I've observed a discrepancy in cookie consent options between iOS 18.0 and 18.1 on some websites, such as www2.hm.com. On iOS 18.0, I see "Accept All Cookies" and "Only Required Cookies" options, whereas on iOS 18.1, the options change to "Accept All Cookies" and "Cookie Settings." I would like to understand if this behavior is related to differences in how websites detect the operating system version (iOS 18.0 vs. 18.1) or browser changes within the iOS update. Has anyone else experienced similar variations in cookie consent banners, and could this be tied to differences in the user agent or website A/B testing for different OS versions? Any insights or technical clarifications would be appreciated!

Hello, I can't figure out how to set the name of a Content Blocker in the Safari extensions list. So far, the Content Blocker name in this list is the Contaning application name. I tried to set the bundle name in Info.plist and tried to locate Info.plist, without success... Since I also bundle a Safari ("chrome") extension, I have two extensions in the list, and it would be fine to display a specific name for each to make it clear for the user.

When user opens a new tab and loads a website, the declarativeNetRequest.getMatchedRules() returns nil and on reloading in the same tab it returns the URLs blocked. Is this an expected behaviour?

Hi, I had been working on an extension without any issues, running it from Xcode and debugging locally in Safari. However, without making any code changes, and after uninstalling the extension, it stopped appearing in Safari after building for local debugging. Does anyone know what might be happening or how I can clean up the system? Thanks a lot and best regards.

Hello, Is it a normal/usual/expected practice that a Mac App Store submission of a Safari extension takes 3 weeks to review? We have submitted an update for our Safari extension on September 20. Few hours after the submission we got an update stating that the submission state changed to "In Review". Since then it was a complete silence. No updates, no visibility of progress, nothing. We tried to ask Apple Developer Support for help several times and every time got a quite generic response stating that it's still in review which is not helpful considering it takes so long. We also tried to expedite the review a couple of days with no reaction so far. So I am at a bit of a loss on how to proceed. The reason we are stressing this out in several channels is this Safari extension update brings compatibility fixes for the recently released Safari 18 and we are getting customer reports that the old version is not working with Safari 18. That was expected but the hope was that review will not take 3 weeks to complete. Any advice from Apple here or anyone else how to proceed?.. Thanks!

As of Safari 18, the tabs.executeScript extension API no longer respects the frameId option passed to it, and instead just runs the script in the top frame. Try running an extension with the following contents on a page with an iFrame (chase.com puts its login form in an iFrame for example). content.js console.log("content.js loaded", location.href); // tabs.executeScript test browser.runtime.sendMessage({ type: "tabs.executeScript" }).then(() => { console.log("tabs.executeScript done"); }); // scripting.executeScript test browser.runtime.sendMessage({ type: "scripting.executeScript" }).then(() => { console.log("scripting.executeScript done"); }); background.js browser.runtime.onMessage.addListener((request, sender, sendResponse) => { if (request.type === "tabs.executeScript") { browser.tabs .executeScript(sender.tab.id, { code: 'console.log("THIS IS RUN FROM TABS.EXECUTESCRIPT", location.href);', frameId: sender.frameId, }) .then(sendResponse); } else if (request.type === "scripting.executeScript") { browser.scripting .executeScript({ target: { tabId: sender.tab.id, frameIds: [sender.frameId] }, func: () => { console.log("THIS IS RUN FROM SCRIPTING.EXECUTESCRIPT", location.href); }, }) .then(sendResponse); } }); You'll see that tabs.executeScript runs its contents in the TOP frame, no matter what the target is. Notably, scripting.executeScript DOES respect the frameId. Filed with Feedback ID FB15420092

