete No JavaScript errors in console The view hierarchy appears normal in Debug View Hierarchy Touch events seem to be delivered but not processed by the web content Questions: Has Apple introduced new security restrictions in iOS 26 that affect the transition from file:// URLs to http:// URLs? Are there specific WKWebView configuration changes required for React Native applications in iOS 26? Could this be related to the React Native bridge or JavaScript context persistence? Any insights or workarounds would be greatly appreciated, as this is blocking our iOS 26 compatibility.

Hey everyone, After installing iOS 26 beta, I started noticing unexpected behavior in our input event handlers. Specifically, when users type into an field, event.target.value is always an empty string — but only when the JS file is loaded from a specific domain (e.g., t1.daumcdn.net). The exact same code works perfectly when hosted on other domains like t2.daumcdn.net or search1.daumcdn.net. 👉 I created a demo here: 🔗 CodePen Demo The scripts loaded from each domain are 100% identical (apart from the top-level selector). Before iOS 26 beta, this worked fine. I suspect this is related to ITP or some new cross-origin behavior in Safari, but I’d love to know if anyone else is running into this — or if someone knows a workaround. Thanks!

My Mac app and its Safari web extension share an app group, and I want to notify the web extension native process when the app makes a change to the app group NSUserDefaults, but I can't find a good way to do this. According to the documentation, "You can use key-value observing to register observers for specific keys of interest in order to be notified of all updates, regardless of whether changes are made within or outside the current process." In my testing, however, this doesn't work in the web extension process. I'm using NSUserDefaults addObserver forKeyPath, but observeValueForKeyPath never gets called. I've also tried NSDistributedNotificationCenter, but the web extension process doesn't receive the notifications sent by the main app. Are either of these supposed to work? If not, are there any alternatives?

I am trying to cache fonts natively in a hybrid app, so that CSS hosted in an https website loaded in WKWebView through loadRequest can reference them like this for a performance boost: @font-face { font-family: 'MyFont'; src: url('my-assets://Gordita-bold-subset.woff') format('woff'); font-weight: normal; font-style: normal; } The problem happens when I register a WKURLSchemeHandler for my-assets. The handler never gets called and the Safari Web Insepctor shows this: [blocked] The page at https://www.x.com/ requested insecure content from my-assets://Gordita-bold-subset.woff. This content was blocked and must be served over HTTPS. Interestingly enough, if we try to serve content with <img src="my-assets://test.png" this restriction does not apply. Are there any workarounds other than using the private API WKProcessPool._registerURLSchemeAsSecure?

Hello, I have an authentication flow where my app communicates with a backend protected by F5 client certificate validation. The client certificate is distributed via MDM and is available in the device keychain, but not accessible directly from the app. When using ASWebAuthenticationSession (or SFSafariViewController) Safari can successfully pick up and present the certificate during authentication, so that part works fine. However, the backend’s authenticate endpoint only supports a POST request with an Authorization header, whereas ASWebAuthenticationSession only accepts a GET URL when starting the session. My questions are: How is this type of flow typically implemented in iOS? Should the backend provide a GET-based endpoint that redirects into the POST, or is there a recommended iOS pattern (e.g., an intermediate HTML page that does the POST after certificate validation)? Are there Apple guidelines on handling certificate-based auth with ASWebAuthenticationSession when the API requires POST, especially for In-House distributed apps? Any guidance or best practices would be very helpful.

Hi Apple Devs & WebKit Team, We operate https://excnum.com — a personal website currently under reconstruction. It's HTTPS-secure, hosted on a clean VPS, and now features a simple placeholder page with no active forms, scripts, or external redirects. However, Safari on both iOS and macOS is flagging it as a “deceptive website”, blocking all access. This warning appears even though: The site uses a valid SSL certificate via Cloudflare There are no redirects, tracking scripts, or dynamic code We serve a static landing page (“under maintenance”) with zero interaction No malware, phishing, or obfuscation exists — verified with multiple tools A review request has already been submitted at: https://websitereview.apple.com We believe the site may have been blacklisted previously under past ownership or prior configurations. It has since been completely restructured and cleared, but the Safari warning persists. This false flag is harming visibility and trust for an otherwise neutral website. Any advice on how to expedite re-evaluation or request a manual delisting from the deceptive site list would be much appreciated. Thank you! — Alex Admin, EXCNUM.COM