We confirmed a problem at Safari on iPadOS 18.2 or after version. For confirmation, we made a HTML document (see below HTML1) what include ‘method="POST" target="_blank"’ and tested the form however server received GET method and there is no parameter, server did not receive “id” parameter. We confirmed that fact in captured packet and log file that on the server. HTML1: We also made another HTML document (see below HTML2) what include submit button, but the server received GET method as above. HTML2: And we also confirmed that it behaves differently depending on the network environment. If the form targets a name that does not exist (ex. target=” A12345”), behaves differently http or https. http: Safari opened new tag, but the server received GET method. Normally, Safari open new tag and the server receive POST method. https: Safari opened new tag, and the server received POST method. It is normally. If the form targets ‘_blank’, the server received GET method on http or https both. We think Safari change the method POST to GET and delete parameters. It is not conformed to the HTML specification if is that true. We confirmed it was not happened at Safari on iPadOS 17.4, and Windows PC (Edge, Chrome). The method what the server received is POST. We find same problem in Apple Support Community (see below URL). https://discussionsjapan.apple.com/thread/255987615 (Described in Japanese) Is it a bug in Safari on iPadOS 18.2 or after version? Do you have plan to fix? Or if fixed the bug, when do you release fixed version.

Steps to Reproduce: Open the Bing search page in Safari (example URL: https://www.bing.com/search?q=webkit&form=APIPH1&PC=APPL). Pinch-zoom in or out, then return the page to exactly 100% zoom. Rotate the device from portrait to landscape orientation. Observe that the page is incorrectly scaled to a value other than 100%. Rotate the device back to portrait orientation. The page remains at the incorrect zoom level. Expected Result: After returning the page to 100% zoom, changing orientation should keep the zoom level at exactly 100% in both portrait and landscape modes. Actual Result: After returning to 100% zoom, rotating to landscape changes the zoom to a non-100% value, and rotating back to portrait retains the incorrect zoom level.

We have a Safari extension that's been up on the App Store for about 18 months with no apparent issues. This week, however, while working on an update, we uninstalled the production version on our test machines and installed a developer version. When we had some issues, we tried to go back to the production version downloaded from the App Store, but we get an pop saying "Unable to download App." In the log, the most obviously relevant error is 'Operation not permitted'. This occurs on several machines and different logins on those machines in both norma and safe modes. However, on another machine that never had one installed, we could still install the app from the app store, so I suspect there is something left behind that needs to be removed, but I don't know what. FWIW, I see the download directory getting created under /Applications, but it is promptly removed when the failure popup appears. Any suggestions?

Hello I am trying to release an app, dealing with storing, delivering, and maintaining outdoor activity euqipememts. On web, I used widget provided by TOSS, which is a Korean banking application. Due to lack of time I have use lazy method User taps the “Pay” button ↓ Backend generates a payment URL (Toss Payments) ↓ Open the payment page in an external browser (Safari) ↓ User completes the payment in Safari ↓ Return to the app via deep link (borini://payment/success) ↓ Call the payment approval API ↓ Display the payment completion page I have hear such method is possible for our type of service which deals with real life goods. So I would love to know if it is actually possible or will I have to make a new payment method using apple provided payment method in order to pass APP Store Connect review before releasing application

I have a Safari extension that plays audio via the javascript AudioContext API. It was working fine under iOS 17 and is now broken under iOS 18. It does not play audio at all. I've tried in both the iOS 18 public beta and the iOS 18.1 developer beta. It is broken in both of them. I've also created Feedback item FB15170620 which has a url attached to a page I created which demonstrates the issue.

We are seeing an issue in Safari on iOS 26 where the a automatic unfocus of on select box dismisses the second one. <select name="choice1" onblur="console.log('onblur1');" onfocus="console.log('onfocus1');"> <option value="first">First Value</option> <option value="second" selected>Second Value</option> <option value="third">Third Value</option> </select> <select name="choice2" onblur="console.log('onblur2');" onfocus="console.log('onfocus2')"> <option value="first">First Value</option> <option value="second" selected>Second Value</option> <option value="third">Third Value</option> </select> select something in choice1. quickly tap choice2 before onblur1 is logged. At the timing of onblur1 the selection menu for choice2 is dismissed. Anyone know how to fix this behavior?