I'm trying to build a (personal) Safari extension, which should add an HTTP header when visiting a few websites. I'm a newbie at XCode. Using XCode, the build runs and the app runs correctly (the standard boilerplate code tells me that the extension is currently off). However, the extension doesn't appear in Safari>Settings>Extensions at all, so I cannot enable the extension. There are two warnings (warnings? or errors? fatal? or not?): NSBundle file:///System/Library/PrivateFrameworks/MetalTools.framework/ principal class is nil because all fallbacks have failed Unable to create bundle at URL ((null)): normalized URL null ...I'm brand new to XCode so I don't really know whether these errors are fatal, and how to fix them if so. These warnings appear when the app runs, not during the build cycle. The plugin appears when issuing this command in Terminal: pluginkit -mAvvv -p com.apple.Safari.web-extension ...part of that response is: podnewsllc.Podnews-Security.Extension(1.0) Path = /Users/jamescridland/Library/(snip)MyApp.appex UUID = EA41(snip)3519 Timestamp = 2024-10-06 03:54:37 +0000 SDK = com.apple.Safari.web-extension Parent Bundle = /Users/jamescridland/Library/(snip)MyApp.app Display Name = MyAppName Extension Short Name = MyAppName Extension Parent Name = MyAppName Platform = macOS ...so it's visible to Safari, but it doesn't appear in Safari>Settings>Extensions. The codesign command says: --prepared:/Users/jamescridland/(snip)__preview.dylib --validated:/Users/jamescridland/(snip)__preview.dylib --prepared:/Users/jamescridland/(snip).debug.dylib --validated:/Users/jamescridland/(snip).debug.dylib /Users/jamescridland/(snip).appex: valid on disk /Users/jamescridland/(snip).appex: satisfies its Designated Requirement ... so I think it's signed correctly. Checking "Allow unsigned extensions" does not appear to change anything. I've tried running a rebuild of LaunchServices, but that hasn't fixed it. /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -kill -r -domain local -domain system -domain user My questions are: Is there a log to help me know what is going wrong? Does anyone have any idea why I can't see the extension in Safari? What next? Sorry for the dumb question.

I have noticed that tabs.onRemoved works differently in Safari 18 comparing to other browsers and Safari 17. Open a tab e.g. apple.com Take note of the active tab id using this code: browser.tabs.query({currentWindow: true, active: true}, (x) => console.log(x[0].id)) Add a listener on onRemoved: browser.tabs.onRemoved.addListener(console.log) on the active tab, navigate to e.g. https://developer.mozilla.org Take note of the active tab id again (using the same tabs.query). Expect: there should be no console.log of onRemoved. the active tab id stays the same. Actual: there is a console.log of onRemoved. the active tab id is changed. Please help. If this is a bug introduced in Safari 18, it would break a lot of JS Web extensions.

We used declarativeNetRequest.getMatchedRules() to retrieve the blocked URLs. While we do receive a list, we noticed that the URLs captured do not always reflect the ones the content blocker is actively blocking at that moment. However, upon reloading the same page, the correct URLs appear. Screenshots are attached for your reference. First load: After reload:

I have noticed that storage.local.get API works differently in Safari 18 compare to other browsers and Safari 17. browser.storage.local.set({abc: 123}) browser.storage.local.get(console.log) // {abc: 123} browser.storage.local.get({abc: null}, console.log) // expect {abc: 123} but got undefined instead. According to MDN, storage.local.get should work with an object with object names as keys and the default value as value. According to Safari 18 Release notes, this may be related to a fix: 'Fixed getting an empty key from storage. (99440265) (FB11427769)'.

We are using declarativeNetRequest.getMatchedRules() to get the matched rules' URLs. When user switches website in the same tab, it returns URLs which were blocked in the previous website also, within past 5 minutes. Is it possible to fetch getMatchedRules() only for current webpage in the same tab?

Hi, I am developing the Click & Read web add-on for Chromium, Firefox and Safari. We use xcrun safari-web-extension-converter tool to generate the Safari add-on. The build on Xcode had no meaning errors/warnings, until we had to switch to a more up-to-date MacBook (required as deprecated Mac had no support for latest macOS and thus for Xcode compatibility !). So now I build my add-on on an Apple M1 MB Air on Sequoia 15.0 with latest Xcode, but I encounter an error ? or warning ? : NSBundle file:///System/Library/PrivateFrameworks/MetalTools.framework/ principal class is nil because all fallbacks have failed Unable to create bundle at URL ((null)): normalized URL null Unable to create bundle at URL ((null)): normalized URL null Unable to create bundle at URL ((null)): normalized URL null But it doesn't prevent the add-on build to complete as I am able to open it onto Safari. Then, when loading the add-on on a test web page, I get this error on safari console: Error: Invalid call to runtime.connect(). No runtime.onConnect listeners found. BTW, the same add-on Dist works as expected on Chrome or Firefox (on macOS). So it seems the runtime listener runtime.onConnect.addListener isn't initiated on Background script... Thanks for your feedback and help

My Safari extension has a WKWebView in the main app and an HTML popup window in Safari. For some reason, both are in dark mode on visionOS, even though the device environment is light and Safari tabs are also showing light mode. Why does this happen, and how can I change it?

