https://developer.apple.com/design/human-interface-guidelines/apple-pay#Displaying-a-website-icon This tells us to: If your website supports Apple Pay, provide an icon in the following sizes for use in the summary view and the payment sheet: But doesn’t tell us how to do that. Please advise what steps we need to take to make this happen. I've seen from both Stack Overflow and a developer support email that this is supposed to come from standard website "favicons", but I have these in place, and still no icon is appearing on the payment sheet. So, I guess I need a very detailed answer to exactly what name/size/shape is required. I have the following HTML in my page <head>, and the images referenced are found and do load when accessed directly: <link rel="apple-touch-icon" sizes="120x120" href="/payment/htdocs/images/logo--azmvdnow-blue-60x60@2x.png" /> <link rel="apple-touch-icon" sizes="180x180" href="/payment/htdocs/images/logo--azmvdnow-blue-60x60@3x.png" /> (An earlier, unanswered question that seems to be asking the same thing: https://developer.apple.com/forums/thread/723419 )

Typically, you can use the @@extension_id special string to reference the absolute path into the bundled resources of an extension, such as an image or a custom font, in a CSS file. However, this broke with Safari 18. Consider this section in a popup.css file: .card-icon { height: 16px; width: 20px; background-image: url(safari-web-extension://__MSG_@@extension_id__/images/card.svg); background-size: 20px 16px; } In Safari 17.4, once loaded in the browser, @@extension_id is replaced with E8BEA491-9B80-45DB-8B20-3E586473BD47, and the background-image reads as so: background-image: url(safari-web-extension://E8BEA491-9B80-45DB-8B20-3E586473BD47/images/card.svg); But as of Safari 18, the @@extension_id just collapses to an empty string, and the background-image reads as so: background-image: url(safari-web-extension:///images/card.svg); and the svg fails to load with the following error: "Failed to load resource: You do not have permission to access the requested resource." This is a regression, does to match the behavior of the other major browsers, and should be fixed. Filed with Feedback ID: FB15104807

Shape Detection is a experimental feature on Safari/WebKit and can be enabled via feature flags in preferences. Is there a way to enable it when using a WkWebView in my ios app?

I have a sample iOS app in Xcode that I run in the iOS 17.5 Simulator. It creates a WKWebView and configures a proxy via the ProxyConfiguration API, it works as expected unless the proxy tries to establish mTLS. It seems there is no way to handle the client certificate request when using a proxy. If I navigate to a page that requests mTLS without a proxy configured, it works as expected. Here is a minimal repro: #import "ViewController.h" #import &lt;WebKit/WebKit.h&gt; @import Foundation; @import WebKit; @interface ViewController () &lt;WKNavigationDelegate&gt; @property (nonatomic,strong) WKWebView* webView; @property (nonatomic, strong) WKWebViewConfiguration * webConfig; @end @implementation ViewController - (void)loadView { [super loadView]; nw_protocol_options_t tls_options = nw_tls_create_options(); sec_protocol_options_t sec_options = nw_tls_copy_sec_protocol_options(tls_options); sec_protocol_options_set_challenge_block( sec_options, ^(sec_protocol_metadata_t metadata, sec_protocol_challenge_complete_t challenge_complete) { NSLog(@"Inside of challenge block"); challenge_complete(nil); }, dispatch_get_main_queue()); nw_endpoint_t proxy_endpoint = nw_endpoint_create_host(GetHost(), GetPort()); nw_relay_hop_t relay = nw_relay_hop_create(nil, proxy_endpoint, tls_options); nw_proxy_config_t proxy_config = nw_proxy_config_create_relay(relay, nil); nw_proxy_config_add_match_domain(proxy_config, "api.ipify.org"); self.webConfig = [[WKWebViewConfiguration alloc] init]; self.webConfig.websiteDataStore = [WKWebsiteDataStore nonPersistentDataStore]; self.webConfig.websiteDataStore.proxyConfigurations = @[ proxy_config ]; self.webView = [[WKWebView alloc] initWithFrame:self.view.frame configuration:self.webConfig]; self.webView.navigationDelegate = self; [self.view addSubview:self.webView]; } - (void)viewDidLoad { [super viewDidLoad]; NSLog(@"%s",__func__); NSURL* url = [[NSURL alloc] initWithString:@"https://api.ipify.org"]; NSURLRequest* request = [[NSURLRequest alloc] initWithURL:url]; [self.webView loadRequest:request]; } - (void)webView:(WKWebView *)webView didStartProvisionalNavigation:(WKNavigation *)navigation { NSLog(@"%s",__func__); } - (void)webView:(WKWebView *)webView didFailProvisionalNavigation:(WKNavigation *)navigation withError:(NSError *)error { NSLog(@"%s. Error %@",__func__,error); } - (void)webView:(WKWebView *)webView didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler { NSLog(@"%s",__func__); NSLog(@"protection space: %@", challenge.protectionSpace.authenticationMethod); completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil); } @end The logs for this code show: -[ViewController viewDidLoad] -[ViewController webView:didStartProvisionalNavigation:] -[ViewController webView:didFailProvisionalNavigation:withError:]. Error Error Domain=NSURLErrorDomain Code=-1206 "The server “api.ipify.org” requires a client certificate." If we don't set up the ProxyConfiguration and navigate to a site that requires mTLS, the logs look like this: -[ViewController viewDidLoad] -[ViewController webView:didReceiveAuthenticationChallenge:completionHandler:] protection space: NSURLAuthenticationMethodServerTrust -[ViewController webView:didReceiveAuthenticationChallenge:completionHandler:] protection space: NSURLAuthenticationMethodClientCertificate -[ViewController webView:didStartProvisionalNavigation:] //... Eventually the request fails but the key difference is that didReceiveAuthenticationChallenge was invoked. When using the ProxyConfiguration neither that function nor the block we set via sec_protocol_options_set_challenge_block were run. I also tried to provide the client identity via sec_protocol_options_set_local_identity to no avail, and I've tried configuring these options too but they had no effect sec_protocol_options_add_tls_application_protocol(sec_options, "h2"); sec_protocol_options_set_max_tls_protocol_version(sec_options, tls_protocol_version_TLSv13); sec_protocol_options_set_peer_authentication_required(sec_options, true); Am I missing something? Or is this a bug in the ProxyConfiguration API?