I want to confirm the specifications and behavior of Safari. We have a system built on Microsoft Azure that uses Azure AD B2C for authentication. When we logging in, there is a phone authentication feature where a call is made to the registered phone number. However, this phone authentication does not work properly only on iPhone's Safari. The specific situation is listed below: When performing phone authentication on iPhone's Safari, a call is made from Azure AD B2C, and pressing the # button on the Safari screen can be done. But then, it transitions to an error screen. We tried multiple iPhone devices and multiple iOS versions, but the result was the same. But when accessing the system on a PC, and performing phone authentication, it works without any errors. Also when we use browsers other than Safari (for example, Google Chrome and Firefox) on the iPhone, the phone authentication works without any errors, too. Even with Safari, if the device displaying the login screen and the device making the call are different, phone authentication works without any errors, too.(it fails if they are the same device). We reached out Microsoft about this issue, and they responded that: The Azure resource called FrontDoor at the front end of Azure AD B2C supports the HTTP/2 protocol, and HTTP/2 protocol is used in communication with Safari. In Safari's HTTP/2 communication, when a call is received while the screen is displayed, a reset packet is sent to the web server (in this case, the web server is FrontDoor). This interrupts the session, causing a session termination error on the Azure AD B2C side, and phone authentication fails. Therefore, we would like to ask you the following two points: In HTTP/2 communication, does the Safari browser send a reset packet to the web server when it receives a phone call? If so, what is the cause of this behavior? And are there any measures to prevent the reset packet from being sent?

Command: com.apple.WebKit.Networking Path: /private/preboot/Cryptexes/OS/System/Library/ExtensionKit/Extensions/NetworkingExtension.appex/com.apple.WebKit.Networking Identifier: com.apple.WebKit.Networking Version: ??? (8621.3.11.10.3) Resource Coalition: "com.apple.mobilesafari"(1005) Architecture: arm64e Parent: launchd [1] PID: 1708

iOS 18.4 introduces the new WKWebExtension API to support extensions in WKWebView. However, for extensions that have migrated to Manifest V3 and use an extension service worker as the background script, it's currently not possible to inspect them through Safari. This is only thing I can see, I don't know how to inspect the details of the "background.js" I'm wondering—has this changed? Is it now possible to inspect extension service workers?

I have a local HTML file used to display mixed content with images and text. Here's the issue: the same file displays everything correctly in Google Chrome, showing both images and text as expected. However, when opened in Safari, only the text is shown—images are missing, which is very strange. Interestingly, if I remove .png from the title attribute of the tag, the images show up properly in Safari. Alternatively, if I comment out the inclusion of html2canvas.min.js, the images also display correctly (although the layout breaks without it). I'm not sure if this is a Safari-specific issue. Can anyone explain what might be causing this problem?

We have written a PAC script that blocklists certain domains and whitelists others. We went to Settings > Network > Wi-Fi (the network we are using), then clicked on Details, and under Proxies, we added the PAC file URL in the Automatic Proxy Configuration section. We tried hosting the PAC file both on localhost and on a separate HTTP server. After saving the settings, we tested several URLs. The blocking and allowing behavior works correctly in all browsers except Safari. Below is the PAC script we are using for your reference. The script works as expected in browsers other than Safari. This is how the PAC script URL looks: http://localhost:31290/proxy.pac function FindProxyForURL(url, host) { var blacklist = new Set(["facebook.com", "deepseek.com"]); var b_list = [...blacklist]; for (let i = 0; i < b_list.length; i++) { let ele = b_list[i] + "*"; if (shExpMatch(host, ele) || shExpMatch(url, ele)) { return "PROXY localhost:8086"; } } if (isIPBlocked(whitelist_subnet, hostIP)) { return "PROXY localhost:8087"; } if (isIPBlocked(blacklist_subnet, hostIP)) { return "PROXY localhost:8086"; } return "PROXY localhost:8080"; }

After reading several posts I see that I need to add the "com.apple.developer.web-browser.public-key-credential" capability to my macOS app in order to get it to work. So my noob question is where do I request this capability? Can I as a developer request it or does the Account owner need to request it? Once approved, how do I add it to my app's capabilities? Thanks for your patience

At present, it is not possible to use deep linking without suffering the Smart banner being injected by Safari on each affected web page. This makes the experience of users choosing to browse an associated website significantly poorer as they have to see a Smart banner at the top of each page. People know there is an app store and an app – they don't need constantly reminding like it is still 2010. Anyone know where a relevant plea can be made to Apple to provide an alternative mechanism here as it damages the ethos of being able to simply use a web browser

