iOS 26 introduced a significant step back for PWAs - you now need at least five taps to add a PWA to your home screen. Android has excellent PWA support - it takes 1 tap to install an app, and the platform support is great, and web apps feel amazing. The gap between the platforms has now increased even further. My team and I were hoping for better PWA support, but now we are very worried about the direction - it puts us in a difficult situation. I'm sure many developers face a similar challenge. What's the current status of PWAs in iOS? Is Apple aiming to improve its support in the near future? Is there a roadmap, tech previews, or betas addressing the issue?

I'm having issues with opening up role="link". links in wkwebview. Is there a way in my decideforpolicy to allow these links to open up in the current webview vs another window like a traditional web browser does? Thank you ahead of time.

I'm trying to use DNR to force safe search with Qwant search engine. Under certain circumstances (scenario described below) the search is performed with an API which contains the safe search level in a URL parameter. A typical query URL is https://api.qwant.com/v3/search/web?q=test&count=10&locale=fr_FR&offset=0&device=desktop&tgp=1&safesearch=0&displayed=true&llm=true. I want a DNR rule to force safesearch to be 2 (= strict) (from some javascript code) : { id: 1, priority: 1, action: { type: 'redirect', "redirect": { "transform": { "queryTransform": { "addOrReplaceParams": [{ "key": "safesearch", "value": "2" }] } } } }, condition: { "urlFilter": "api.qwant.com/v3/search", "resourceTypes": ["xmlhttprequest"] }, } When this rule is activated, I end up with a URL with the original safesearch parameter AND the forced one : https://api.qwant.com/v3/search/web?q=test&count=10&locale=fr_FR&offset=0&device=desktop&tgp=1&safesearch=0&displayed=true&llm=true&safesearch=2. To reproduce this request (with the previous DNR rule in place) : navigate to https://www.qwant.com search for some string (test in my case). This displays the list of results ; click the engine button at the top right to display the settings pane ; inspect network request performed by this page ; change the Adult filter in the list -> the results are automatically updated with the new settings. The web request shows URL with the 2 safesearch parameters. I already used addOrReplaceParams in 'standard' contexts (main_frame) and it works just fine. Any hint on what goes on ? Thank you.

Hi. I'm a developer of Tab Finder (https://apps.apple.com/us/app/tab-finder/id6741719894) My problem is that every time i switch from my first window to a second window, the tabs in the validateToolbarItem() are INcorrect on a first call, but when I switch back from the second window to my main window, the tabs are CORRECT even on a first call. To demonstrate it, i recorded a video: https://youtu.be/RwskzrSJ8u0 To run the same sample extension from the video, you can get the code from this GitHub repo: https://github.com/kopyl/test-tabs-change Its only purpose is to log URLs of an active page of all tabs. The SafariExtensionHandler's code of the sample app is very simple: import SafariServices func printOpenTabsHost(in window: SFSafariWindow) async { let tabs = await window.allTabs() log("Logging tabs for a new window: \(window.hashValue)") for tab in tabs { let page = await tab.activePage() let properties = await page?.properties() let url = properties?.url log(url?.absoluteString ?? "No URL") } } class SafariExtensionViewController: SFSafariExtensionViewController { static let shared = SafariExtensionViewController() } class SafariExtensionHandler: SFSafariExtensionHandler { override func validateToolbarItem(in window: SFSafariWindow, validationHandler: @escaping ((Bool, String) -> Void)) { Task { await printOpenTabsHost(in: window) } validationHandler(true, "") } override func popoverViewController() -> SFSafariExtensionViewController { return SafariExtensionViewController.shared } } Could you please tell if i'm missing something and how to see the actual tabs inside the overridden validateToolbarItem call of the SafariExtensionHandler (or in any other way, I'm okay with any implementation as long as it works).

