I am developing an SSO Extension so that I can have SSO with Keycloak across applications. OIDC/OAuth2 works very well. But I am struggling with SAML. It works, but it seems that the form submission is always triggered twice. I use decisionHandler(.cancel) to stop the form submission and redirect it to the browser. I still get the form submitted both by the extension and by the browser. At some point I tried to allow the form submission in the Extension so that I get the redirect with the response to the browser. It still triggered another submission. Does anyone experience this issue?

Is there any supported mechanism in Safari Web Extensions (MV3) for capturing or logging network request data (like fetch, XHR, or webRequest) triggered by the web page?

我使用Apple Pay on the Web Interactive Demo构建了一个web应用使用的是Payment Request API方式，但是遇到了几个问题： 拉起的web Apple Pay 底部一直转圈圈无法付款，这个是什么问题？ 如何设置sandbox测试付款呢？ 如何异步、同步获取支付结果（后端代码获取支付结果）？demo只有await response.complete("success");前端代码获取支付结果的操作 demo网址: https://shop.wowseer.com/rsolomakhin/pr/applepay/

There is no problem with the content display of each tab, but the tab bar is completely buggy. If you open 5 or more tabs and browse tabs after the 5, the first 4 tab bars will be completely blacked out, and you don't even know how many tabs you have. If you click on the place where the tab title probably exists, the tab is displayed as if the partial display of the tab bar has been restored. There is no problem with content display. But because it is unclear what tab is open, the browsing experience is at its lowest. If you switch to the tab after the 5th, the first 4 will return to the blackout state again. Of course, it is the latest software configuration at the moment. There is no shortage of memory at 24GB. I recently started developing a Safari extension with AppExtension, but is that due to it?

Could somebody provide hello world example of Safari Extension which is able to call on-device Foundation Model (Apple Intelligence)? I cannot find any examples yet

After updating to iOS 18.4, our web application (with service workers) crashes on devices that accessed it prior to the update. This issue also affects hybrid mobile apps using the same web application; reinstalling the app resolves it by refetching and reinstalling service workers. Debugging is challenging because clearing the cache or reinstalling the app fixes the problem, and no useful error logs are available. Has anyone encountered similar crashes related to service workers after an iOS update and have any insights into the cause?

Video in Landscape takes 2 taps on X to close.This issue can be replicated on iphone 14 ios 18.5.There is no issue on iPhone 15 ios 18.5.

There is webview use in native MacOS app, there white lines on edges of webview you can observe, they are flickering if do resize the app window. i would like to get rid of them. i need help, thanks.

window.location.href = "tel:02-xxxx-xxxx" Can the development team modify the screen text? Or can the country code be erased? What are the reasons for continuing to be "on the phone" if the country code is automatically attached to the phone like this?

Hello, I’m working on a cross-origin WebAuthn implementation where a parent page embeds an iframe from a different origin to perform authentication. According to the WebAuthn Level 3 spec (Section 7.1.1), when crossOrigin is true, the clientDataJSON may include topOrigin—but Safari does not seem to populate this field. Observed Behavior: Chrome/Firefox: Include topOrigin in clientDataJSON when crossOrigin: true. Safari (macOS/iOS): Omits topOrigin even though crossOrigin is correctly set to true. Example clientDataJSON from Safari: { "type": "webauthn.get", "challenge": "...", "origin": "https://iframe-origin.example.com", "crossOrigin": true // Missing `topOrigin` (expected: parent origin) } Questions: Is this an intentional omission in Safari for privacy/security reasons? Are there specific requirements (e.g., HTTP headers, permissions policies) needed for Safari to expose topOrigin? Is there a known workaround to reliably obtain the top-level origin in cross-origin WebAuthn flows? System Info: Version 18.4 (20621.1.15.11.10) OS: Sequoia Version 18.4 (20621.1.15.11.10) Reproduction Steps: Parent page (https://parent.example.com) embeds an iframe (https://webauthn-rp.example.com). The iframe calls navigator.credentials.get() with a WebAuthn challenge. Safari returns clientDataJSON with crossOrigin: true but no topOrigin. Code Snippet (iframe): const credential = await navigator.credentials.get({ publicKey: { challenge: new Uint8Array(/* ... */), rpId: 'webauthn-rp.example.com', allowCredentials: [], hints: [], userVerification: "preferred", } }); console.log(JSON.parse(atob(credential.response.clientDataJSON))); Has anyone encountered this? Any insights would be greatly appreciated!

I'm trying to download mods for Stardew Valley, before the beta it worked but now it doesn't. Is there anyone who can help to fix this? Used Firefox and Safari as well as Safari on my ipad.

When our Safari Web Extension makes a api request from its background script (registered via "scripts" in manifest.json, e.g., "background": { "scripts": ["js/background.bundle.js"] }) to our authenticated API endpoint (https://api-domain/user), the Cookie header is not included in the request. This occurs only when the extension is running within a non-default Safari User Profile. This causes our API to treat the user as unauthenticated. The exact same extension code, manifest, and API call work correctly (Cookie header is present and user is authenticated) when the extension is running in the Default Safari User Profile.