We are going through the process of changing the name of our organization in the Apple Developer Program due to a organization legal entity change. We provide Apple Pay mass enablement certificates to our clients (Apple Pay Merchant Identity and Apple Pay Payment Processing). Since the organization name is embedded into the certificate as part of the Subject, my question is: Will changing the organization name invalidate the existing certificates in any way? Or cause issues when renewing the certificates?

My app Frax has long used a mechanism where a local webpage calls out to web-hosted content. In iOS 17.5+ (and iOS 18 beta) this has recently stopped working. The content fails to load, and the console log (running on iOS 17.6.1) contains: nw_application_id_create_self NECP_CLIENT_ACTION_GET_SIGNED_CLIENT_ID [80: Authentication error] Failed to resolve host network app id followed shortly by: Error acquiring assertion: <Error Domain=RBSServiceErrorDomain Code=1 "((target is not running or doesn't have entitlement com.apple.developer.web-browser-engine.rendering AND target is not running or doesn't have entitlement com.apple.developer.web-browser-engine.networking AND target is not running or doesn't have entitlement com.apple.developer.web-browser-engine.webcontent))" UserInfo={NSLocalizedFailureReason=((target is not running or doesn't have entitlement com.apple.developer.web-browser-engine.rendering AND target is not running or doesn't have entitlement com.apple.developer.web-browser-engine.networking AND target is not running or doesn't have entitlement com.apple.developer.web-browser-engine.webcontent))}> 0x128024480 - ProcessAssertion::acquireSync Failed to acquire RBS assertion 'XPCConnectionTerminationWatchdog' for process with PID=9736, error: (null) This same code has worked reliably for years, and continues to work properly under iOS 16 and earlier. But there are increasing reports of this new error showing up around the web. Nothing in recent iOS 17 release notes sheds any light on what might have changed, and all my efforts to troubleshoot or mitigate this issue have failed. Any help on how to solve or work around this would be greatly appreciated!