Hello all, I'm building a web application in ASP.NET MVC (.NET Framework 4.7.2), from this web app I need to send push notifications to users. For the ones who are logged in with windows/android, everything works as expected, but I can't manage to get it work on the apple side. If I use the same methods to subscribe to push notifications, it shows me the popup that asks the user to enable push notifications, and then I get an endpoint like this: https://web.push.apple.com/QKC1Muic0H7... It doesn't work using this (taking the part after https://web.push.apple.com/), I keep getting "Bad device token" (trying to send the notification via APNS). Then I found out that there is another method to register the device from the frontend, and this one should give me the real device token: window.safari.pushNotification.requestPermission But this one doesn't show me the popup, it gives me "denied" without a reason. I'm trying to a test application which is here https://pwa.vctplanner.it, the web push id is web.it.vctplanner, I created a push package downloadable from POST https://pwa.vctplanner.it/api/v2/PushPackages/web.it.vctplanner, and the code from the frontend is this: function registerSafariPush() { // Controlla se Safari Push Notifications è disponibile if (!('safari' in window) || !('pushNotification' in window.safari)) { console.log("Safari Push Notifications non supportate su questo browser."); return; } // Il tuo Website Push ID registrato su Apple Developer var websitePushId = "web.it.vctplanner"; // Controlla lo stato della permission var permissionData = window.safari.pushNotification.permission(websitePushId); switch (permissionData.permission) { case 'default': // L'utente non ha ancora deciso window.safari.pushNotification.requestPermission( 'https://pwa.vctplanner.it', // URL del server che serve il Push Package websitePushId, {}, // dati opzionali da inviare al server function (permission) { if (permission.permission === 'granted') { console.log("Notifiche push abilitate!"); sendSubscriptionToServer({ endpoint: permission.deviceToken }); } else { console.log("Notifiche push non abilitate dall'utente."); } } ); break; case 'denied': // L'utente ha negato console.log("Notifiche push negate."); break; case 'granted': // L'utente ha già autorizzato console.log("Notifiche push già autorizzate."); sendSubscriptionToServer({ endpoint: permissionData.deviceToken }); break; } } Any suggestions of what I'm missing? Is there a complete guide to how generate the push package? Thank you

Having the app localised and configured to Dutch from Belgium (nl_BE), I open a url with WKWebView. The website locale detects Dutch from Netherlands (nl_NL)

Hello, We are setting up Apple Sign In in one of our non production websites but we keep getting a "oauth code says expired or revoked" error. We have created a brand new service ID and key for this but are still getting this error.

Hi there, I use the Clipboard API to create formatted project links with a "copy link" button. This has been really versatile for end users. When they paste into their email, they get a hyperlinked project name that leads to the project, and when they paste into the URL bar, they just get the project URL. It used to be that pasting into Messages on Mac would yield the same behavior as pasting into the URL bar. But recently, Messages started only pasting the inner text of the HTML clipboard, so no URL, just the project name, which isn’t very useful for a copy link function. Is there any way to ensure that Messages pastes the URL while maintaining my formatting options on other surfaces?

WebAuthn can be used in Safari, but when using it with WKWebView, you need to set the default browser definition (com.apple.developer.web-browser). Is this correct? Also, is it possible that the terms of use will change or that it will no longer be available in WKWebView in the future?

We seem to be having an issue with a webservice here which is used within our network and IOS Safari. For the service to work , we need to access it with an unencrypted HTTP API call, which acts as a trigger. The server does not respond to HTTPS requests. (the HTTP API call does not contain any data that is privacy sensitive or that can be abused) Since recently the service does not seem to work anymore properly, but this only happens with Safari and IOS. With all other browsers the service is still working normally, only with Safarai it fails. No matter what I do in the settings of the phone, the Safar browser seems to stop immediately after the HTTP request. What is going on here ?? The issue seems to occur only when you don't have an iCloud+ account. With an iCloud+ account I get the same issue when you switch Apple Private Relay on, but that make sense. When I have Apple Private Relay switched off, there is no issue.

