I'm working on a Safari web extension that uses the nativeMessaging facility to communication with native code.
When I want to notify the javascript extension from the embedding application, I use SFSafariApplication::dispatchMessage. As per the documentation, this call
... ensures that Safari is launched and that your extension is running before delivering the message.
Everything works fine when the background script is running.
However, after the background script gets unloaded at some point in time (non persistent background page, default behavior for a manifest V3 extension), the background script is not reloaded by the message from the native app (background script still appears unloaded in the developer menu of Safari, double-checked using a counter stored in browser.storage.local incremented on message reception). In this case, the completion handler of the application gets no error (error == nil) as if the message was correctly delivered.
I was able to reproduce this behavior with the sample app delivered for WWDC20 (after upgrading the manifest from v2 to v3 to make it non-persistent).
Is it supposed to work ? What I'm doing wrong ?
General
RSS for tagExplore the integration of web technologies within your app. Discuss building web-based apps, leveraging Safari functionalities, and integrating with web services.
Selecting any option will automatically load the page
Post
Replies
Boosts
Views
Activity
0x158c2ce18 - [pageProxyID=33, webPageID=34, PID=883] WebPageProxy::didFailProvisionalLoadForFrame: frameID=4294967298, isMainFrame=1, domain=NSURLErrorDomain, code=-999, isMainFrame=1, willInternallyHandleFailure=0
Error Domain=NSURLErrorDomain Code=-999 "已取消" UserInfo={_NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <9A09D8F8-351D-4BE3-A1F7-0E2E325DC7BA>.<4>, _NSURLErrorRelatedURLSessionTaskErrorKey=(
"LocalDataTask <9A09D8F8-351D-4BE3-A1F7-0E2E325DC7BA>.<4>"
), NSLocalizedDescription=已取消, _WKRecoveryAttempterErrorKey=<WKReloadFrameErrorRecoveryAttempter: 0x159acf6c0>, networkTaskDescription=LocalDataTask <9A09D8F8-351D-4BE3-A1F7-0E2E325DC7BA>.<4>, NSErrorFailingURLStringKey=https://oamobile.zmmc.com.cn:28385/pages/Reports/ZBReport.aspx?ShowInLegend=true&appid=69b487001fcc11bc30c7344e50768c3c&userid=9784299b-cced-4702-91b0-0476511ba8d2, NSErrorFailingURLKey=https://oamobile.zmmc.com.cn:28385/pages/Reports/ZBReport.aspx?ShowInLegend=true&appid=69b487001fcc11bc30c7344e50768c3c&userid=9784299b-cced-4702-91b0-0476511ba8d2, networkTaskMetricsPrivacyStance=Unknown}
Failed to terminate process: Error Domain=com.apple.extensionKit.errorDomain Code=18 "(null)" UserInfo={NSUnderlyingError=0x159bd1830 {Error Domain=RBSRequestErrorDomain Code=3 "No such process found" UserInfo={NSLocalizedFailureReason=No such process found}}}
After upgrade to ios 26,
if WKWebView load url which did not contain "#" will always ok.
but load url contain “#” will cancel when start load, then result in white screen
We have a Smart App Banner (including App Clip) on our website and have noticed today that the banner's background color has changed. It no longer has the default white background and blue button color, instead it has a background color that matches our page's background, and even the color of the button has changed.
What's interesting is that we have not triggered this change at all. The colors seemingly changed by themselves.
Looking at the Apple Documentation, no customization options are mentioned. Searching the web, the theme-color meta tag is mentioned in relation to this, however we haven't even included that tag on our page.
What is triggering this color change then and how can we influence it?
Topic:
Safari & Web
SubTopic:
General
We’re currently working on an OTT-based application where we integrate Google Ad Manager to serve video ads. As part of the ad experience, users often see a “Learn More” CTA (Call to Action) on these ads.
As per our current requirement, when a user taps “Learn More” on an ad:
• The link should open in Safari (i.e., an external browser) on iOS devices
• The Safari browser should ideally open in portrait orientation, as the ad content and layout are optimised for portrait mode
However, based on our understanding and technical constraints on iOS, it appears that:
• Orientation control is restricted to the app’s own context.
• Once Safari is launched via UIApplication.shared.open, we no longer have control over how it behaves in terms of orientation.
• iOS system behaviour determines Safari’s orientation based on the device’s physical orientation and Safari’s own internal configuration.
Could you please confirm if there’s any supported way (via SDK, deep link config, or otherwise) to enforce portrait orientation in Safari when opening such external URLs from within an iOS app?
If this is not technically feasible, we would appreciate any best practices or alternatives you can suggest for ensuring a consistent user experience.
Topic:
Safari & Web
SubTopic:
General
I'm not loving the huge Favorites icons in Safari on MacOS 26, is there a way to reduce the size of them so that we can see more favorites on the list without scrolling down?