Hello! We have been testing the upcoming Safari 18 on macOS 15 Sequoia betas and noticed one inconsistent detail about Safari Web Extensions support compared to other browser which implement Web Extensions (Chrome, Edge, Firefox). Background We have a Safari Web extension which is monitoring navigation events using browser.tabs.onUpdated API. navigation event subscription code sample browser.tabs.onUpdated.addListener((tabId, changeInfo, details) => { onTabUpdated(tabId, changeInfo, details) }); navigation event handling code sample onTabUpdated(tabId, changeInfo, details) { console.log(`onTabUpdated: ${tabId}`, changeInfo, details); // check URL in the tab for safety } }); If the extension detects that the user navigates to an unsafe URL, it redirects the user to a page hosted by the extension. It's an HTML resource from the extension bundle. The extension is using browser.tabs.update API to redirect a specific tab to an internal page. const internalPage = browser.runtime.getURL("popup.html"); browser.tabs.update(tabId, { url: internalPage }); Discovered problem When we use browser.tabs.update API browser.tabs.update(tabId, { url: internalPage }); to redirect the user from an unsafe page, we notice that the redirected tab changes its identifier. We know that is the case because we see another API firing. It's called browser.tabs.onReplaced. We have a similar subscription for those events. When the page is redirected, the onTabReplaced handler is firing and informs us about the tab ID change after the redirect. onTabReplaced(addedTabId, removedTabId) { console.log(`onTabReplaced: ${removedTabId} -> ${addedTabId}`); } This is problematic for us in several ways: The extension keeps track of the tab ID so that when the embedded HTML page is loaded, it can still tell the user about the original URL that was blocked. The behavior observed in Safari 18 breaks current expectations of our code and breaks the functionality of our extension. This behavior is specific to Safari 18. Safari 17 does not behave this way which means that we will need to deploy an update to our Safari extension to mitigate that bug on the upcoming Safari version. Moreover, this behavior is not observed in other browsers which implement Web Extensions standard (Chrome, Edge, Firefox). All these browsers preserve the tab ID after redirect. That is a problem for us as we run the same code in all 4 browsers that we support. This will cause increase of code complexity to cover Safari as an exception out of common rule. Environment Safari version 18.0 (20619.1.26.31.6) and all prior Safari 18 betas. issue does not happen on Safari 17. macOS 15 beta 8 (24A5331b) and all prior macOS 15 betas. issue has been successfully reproduced on macOS 14 with Safari 18 betas which points to the fact that the issue is not exclusive to macOS 15. Safari 18 brings the faulty logic. The issue has been confirmed and reproduced in a sample Xcode prowejt provided by Apple called "Sea Creator". So the issue is not specific to a single extension. Feedback case FB14975378. It contains sample code, the full Xcode project, screenshots and sysdiagnose. Any advice or assistance is highly appreciated!

I'm developing a ScreenSaverView which uses WKWebview internally. This screensaver responsds to mouse events, and I'm using a helper app which is granted Accessibility permissions to watch mouseEvents and then serializes them to the Screen Saver, where they are recreated and send to the WKWebView. This all works fine - the WKWebView can respond to mouseDown, mouseUp, MouseDrag, scrollWheel (etc.) events. The one exception is that mouseMoved events are ignored. I see a similar issue posted here: https://stackoverflow.com/questions/17057254/when-webview-is-added-to-a-specific-view-in-nswindow-hover-stops-working-how?rq=2 but that's from 2016 so not sure if it's relevant. Things I've tried: adding a NSTrackingArea to the WKWebView setting the parent NSWindow.acceptsMouseEvents = true

We have an iOS Safari extension currently distributed via Testflight. I’ve noticed that after an indeterminate period of time (sometimes days, sometimes weeks) our safari extension will stop working. It will need to be turned on again from the system general -> safari -> extensions menu. This is occurring on both iPhones and iPads running 17.6.1. Is there any condition that will cause the system to disable a safari extension, requiring the user to reopen iOS settings to re-enable?