{ "epochTimestamp": 1755169981033, "expiresAt": 1755173581033, "merchantSessionIdentifier": "SSH4ADF1D97A60B47FC8537037BE9892237_FF777A9CB5E9EDAB38A01E4EDF71CB5572F19153853DAC70ADC5AA3E75877CB4", "nonce": "b6f1e016", "merchantIdentifier": "7C52E6BFA112124092008236BE1EE49791E4E82E9082AD9AC98D55B03A088120", "domainName": "1960-ikffk.checkout.trypeppr.com", "displayName": "peppr", "signature": "308006092a864886f70d010702a0803080020101310d300b0609608648016503040201308006092a864886f70d0107010000a080308203ee30820394a00302010202080e7210e510586e34300a06082a8648ce3d040302307a312e302c06035504030c254170706c65204170706c69636174696f6e20496e746567726174696f6e204341202d20473331263024060355040b0c1d4170706c652043657274696669636174696f6e20417574686f7269747931133011060355040a0c0a4170706c6520496e632e310b3009060355040613025553301e170d3231303131303032313632395a170d3236303130393032313632395a306b3131302f06035504030c286563632d736d702d62726f6b65722d7369676e5f5543342d50524f445f4b727970746f6e5f45434331143012060355040b0c0b694f532053797374656d7331133011060355040a0c0a4170706c6520496e632e310b30090603550406130255533059301306072a8648ce3d020106082a8648ce3d0301070342000466e0ea0e787dcb3f66bc533189da2bda08ed9574e421117aa1af2cc310f6a8b19ca3e77ed00fa84e8df2ac8688e529866e76ebad89eda5b7c336e0f0d8a7d05da38202113082020d300c0603551d130101ff04023000301f0603551d2304183016801423f249c44f93e4ef27e6c4f6286c3fa2bbfd2e4b304506082b0601050507010104393037303506082b060105050730018629687474703a2f2f6f6373702e6170706c652e636f6d2f6f63737030342d6170706c65616963613330323082011d0603551d2004820114308201103082010c06092a864886f7636405013081fe3081c306082b060105050702023081b60c81b352656c69616e6365206f6e207468697320636572746966696361746520627920616e7920706172747920617373756d657320616363657074616e6365206f6620746865207468656e206170706c696361626c65207374616e64617264207465726d7320616e6420636f6e646974696f6e73206f66207573652c20636572746966696361746520706f6c69637920616e642063657274696669636174696f6e2070726163746963652073746174656d656e74732e303606082b06010505070201162a687474703a2f2f7777772e6170706c652e636f6d2f6365727469666963617465617574686f726974792f30340603551d1f042d302b3029a027a0258623687474703a2f2f63726c2e6170706c652e636f6d2f6170706c6561696361332e63726c301d0603551d0e0416041457c735942abd9ea2feccd3cbe7ede0a37c8cc5fa300e0603551d0f0101ff040403020780300f06092a864886f76364061d04020500300a06082a8648ce3d0403020348003045022100f2fa622622128cd1e1642084bc4117ccdede7289690e864cfb88abb43e04338e022065f85a90b82711d1fd762e0b59c45496e9e683c265c8279998e37872feae46ec308202ee30820275a0030201020208496d2fbf3a98da97300a06082a8648ce3d0403023067311b301906035504030c124170706c6520526f6f74204341202d20473331263024060355040b0c1d4170706c652043657274696669636174696f6e20417574686f7269747931133011060355040a0c0a4170706c6520496e632e310b3009060355040613025553301e170d3134303530363233343633305a170d3239303530363233343633305a307a312e302c06035504030c254170706c65204170706c69636174696f6e20496e746567726174696f6e204341202d20473331263024060355040b0c1d4170706c652043657274696669636174696f6e20417574686f7269747931133011060355040a0c0a4170706c6520496e632e310b30090603550406130255533059301306072a8648ce3d020106082a8648ce3d03010703420004f017118419d76485d51a5e25810776e880a2efde7bae4de08dfc4b93e13356d5665b35ae22d097760d224e7bba08fd7617ce88cb76bb6670bec8e82984ff5445a381f73081f4304606082b06010505070101043a3038303606082b06010505073001862a687474703a2f2f6f6373702e6170706c652e636f6d2f6f63737030342d6170706c65726f6f7463616733301d0603551d0e0416041423f249c44f93e4ef27e6c4f6286c3fa2bbfd2e4b300f0603551d130101ff040530030101ff301f0603551d23041830168014bbb0dea15833889aa48a99debebdebafdacb24ab30370603551d1f0430302e302ca02aa0288626687474703a2f2f63726c2e6170706c652e636f6d2f6170706c65726f6f74636167332e63726c300e0603551d0f0101ff0404030201063010060a2a864886f7636406020e04020500300a06082a8648ce3d040302036700306402303acf7283511699b186fb35c356ca62bff417edd90f754da28ebef19c815e42b789f898f79b599f98d5410d8f9de9c2fe0230322dd54421b0a305776c5df3383b9067fd177c2c216d964fc6726982126f54f87a7d1b99cb9b0989216106990f09921d00003182018930820185020101308186307a312e302c06035504030c254170706c65204170706c69636174696f6e20496e746567726174696f6e204341202d20473331263024060355040b0c1d4170706c652043657274696669636174696f6e20417574686f7269747931133011060355040a0c0a4170706c6520496e632e310b300906035504061302555302080e7210e510586e34300b0609608648016503040201a08193301806092a864886f70d010903310b06092a864886f70d010701301c06092a864886f70d010905310f170d3235303831343131313330315a302806092a864886f70d010934311b3019300b0609608648016503040201a10a06082a8648ce3d040302302f06092a864886f70d010904312204209378ff57580c3205e9ea38d985a2e9ca2db7f06db29b7560f585561a23894402300a06082a8648ce3d04030204483046022100fad47e840779070d097ef91cd4bfa5381d77426071cb38c1cdc77ff9460ba1470221009215c246893bff0983052caaae610a16117237e73ab36d859008e7b234670eaa000000000000", "operationalAnalyticsIdentifier": "peppr:7C52E6BFA112124092008236BE1EE49791E4E82E9082AD9AC98D55B03A088120", "retries": 0, "pspId": "7C52E6BFA112124092008236BE1EE49791E4E82E9082AD9AC98D55B03A088120" } This is generated in the onvalidatemerchant event handler, and passed into session.completeMerchantValidation. Using a sandbox account with linked cards, the next thing that happens is a "payment not completed" message in the ApplePay popup on the page, and the oncancel event is hit Inspecting the event, I don't see anything that hints at the issue. There is a sessionError object, but its code is "unknown" and the info object is empty.