I am trying to cache fonts natively in a hybrid app, so that CSS hosted in an https website loaded in WKWebView through loadRequest can reference them like this for a performance boost:
@font-face {
font-family: 'MyFont';
src: url('my-assets://Gordita-bold-subset.woff') format('woff');
font-weight: normal;
font-style: normal; }
The problem happens when I register a WKURLSchemeHandler for my-assets.
The handler never gets called and the Safari Web Insepctor shows this:
[blocked] The page at https://www.x.com/ requested insecure content from my-assets://Gordita-bold-subset.woff. This content was blocked and must be served over HTTPS.
Interestingly enough, if we try to serve content with <img src="my-assets://test.png" this restriction does not apply.
Are there any workarounds other than using the private API WKProcessPool._registerURLSchemeAsSecure?
Topic:
Safari & Web
SubTopic:
General
Apple must comply with the requirements of the Level Index, the global digital credit gateway, and suspend gift cards and similar services until formal arrangements are made with service providers.
Hello,
We are developing a Safari Web Extension that uses a cookie-based authentication mechanism. The extension makes a request to an endpoint e.g. /login, and this endpoint expects a cookie (e.g., sessionId) to be included with the request. Everything works correctly when running in the default Safari profile.
However, when I install and run the same extension in a new, non-default profile, the behaviour changes:
The request to /login is still made
The cookie sent is not as expected
As a result, the response returns null user data
I confirmed that logging into the site in the new profile (in a tab) works, but the extension does not appear to share the session/cookie state with the login tab
We’ve tried explicitly setting "credentials": "include" in the request but that still didn’t share the cookie in the extension context in the non-default profile.
My questions:
Is there away to allow cookie-based session sharing between a tab and an extension in non-default profiles in safari?
Would switching to a token-based auth mechanism (e.g., Bearer tokens ) be the recommended workaround?
I’d appreciate any insights or guidance from those who’ve run into similar issues.
Thanks in advance!
Topic:
Safari & Web
SubTopic:
General
I use WKWebView to display a webpage that requires authentication through an authentication provider. This works as expected, but when I close and reopen the app, I have to reauthenticate. However, if I open the same page in Safari, I only have to authenticate once. If I close Safari and reopen it, the page displays without prompting me to authenticate again. I see some cookies stored in httpCookieStore, so I assume that storing cookies works. Does anyone have an idea why authentication is not persistent between app launches? Thanks in advance.
Best regards,
Marc
There is webview use in native MacOS app, there white lines on edges of webview you can observe, they are flickering if do resize the app window.
i would like to get rid of them. i need help, thanks.
Topic:
Safari & Web
SubTopic:
General
iOS18的app中加载了自己开发的H5页面,H5页面有个input输入框,每次输入框聚焦的时候,都会弹出键盘滑行键入的提示:“滑动手指将字母拼成词以快速键入”,应该怎么修改,达到不每次都弹出这个提示呢
Hello all,
I'm trying to retrieve geolocation data on the web, but I'm having trouble with the altitude value, which seems to differ from what I get on Android.
When using navigator.geolocation.getCurrentPosition in Safari, is the altitude value based on mean sea level, or is it ellipsoidal altitude based on the WGS84 ellipsoid?
altitude (WebKit JS): https://developer.apple.com/documentation/webkitjs/coordinates/1631861-altitude
altitude (Core Location): https://developer.apple.com/documentation/corelocation/cllocation/altitude
ellipsoidalAltitude (Core Location): https://developer.apple.com/documentation/corelocation/cllocation/ellipsoidalaltitude
If anyone has any insight into this topic I would greatly appreciate it!
Hi guys, I'm trying to use sign in with apple in javascript, I followed the guider in the website, and almost find everything I can find in Google, but nothing help, here is my situation:
I create a new App: com.yuhan.test.app
I create a new service ID: com.yuhan.test.service
configure a domain and return url
domain: tts.perterpon.com
returnURL: https://tts.perterpon.com/login
create a new key for Sign In with Apple.
my html code is here, it's easy, but it always told me invalid_client, I think I have done anything I need to do, can somebody help me? Thank you so much.
you can test my online web site: https://tts.perterpon.com/login.html
`
const buttonElementNew = document.getElementById('appleid-signin');
buttonElementNew.addEventListener('click', async () => {
try {
const data = await AppleID.auth.signIn()
console.log('Try/Catch Data', data.authorization.id_token);
const formData = new FormData();
formData.append("token", data.authorization.id_token);
await fetch("", {
method: "POST",
body: formData,
});
// Handle successful response.
} catch (error) {
// Handle error.
}
});
</script>
I’m a developer working on a Safari Web Extension that’s distributed via the App Store and also tested locally through Xcode. I’m running into an issue that’s affecting my ability to debug errors reported to my Sentry error logging instance from production.
The Problem
When an error is thrown in one of my extension scripts (e.g., background.js, popup.js, or content.js), the error is sent to Sentry but the captured JavaScript error stack trace replaces the file paths with the webkit-masked-url://hidden placeholder like this:
ReferenceError: Cannot access uninitialized variable.
at ? (webkit-masked-url://hidden/:14677:28)
at ? (webkit-masked-url://hidden/:16307:3)
This happens consistently across both App Store builds and local Xcode runs. It prevents me from seeing which script the error came from or resolving the actual source code lines using uploaded source maps in Sentry.