So recently Intune add support for controlling safari web extension enablement using the new ddm configuration added in Macos 15, but unfortunately I can't make it work no matter what I try. On the destination machine I see the that a user declaration for safari extension has been created, but there is not details on which extension they applied and it seems faulty (See attachment) I have 2 questions: Has anyone managed to make it work? Is there a way to test this declaration like I can do with Mobile config by manually load it to the machine? Thank you.

We are encountering an issue where the Safari extension we are developing stops working while in use on relatively new iOS versions (confirmed on 17.5.1, 17.6.1, and 18). Upon checking the Safari console, the content script is displayed in the extension script, so the background script or Service Worker must be stopping. The time until it stops is about 1 minute on 17.5.1 and about one day on 17.6.1 or 18. When it stops, we would like to find a way to restart the Service Worker from the extension side, but we have not found a method to do so yet. To restart the extension, the user needs to turn off the corresponding extension in the iPhone settings and then turn it back on. As mentioned in the following thread, it is written that the above bug was fixed in 17.6, but we recognize that it has not been fixed. https://forums.developer.apple.com/forums/thread/758346 On 17.5.1, adding the following process to the background script prevents it from stopping for about the same time as on 17.6 and above. // Will be passed into runtime.onConnect for processes that are listening for the connection event const INTERNAL_STAYALIVE_PORT = "port.connect"; // Try wake up every 9S const INTERVAL_WAKE_UP = 9000; // Alive port var alivePort = null; // Call the function at SW(service worker) start StayAlive(); async function StayAlive() { var wakeup = setInterval(() => { if (alivePort == null) { alivePort = browser.runtime.connect({ name: INTERNAL_STAYALIVE_PORT }); alivePort.onDisconnect.addListener((p) => { alivePort = null; }); } if (alivePort) { alivePort.postMessage({ content: "ping" }); } }, INTERVAL_WAKE_UP); } Additionally, we considered methods to revive the Service Worker when it stops, which are listed below. None of the methods listed below resolved the issue. ① Implemented a process to create a connection again if the return value of sendMessage is null. The determination of whether the Service Worker has stopped is made by sending a message from the content script to the background script and checking whether the message return value is null as follows. sendMessageToBackground.js let infoFromBackground = await browser.runtime.sendMessage(sendParam); if (!infoFromBackground) { // If infoFromBackground is null, Service Worker should have stopped. browser.runtime.connect({name: 'reconnect'}); // ← reconnection process // Sending message again infoFromBackground = await browser.runtime.sendMessage(sendParam); } return infoFromBackground.message; Background script browser.runtime.onConnect.addListener((port) => { if (port.name !== 'reconnect') return; port.onMessage.addListener(async (request, sender, sendResponse) => { sendResponse({ response: "response form background", message: "reconnect.", }); }); ② Verified whether the service worker could be restarted by regenerating Background.js and content.js. sendMessageToBackground.js export async function sendMessageToBackground(sendParam) { let infoFromBackground = await browser.runtime.sendMessage(sendParam); if (!infoFromBackground) { executeContentScript(); // ← executeScript infoFromBackground = await browser.runtime.sendMessage(sendParam); } return infoFromBackground.message; } async function executeContentScript() { browser.webNavigation.onDOMContentLoaded.addListener((details) => { browser.scripting.executeScript({ target: { tabId: details.tabId }, files: ["./content.js"] }); }); } However, browser.webNavigation.onDOMContentLoaded.addListener was not executed due to the following error. @webkit-masked-url://hidden/:2:58295 @webkit-masked-url://hidden/:2:58539 @webkit-masked-url://hidden/:2:58539 ③ Verify that ServiceWorker restarts by updating ContentScripts async function updateContentScripts() { try { const scripts = await browser.scripting.getRegisteredContentScripts(); const scriptIds = scripts.map(script => script.id); await browser.scripting.updateContentScripts(scriptIds);//update content } catch (e) { await errorLogger(e.stack); } } However, scripting.getRegisteredContentScripts was not executed due to the same error as in 2. @webkit-masked-url://hidden/:2:58359 @webkit-masked-url://hidden/:2:58456 @webkit-masked-url://hidden/:2:58456 @webkit-masked-url://hidden/:2:58549 @webkit-masked-url://hidden/:2:58549 These are the methods we have considered. If anyone knows a solution, please let us know.