Title: Content Overlapping Address Bar After Clicking Links in Safari, tested on iPhone 11 (iOS 18.1.1) Description: When browsing in Safari on iPhone (iOS 18.1.1), the one-tab bar (address bar) collapses as expected when scrolling down a page. However, after clicking on a link and loading the next page, the content appears to overlap the collapsed address bar. This results in parts of the content being hidden or obscured by the address bar, which affects the user experience, especially on mobile devices with limited screen space. This issue is reproducible on Next.js applications and can be observed on websites such as rotterdam.nl and halderberge.nl. Steps to Reproduce: Enable the One-Tab Bar: Go to Settings > Safari and enable the one-tab bar feature. Open the website rotterdam.nl or halderberge.nl in Safari on an iPhone 11 (iOS 18.1.1). Scroll down the page so that the top address bar collapses. Click on any link on the page to load a new one. Once the new page loads, observe that the content appears on top of the collapsed address bar, causing parts of the content to be hidden or obscured. Expected Result: The content should not overlap or be hidden behind the collapsed address bar after the page reloads. The layout should adjust properly without interference from the address bar, providing a smooth user experience. Actual Result: When the new page loads, the content overlaps or appears on top of the collapsed address bar, causing parts of the content to be hidden or obscured. Device(s) Affected: iPhone 11 running iOS 18.1.1. OS Version: iOS 18.1.1 Technical Notes: To address this issue, the following solutions have been attempted with no success: Viewport Meta Tag: <meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover" /> This was added to help ensure proper layout on mobile devices, but did not resolve the issue. CSS Safe Area Insets: body { padding-top: env(safe-area-inset-top); } This CSS rule was applied to account for the safe area and prevent content from being hidden under the address bar, but it did not solve the overlapping issue. Scroll Position Adjustment (for scroll-to-top button): Adjusting the scroll behavior by changing the scroll position to {top: 1} instead of {top: 0} was a successful workaround to keep the address bar collapsed when clicking the "scroll to top" button. However, this did not resolve the issue when navigating between pages or changing routes, where the content still overlaps the collapsed address bar.

Hello, I have an authentication flow where my app communicates with a backend protected by F5 client certificate validation. The client certificate is distributed via MDM and is available in the device keychain, but not accessible directly from the app. When using ASWebAuthenticationSession (or SFSafariViewController) Safari can successfully pick up and present the certificate during authentication, so that part works fine. However, the backend’s authenticate endpoint only supports a POST request with an Authorization header, whereas ASWebAuthenticationSession only accepts a GET URL when starting the session. My questions are: How is this type of flow typically implemented in iOS? Should the backend provide a GET-based endpoint that redirects into the POST, or is there a recommended iOS pattern (e.g., an intermediate HTML page that does the POST after certificate validation)? Are there Apple guidelines on handling certificate-based auth with ASWebAuthenticationSession when the API requires POST, especially for In-House distributed apps? Any guidance or best practices would be very helpful.

We would appreciate it if you could provide the detailed flow of recurring payments and the unsubscribe process using the Apple Pay JS API, specifically in cases where the PSP decrypts the Apple Pay token before sending it to the payment gateway. Thank you very much for your kind assistance.

We would like to confirm the unsubscribe flow related to recurring payment processing. When a user unsubscribes, does your system send any notification to us? If no notification is provided, we will not be able to detect the unsubscribe event and will continue to send recurring payment requests to the gateway periodically. Would this cause any issues? We would appreciate it if you could share the specific unsubscribe flow with us. Thank you in advance for your support.