Hi everyone, I want users not to see the system context menu when long-pressing text on a page in Safari on iOS. I found on MDN that the CSS property -webkit-touch-callout: none; can achieve this. But in reality, it doesn't really work. MDN documents URL: https://developer.mozilla.org/en-US/docs/Web/CSS/Reference/Properties/-webkit-touch-callout Here’s a minimal example: function preventIOSSafariContextMenu() { if (document.getElementById(STYLE_ELEMENT_ID)) return; if (!IS_TOUCH_DEVICE) return; const style = document.createElement("style"); style.id = STYLE_ELEMENT_ID; style.textContent = ` html, body { -webkit-touch-callout: none !important; } `; (document.head || document.documentElement).appendChild(style); } The context menu persists. Has anyone else encountered this? Is this an intentional change in WebKit, or could it be a regression? If it’s intentional, is there a recommended alternative? Thanks in advance for any insights!

I'm developing an application that makes use of a WebView. When resuming the app I occasionally run into an issue where the application just shows as a blank page. In the Console.app I see a stack trace, however the details are hidden (see below). The stack trace is thrown from JavaScriptCore. default 13:37:07.029261+0200 outlinerrs_dioxus 1 0x1b80cd678 <private> default 13:37:07.029360+0200 outlinerrs_dioxus 2 0x1b7d50e30 <private> default 13:37:07.029369+0200 outlinerrs_dioxus 3 0x1047ec800 <private> default 13:37:07.029539+0200 outlinerrs_dioxus 4 0x1b7d37924 <private> default 13:37:07.029548+0200 outlinerrs_dioxus 5 0x1b8102a78 <private> default 13:37:07.029789+0200 outlinerrs_dioxus 6 0x1b8100cb8 <private> default 13:37:07.029834+0200 outlinerrs_dioxus 7 0x1b7ba7b0c <private> default 13:37:07.029851+0200 outlinerrs_dioxus 8 0x1b879a520 <private> default 13:37:07.029870+0200 outlinerrs_dioxus 9 0x1b817f204 <private> default 13:37:07.030159+0200 outlinerrs_dioxus 10 0x1b76bfce8 <private> default 13:37:07.030186+0200 outlinerrs_dioxus 11 0x1b76ad838 <private> default 13:37:07.030245+0200 outlinerrs_dioxus 12 0x1b76bd76c <private> default 13:37:07.030324+0200 outlinerrs_dioxus 13 0x1b22c827c <private> default 13:37:07.030424+0200 outlinerrs_dioxus 14 0x1b22c8034 <private> default 13:37:07.030461+0200 outlinerrs_dioxus 15 0x19d6df230 <private> default 13:37:07.030514+0200 outlinerrs_dioxus 16 0x19d6df1a4 <private> default 13:37:07.030584+0200 outlinerrs_dioxus 17 0x19d6bcc6c <private> default 13:37:07.030592+0200 outlinerrs_dioxus 18 0x19d6928b0 <private> default 13:37:07.030601+0200 outlinerrs_dioxus 19 0x19d691c44 <private> default 13:37:07.030607+0200 outlinerrs_dioxus 20 0x23ca6e498 GSEventRunModal default 13:37:07.030675+0200 outlinerrs_dioxus 21 0x1a300cddc <private> default 13:37:07.031049+0200 outlinerrs_dioxus 22 0x1a2fb1b0c UIApplicationMain default 13:37:07.031064+0200 outlinerrs_dioxus 23 0x104a76278 <private> default 13:37:07.031070+0200 outlinerrs_dioxus 24 0x1047a0064 <private> default 13:37:07.031254+0200 outlinerrs_dioxus 25 0x104781efc <private> default 13:37:07.031343+0200 outlinerrs_dioxus 26 0x1047493e0 <private> default 13:37:07.031352+0200 outlinerrs_dioxus 27 0x10477e1c8 <private> default 13:37:07.031358+0200 outlinerrs_dioxus 28 0x1047a0184 <private> default 13:37:07.031373+0200 outlinerrs_dioxus 29 0x1047a033c <private> default 13:37:07.031409+0200 outlinerrs_dioxus 30 0x104733724 <private> default 13:37:07.031451+0200 outlinerrs_dioxus 31 0x104464e98 <private> I tried to create com.apple.WebKit.plist in /Library/Preferences/Logging/Subsystems with the following contents: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>DEFAULT-OPTIONS</key> <dict> <key>Enable-Private-Data</key> <true/> </dict> </dict> </plist> Does anyone know how to reveal the hidden logs?