Hello, most of the time I can scan my QR code which is associated with my website and my app clip launches. But some few times I've noticed the URL just opens to that URL in safari. I have had this app clip live for months now so should not be the normal 3 day or so wait. The app clip status is validated for debug and cache in build metadata. When I run diagnostics on my iPhone it says the URL is too long but the data reads every time the app clip is launched so I think that should be okay. My suspicion is that the URL I use hits my server and redirects to the actually app clip url. So I'm this might be causing the hiccup. But why so infrequently then? Only when the app clip fails to launch and I open the URL in safari do I see analytics from my server saying the QR URL was hit and had a status code 302 which redirects to a 404. (since that would be the app clip URL) So wondering if there is a way I can reproduce this issue and then resolve it :D

SwiftUI List Accessibility VoiceOver

An Administrator account is executing safaridriver --enable but it doesn't apply to other standard user accounts and standard accounts can't enable it directly. Is this expected behavior? How can standard users make use of safaridriver?

Dears, We are facing some issue in ios 18.4.1. Recently some of our end users who updated their ios devices to 18.4.1 have experienced random 403 errors in runtime. as per our analysis, We identified that these errors are associated with "CSRF token mismatch". After successful login, the user's CSRF token is causing issue and it was changed in runtime, this causes the cookie mismatch, and the users is getting 403 errors, and the user session is getting invalid suddenly. let me know if anyone facing the same issue in ios 18.4.1 and let me know Is there any workaround for this issue. Thanks.

Hello all, As you may know, the company ProofPoint is an Apple partner, and is engaged (I think) to reduce misuse of icloud emails. We have two servers solely set up for our web-app, which is a specialised forum for apartment owners. The new servers were established about the same time, with the same provider, with clean new IP addresses - and as mentioned above, are only used for this web-app. During a testing phase a YEAR ago, we became aware that our in-house icloud emails weren't receiving notifications via the app, and further investigations revealed that the cause was that ProofPoint had placed a block on that server's IP. We immediately, via their website form initiated a Support Ticket, which, the site indicated was lodged, BUT we have never received any response to that Ticket, nor have we received any response to four subsequent Tickets we initiated - nothing. In over a year!! Yesterday, we contacted Apple support, but the devices area of support is the main section and they said it wasn't an issue they could assist with. Some relevant matters: SPF: DKIM: DMARC: are, I believe all configured correctly (and Gmail gives a PASS to all of them). The IP is not blacklisted by any list we are aware of. Our other server's IP isn't blocked by ProofPoint. So, literally at wits end, I'm reaching out to the developer subscribers here to see if they have any suggestions for us. We currently are unable to accept any new subscriber that is using an icloud email address, and that's an absurd situation to be in. Surely we don't have to go to the trouble and inconvenience of obtaining a new IP because of this!!! But when we can't get ANY response to the Support Tickets, it's really hard. Thanks

Hi Apple Devs & WebKit Team, We operate https://excnum.com — a personal website currently under reconstruction. It's HTTPS-secure, hosted on a clean VPS, and now features a simple placeholder page with no active forms, scripts, or external redirects. However, Safari on both iOS and macOS is flagging it as a “deceptive website”, blocking all access. This warning appears even though: The site uses a valid SSL certificate via Cloudflare There are no redirects, tracking scripts, or dynamic code We serve a static landing page (“under maintenance”) with zero interaction No malware, phishing, or obfuscation exists — verified with multiple tools A review request has already been submitted at: https://websitereview.apple.com We believe the site may have been blacklisted previously under past ownership or prior configurations. It has since been completely restructured and cleared, but the Safari warning persists. This false flag is harming visibility and trust for an otherwise neutral website. Any advice on how to expedite re-evaluation or request a manual delisting from the deceptive site list would be much appreciated. Thank you! — Alex Admin, EXCNUM.COM

It‘s called Track Configuration API found in the iOS 26.0 Public Beta 5. No explanation anywhere on the web Or release notes, it’s not mentioned anywhere. I‘m very interested in new tracking innovations. And another small thing I‘ve never found out, what is „fingerprint related quirk“ is that an insider joke Or something? I don‘t know it‘s actions. Thank you for answering

Hi, when I display an HTML page with a on Safari iOS, I get a nice UI. Great! At the first look I see a video frame with an arrow-in-a-circle button in the middle. Very nice. I click on the arrow and I get a fullscreen view while the video begins to play. I watch the video then I pause it then I click on the top-left x button. So I go back to my html page and the video is perfectly there as it was before. But, there is an annoying new detail. The video frame is really dark, it still presents all the controls and a "different" arrow button to play it again. In other words that nice video-frame, that nice picture, is not longer visible on the page. That nice page with nice pictures has now an almost-black rectangle. Too bad. Sure I can click on the video (outside the controls) then the controls and the black overlaying frame disappear. I can see that nice picture again. Finally. Well, but the arrow-in-a-circle button to play the video disappeared. Now the user cannot longer understand that's a video to play. It looks just like any other pictures to admire statically. Is any way to get the previous first look of the video? The one clear, with the current frame and the arrow-in-a-circle look?