Hello there, We are having a problem when trying to repdorucir videos with videojs in a webview on devices with iOS older than 17.4. When playing them you see that the player restarts several times until crashing the webview. This are the xcode logs when this happens: Error acquiring assertion: <Error Domain=RBSServiceErrorDomain Code=1 "(originator doesn't have entitlement com.apple.runningboard.assertions.webkit AND originator doesn't have entitlement com.apple.multitasking.systemappassertions)" UserInfo={NSLocalizedFailureReason=(originator doesn't have entitlement com.apple.runningboard.assertions.webkit AND originator doesn't have entitlement com.apple.multitasking.systemappassertions)}> 0x114029980 - ProcessAssertion::acquireSync Failed to acquire RBS assertion 'WebKit Media Playback' for process with PID=64167, error: Error Domain=RBSServiceErrorDomain Code=1 "(originator doesn't have entitlement com.apple.runningboard.assertions.webkit AND originator doesn't have entitlement com.apple.multitasking.systemappassertions)" UserInfo={NSLocalizedFailureReason=(originator doesn't have entitlement com.apple.runningboard.assertions.webkit AND originator doesn't have entitlement com.apple.multitasking.systemappassertions)} 0x1140180c0 - [PID=64164] WebProcessProxy::didClose: (web process 0 crash) 0x1140180c0 - [PID=64164] WebProcessProxy::processDidTerminateOrFailedToLaunch: reason=Crash

After iOS 17.4, Passkey Autofill stopped working inside ASWebAuthenticationSession. iOS 17.5 re-enabled users to pick passkeys if they tap "🔑" icon on right bottom of keyboard and opened Safari password manager. However, it still doesn't recommend passkeys on the first view. Even on the latest iOS 18.0 developer beta, the behaviour is not fixed yet.

App / Universal Linking works fine on the "normal" web browser (applies to chrome and safari) however once the page is accessed via "incognito/private" modes app / universal linking redirects the user to the app store instead of the installed application. TLDR: App / Universal Linking doesn't work properly on "Incognito" Mode

Can not select anything within WkWebView editor view of my MacCatalyst app when running on macOS 14 Sonoma. Any selection gesture or command key fails to select anything in content editable WKWebView, so none of the Editor tools can be activated. My application uses the nnhubbard / ZSSRichTextEditor WKWebView-based Rich Text Editor: https://github.com/nnhubbard/ZSSRichTextEditor. The app is built with Xcode 15.0 or 15.0.1. The app is a Catalyst app that implements an editor view with a ZSSRichTextEditor WKWebView. The problem does not occur if the the app is run in iOS or macOS 11, 12, or 13 (Catalina, Monterey, or Ventura.) The issue only occurs in macOS 14 Sonoma.

Unable to create a cookie using WebKit API or manually create a cookie in Safari with SameSite=None on a device using iPadOS 18 beta. In Safari, the None option is still in the drop down as a selection for SameSite which leads me to believe this is a bug. Is this going to be fixed in the release version of iOS 18?

Hey, Im trying to utilize the new DDM features introduce in Safari 18 & macOS 15 and enabling extension using my MDM (Intune in my case). For some reason, it doesn't seems to work on my mac machine running macOS 15 beta. Intune support claims that everything is configured as it should on their end, and there is a problem with device or configuration. I used Apple documentation and the configuration YAML in apple device management repo So I don't really sure what I am missing. Has someone managed to make it work using MDM (intune, jamf, etc')? And if so can he shared the configuration? Thanks.

Hey everyone, Back in 2022 and 2023, we noticed that some images on our web pages would disappear randomly. After refreshing, some of the images that were missing would appear, but then another image would go missing. Did anyone else experience this issue? Is there a fix / workaround I can use? This only seems to be an issue on iOS devices and images that have the loading=“lazy” attribute.

iOS 18 beta have issue when we load html string having secure media remote images those are unable to load on web view. shing question mark in place of images.

Check the attached screenshot, web inspector shows the right element size and position, but Safari renders it in a wrong place. The element reacts on mouse events also correctly - according to its real position. Here you can find the live example https://3dflipbook.net/css-layer-highlight This is a regression issue, it was working fine in 15.6. Bug tracker: https://bugs.webkit.org/show_bug.cgi?id=278898 Please fix the issue.

version: iOS 16.4(20E5239a) both on my iphone and Simulator，Safari -> develop shows "no inspectable applications"

I shield a web domain picked by users like this (discouragedSelections is an instance of FamilyActivitySelection() btw) : let webDomainTokens = discouragedSelections.webDomainTokens store.shield.webDomains = webDomainTokens The domain is correcly shielded and I can see the restricted screen when I access it via Safari. When I tap on the main button of that restricted view, I receive a different token than the one I got from .webDomainTokens from the code above. Why? override func handle(action: ShieldAction, for webDomain: WebDomainToken, completionHandler: @escaping (ShieldActionResponse) -> Void) { // webDomain here is different from the one in store.shield.webDomains }