My Setup
Safari Version: 18.5 (Stable on macOS)
Distribution: App Store and local Xcode development
Extension Type: Safari Web Extension
Error Reporting: Sentry (@sentry/browser SDK)
Bundler: Webpack with inline-source-map
What I’ve Confirmed
I can see the actual source files in Safari’s Web Inspector under the Sources tab when the extension is running.
My source maps are uploaded to Sentry correctly and are associated with the matching release.
Errors from Safari are being captured by Sentry, but the file URLs are masked, so stack traces cannot be resolved against my original source.
My Question
Is this behavior (masking file URLs in stack traces with webkit-masked-url://hidden/) intentional for Safari Web Extensions?
If so, is there any supported method or workaround to allow exception stack traces to reveal the original script path (e.g., popup.js, background.js) so tools like Sentry or even console logs can point to real locations? I fully understand the privacy/security rationale behind the masking, but as the extension developer, this is making it extremely difficult to debug runtime issues in production.
I’d really appreciate any insight into:
Whether this masking is expected and permanent behavior
If there are any entitlements, debug settings, or Info.plist keys that can alter this behavior for development or for trusted/own extensions
If Apple recommends a different way to log extension errors that includes script name or source references
Thanks in advance for your help! I’m happy to share more technical details or try out suggestions.
The new WebView implementation in *OS 26 versions is a very valuable addition to the SwiftUI toolset. I was experimenting with it and was wondering how to implement a Pull To Refresh. While this was easily achievable with the "old" WKWebView I was not able to find an API to implement, for example, a page reload when the user uses a pull to refresh gesture.
I tried to attach to a .refreshable(_:) modifier to the WebView but without success.
Is there an official API for that or should maybe .refreshable(_:) already work and it's just a bug or is it simply not yet supported?
Here is a minimal example I was trying but didn't succeed:
struct ContentView: View {
@State private var page = WebPage()
var body: some View {
NavigationStack {
WebView(page)
.refreshable {
page.reload()
}
}
}
}
Any help is much appreciated. Thank you!
Based on the "Build immersive web experiences with WebXR"-Video for visionOS there is no way to disable the consent prompts for entering an immersive experience or consent hand-tracking. For the microphone it's possible to "greenlight" specific websites for mic input, which works great.
I'd welcome it, if it were possible to add specific websites in the settings, in which those consent dialogs aren't shown each time.
In my opinion, the user interaction through a button that launches the experience would be sufficient to not disorient.
I am trying to setup web sign in with apple, I have an active apple subscription and have set up all necessary things. I made a service id in apple Identifiers, connected to existing primary id (also has apple sign in enabled). I have my domain set up also correctly but still I cant generate the code due to invalid client. What do I need to do?
I have also tried recreating the service ids multiple times with no luck.
my init is
AppleID.auth.init({
clientId : '[CLIENT_ID]',//used the service id one not app id
redirectURI : '[REDIRECT_URI]',
usePopup : true
});
link to generate codes now is: https://appleid.apple.com/auth/authorize?client_id=com.crmtournest.sigin&redirect_uri=https%3A%2F%2Fwww.tournestcrm.com%2Fauth%2Fcallback&response_type=code%20id_token&state=saciy7rn1km&scope=name%20email&response_mode=web_message&frame_id=03487c22-abb4-48cd-8613-d6bf5836e9eb&m=11&v=1.5.5
Also tried: https://appleid.apple.com/auth/authorize?client_id=com.crmtournest.sigin&redirect_uri=https%3A%2F%2Fwww.tournestcrm.com%2Fauth%2Fcallback&response_type=code%20id_token (not working)
I get invalid_client
setup on apple below:
with iOs26 it works so so great, that every time i look something up ChatGPT is the first thing to Seach the web for everything about it then, i can read it an it gives a link for me to go to if i wont to further look inti it ,this on I Phone SE 3 Generation ,it has better Siiri to better on the I Phone SE 3rd Generation.
Hello there,
back in the old WebKit API there was the WKDownloadDelegate to handle download actions in WebViews. I was wondering how to handle download actions within the new WebKit in SwiftUI. Is there anything to use already or are there workarounds to handle downloads?
Greetings,
Thorben
Hello!
I have a few questions about integrating an OAuth2 API into my Swift application. I am using this API to access user data from the website (users will authenticate themselves within the app). I have seen other apps use this API in the way that I am describing it so I know that it is possible. However, I am not sure how to implement it.
Are there any recommended ways to use an OAuth2 API in my application?
The API that I am using does not specifically say that it supports PKCE. However, I have heard from some sources that it does. If it does not support PKCE, how do I still create a secure app infrastructure that will pass App Store Review?
At a more basic level, what is the difference between OAuth2 and PKCE? What should I use in my app? Are there any resources to learn a little bit more about these protocols so that I understand them better?
Thanks!