declarativeNetRequest.getMatchedRules() gives us the below error: Error retrieving tabs or matched rules: – Error: Invalid call to declarativeNetRequest.getMatchedRules(). The 'activeTab' permission has not been granted by the user for the tab. We have added the "activeTab" permissions in the manifest (version 2). And in the device Safari extension settings we see that user has given permission as "allow".

Hi, I am having issue with WebAssembly not able to load wasm file on Safari web extension. It is showing CompileError: Refused to create a WebAssembly object because 'unsafe-eval' or 'wasm-unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'wasm-unsafe-eval'". It was working fine 2 month ago, my original CPS is "script-src 'self' 'unsafe-eval'". But now it is not accepting 'unsafe-eval', I also tried 'wasm-unsafe-eval' did not work. Is there any changes on Safari browser regarding the CSP for WebAssenbly? Please let me know what CPS value will work. Here is the example code on how I load the WebAssembly wasm file. fetch('test_wasm_lib.wasm') .then(response => { if (!response.ok) throw new Error('Network response was not ok'); return response.arrayBuffer(); }) .then(bytes => WebAssembly.instantiate(bytes)) .then(results => { // Use your WebAssembly instance here console.log('load wasm success') }) .catch(error => { console.error('Error loading WASM:', error); });

It seems Safari 18's fetch() does not include credentials even credentials: include and safari extension has host_permissions for that domain. Is there anyone has this problem? I try to request in popup.js like this: const response = await fetch( url, { method: 'GET', mode: 'cors', credentials: 'include', referrerPolicy: 'no-referrer', } ); and it does not include the cookie from host_permissions. Those code worked in Safari 17 (macOS Sonoma).

I am building Safari extension. In my background script I am setting badge text and title like this: browser.action.setBadgeText({text: badgeText, tabId: tabId}); browser.action.setTitle({title: badgeText + " found images", tabId: tabId}) , where tabId is correct id of current tab. I was expecting that in this way I am setting a different badge and title for different tabs, so that badge and title would automatically switch if I activate different tab. However this does not happen, badge and title behave as if set globaly and don't change with tabs. How is this expected to work? I have also tried to set badge globally, and update it every time user switches a tab. I have set up listener like this: browser.tabs.onActivated.addListener(function(actInfo) { console.log("switched tab to " + actInfo.tabId); }); , however the event never fires, tab switch is never logged in console. Am I doing something wrong here? This is my manifest, if there was a problem with permissions or something similar. { "manifest_version": 3, "default_locale": "en", "name": "Test", "description": "Test Extension", "version": "1.0", "icons": { "48": "images/icon-48.png", "96": "images/icon-96.png", "128": "images/icon-128.png", "256": "images/icon-256.png", "512": "images/icon-512.png" }, "action": { "default_title": "a test title", "default_popup": "popup/hello.html", "default_icon": { "16": "images/toolbar-icon-16.png", "19": "images/toolbar-icon-19.png", "32": "images/toolbar-icon-32.png", "38": "images/toolbar-icon-38.png", "48": "images/toolbar-icon-48.png", "72": "images/toolbar-icon-72.png" } }, "web_accessible_resources": [ { "matches": ["*://*/*"], "resources": ["images/*", "css/*", "scripts/lib/*"] } ], "background": { "service_worker": "scripts/background.js", "type": "module" }, "content_scripts": [ { "js": [ "scripts/content.js" ], "matches": [ "http://*/*", "https://*/*" ], "css": ["css/style.css"], "run_at": "document_end" } ], "permissions": [ "nativeMessaging", "tabs" ] }

Is it possible to enable/disable the enabled flag before the extension is loaded? we want to have a button in our app which controls the availability of the content blocker ruleSet in declarative_net_request in manifest (version 2). "declarative_net_request": { "rule_resources": [ { "id": "ruleset_1", "enabled": true, "path": "ruleset_1.json" } ] },