I’m encountering an issue with CSS not displaying when using WKURLSchemeHandler to load local HTML files. When I package the app using Xcode 15.3 or above, the CSS styles do not display on iOS 17 or higher. However, on iOS 16.7.1, the CSS displays correctly. • If I use Xcode 15.2 to package the app, the CSS loads and displays correctly on all iOS versions. I am using WKURLSchemeHandler to intercept and load the local HTML files. Is there any known issue or workaround for this? You can now post this in the “Safari & Web” section of the Apple Developer forums for further assistance! // // CustomURLSchemeHandler.m // HTMLTest // // Created by lvxue on 2024/9/23. // // CustomURLSchemeHandler.m #import "CustomURLSchemeHandler.h" @implementation CustomURLSchemeHandler - (void)webView:(WKWebView *)webView startURLSchemeTask:(id<WKURLSchemeTask>)urlSchemeTask { NSURL *url = urlSchemeTask.request.URL; //NSString *filePath; NSString *filePath = [[NSBundle mainBundle] pathForResource:@"index" ofType:@"html" inDirectory:@"LoaclHtml.bundle/A4"]; if ([url.lastPathComponent hasSuffix:@".css"]) { filePath = [[NSBundle mainBundle] pathForResource:@"style" ofType:@"css" inDirectory:@"LoaclHtml.bundle/A4/css"]; } else if ([url.lastPathComponent hasSuffix:@".js"]) { filePath = [[NSBundle mainBundle] pathForResource:@"yourJSFileName" ofType:@"js" inDirectory:@"LoaclHtml.bundle/A4/js"]; } NSData *htmlData = [NSData dataWithContentsOfFile:filePath]; NSString *mimeType = [self mimeTypeForPath:filePath]; NSURLResponse *response = [[NSURLResponse alloc] initWithURL:url MIMEType:mimeType expectedContentLength:htmlData.length textEncodingName:@"utf-8"]; [urlSchemeTask didReceiveResponse:response]; [urlSchemeTask didReceiveData:htmlData]; [urlSchemeTask didFinish]; } - (void)webView:(WKWebView *)webView stopURLSchemeTask:(id<WKURLSchemeTask>)urlSchemeTask { } - (NSString *)mimeTypeForPath:(NSString *)path { NSString *fileExtension = [path pathExtension]; if ([fileExtension isEqualToString:@"html"]) { return @"text/html"; } else if ([fileExtension isEqualToString:@"css"]) { return @"text/css"; } else if ([fileExtension isEqualToString:@"js"]) { return @"application/javascript"; } else if ([fileExtension isEqualToString:@"png"]) { return @"image/png"; } else if ([fileExtension isEqualToString:@"jpg"] || [fileExtension isEqualToString:@"jpeg"]) { return @"image/jpeg"; } else if ([fileExtension isEqualToString:@"gif"]) { return @"image/gif"; } return @"application/octet-stream"; } @end code-block

An Administrator account is executing safaridriver --enable but it doesn't apply to other standard user accounts and standard accounts can't enable it directly. Is this expected behavior? How can standard users make use of safaridriver?

Hi, I would like to share a finding and ask for a solution, if possible. This may be a potential bug with PointerMoveEvent on Safari on an iPad with Pencil Pro. I tested onPointerMove and onTouchMove in a <canvas> element in a React web app for freehand drawing using Mouse on a PC. Finger touch on iPad Apple pencil pro on iPad Finger touch on iPhone I was able to draw smooth curves in all cases except when using onPointerMove with Apple pencil pro on iPad. The curve drawn in this case looked like it was created using several straight-line segments. It seems like the sampling rate for PointerMoveEvent is lower than that of TouchMoveEvent on Safari I am not sure how to solve this problem or if it is an issue with Safari's interpretation of PointerEvents. Any input is greatly appreciated. Edit: It seems like https://developer.apple.com/forums/thread/689375 is related.

Hello Apple App Review Team, We are using Privy to enable sign in with Farcaster in our app. Privy is a 3rd party authentication SDK, and it currently opens the authentication URL using the system browser. Unfortunately, this behavior is handled internally by Privy and we do not have access or control to override it in order to present the sign-in flow in-app using SFSafariViewController. We understand the importance of maintaining a seamless and secure user experience, and we fully support the use of SFSafariViewController or ASWebAuthenticationSession. However, since Privy does not expose an option to change this behavior at the moment, we are limited by their current implementation. We have reached out to the Privy team requesting a change or improvement that would allow us to use SFSafariViewController instead of the external browser. In the meantime, we would appreciate your guidance on how to proceed, or whether an exception could be granted due to this 3rd party SDK limitation. Thank you for your understanding and support.

I have a website that has been built in Wordpress and hosted on wordpress engine. In testing now and on the i phone with safari browser it keeps crashing after short time 2/3 minutes, content does not display properly pages go blank etc. Has anyone experienced this /have a solution? Thanks