Hi Developers, I am working on a small project and I noticed that my website header looks different in Safari on macOS compared to Windows browsers like Chrome and Edge. In Safari, the header text and spacing look slightly shifted (screenshot attached). On Windows browsers, everything looks perfectly aligned. Here is my live project for reference: https://gratuitycalculatorae.com/ Screenshot from Safari (macOS): Is this related to Safari-specific CSS rendering? Should I use -webkit- specific fixes or is there a better cross-browser solution? Any guidance or best practices would be really helpful. Thanks

Hey, very strange problem I have on iOS when shared web as an app (pwa) to home screen. Whenever I use it via safari browser on iPhone, it works 100% fine every time. However, when I put it as an app on home screen, first time I open it it works fine, when i close it and reopen again, it just doesnt start recording. I have to restart my phone for it to work. So it works one time, I guess somehow it doesnt end stream or something, but in code I've tried all the possible ways to close and clean the track. tried GPT, Claude, Gemini solutions. nothing worked, it just works 1 time as PWA. my last hope is someone else encountered this issue and may try to help me ? https://pastebin.com/85i2L2vH

Hi! I'm working on a web extension for Safari and I need to send messages from the containing application to JavaScript. For this I use the method class func dispatchMessage( withName messageName: String, toExtensionWithIdentifier identifier: String, userInfo: [String : Any]? = nil ) async throws of the SFSafariApplication class. If the site is opened in Safari in normal mode, everything works as expected. However, if the site is "docked", the messages are not transmitted to this "Web App".

A DNR rule with lower priority is being applied before a DNR rule of higher priority on Safari. Specifically, a low-priority DNR block rule that matches a request is being applied before a high-priority DNR redirect rule that matches the same request, preventing the redirect from occurring. The only way to get the high-priority redirect rule to occur is to remove the DNR block rule. This does not occur on other browsers. I have already submitted a Feedback Assistant report about this bug: FB16535579 How to reproduce: Create/install a web extension on Safari with the declarativeNetRequest and declarativeNetRequestWithHostAccess permissions Open the Web Extension Background Content console and add a redirect rule with a high priority number. For example: await chrome.declarativeNetRequest.updateDynamicRules({addRules: [ {id: 5000, condition: {urlFilter: "||www.google-analytics.com*/ga.js", resourceTypes: ["script"], domainType: "thirdParty"}, priority: 80, action: {type: "redirect", redirect: {url: “http://www.apple.com/”}}} ]}) Add a block rule of lower priority for the same urlFilter: await chrome.declarativeNetRequest.updateDynamicRules({addRules: [ {id: 5001, condition: {urlFilter: "||www.google-analytics.com^", domainType: "thirdParty"}, priority: 1, action: {type: "block"}} ]}) Visit https://efforg.github.io/privacybadger-test-fixtures/html/ga_surrogate.html Check the network tab and see that neither a request to Google Analytics nor apple.com appear. This means that the request to Google Analytics was blocked instead of being / before being redirected Remove the block rule: await chrome.declarativeNetRequest.updateDynamicRules({removeRuleIds: [5001]}) Reload https://efforg.github.io/privacybadger-test-fixtures/html/ga_surrogate.html. Check the network tab and confirm that there is a request to apple.com, showing that the redirect rule is only applied if the lower-priority block rule is removed. The priority of the DNR rules should handle this without having to remove a DNR rule. I have confirmed that the incorrect application of DNR rule priority happens on other top level domains, with other urlFilters, and with other redirect URLs. I confirmed that this is happening while I’ve granted my extension permissions on all websites.

I'm running apache with following configuration. /cc require TLS client certificate / not require TLS client certificate Starting with ios 18.4, accessing /cc after / fails with following error: AH02261: Re-negotiation handshake failed, referer: https://www.example.com/... SSL Library Error: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate -- No CAs known to server for verification? It seems like ios 18.4 does not support TLS re-negotiation. (It worked with ios 18.3 and before) Is this an expected behavior or a bug?