Mozilla is planning for the day when Apple will no longer require its competitors to use the WebKit browser engine in iOS. From a report: Mozilla conducted similar experiments that never went anywhere years ago but in October 2022 posted an issue in the GitHub repository housing the code for the iOS version of Firefox that includes a reference to GeckoView, a wrapper for Firefox's Gecko rendering engine. Under the current Apple App Store Guidelines, iOS browser apps must use WebKit. So a Firefox build incorporating Gecko rather than WebKit currently cannot be distributed through the iOS App Store.

As we reported last week, Mozilla is not alone in anticipating an iOS App Store regime that tolerates browser competition. Google has begun work on a Blink-based version of Chrome for iOS. The major browser makers -- Apple, Google, and Mozilla -- each have their own browser rendering engines. Apple's Safari is based on WebKit; Google's Chrome and its open source Chromium foundation is based on Blink (forked from WebKit a decade ago); and Mozilla's Firefox is based on Gecko. Microsoft developed its own Trident rendering engine in the outdated Internet Explorer and a Trident fork called EdgeHTML in legacy versions of Edge but has relied on Blink since rebasing its Edge browser on Chromium code.

9to5Mac is reporting that Apple pulled the Damus app from its App Store in China on Thursday, "with the developers being informed that the Nostr app 'includes content that is illegal in China.'" Apple rejected the app multiple times, applying the app review guidelines that would apply to a social networking service. In reality, all Damus does is provide access to Nostr feeds, so it would be more accurate to consider it akin to a web browser, with the developers having no control over, or responsibility for, the content of those feeds. Damus finally made it into the App Store this week.

Apple has now pulled Damus from the App Store in China. Damus developer William Casarin posted a screengrab of the notice, which claimed it included illegal content....

The app doesn't contain any content at all. It would be like banning Safari because it can be used to access the websites of terrorist organizations.

An anonymous reader shares a report: When Safari users in Hong Kong recently tried to load the popular code-sharing website GitLab, they received a strange warning instead: Apple's browser was blocking the site for their own safety. The access was temporarily cut off thanks to Apple's use of a Chinese corporate website blacklist, which resulted in the innocuous site being flagged as a purveyor of misinformation. Neither Tencent, the massive Chinese firm behind the web filter, nor Apple will say how or why the site was censored. The outage was publicized just ahead of the new year. On December 30, 2022, Hong Kong-based software engineer and former Apple employee Chu Ka-cheong tweeted that his web browser had blocked access to GitLab, a popular repository for open-source code. Safari's "safe browsing" feature greeted him with a full-page "deceptive website warning," advising that because GitLab contained dangerous "unverified information," it was inaccessible. Access to GitLab was restored several days later, after the situation was brought to the company's attention.

The warning screen itself came courtesy of Tencent, the mammoth Chinese internet conglomerate behind WeChat and League of Legends. The company operates the safe browsing filter for Safari users in China on Apple's behalf -- and now, as the Chinese government increasingly asserts control of the territory, in Hong Kong as well. Apple spokesperson Nadine Haija would not answer questions about the GitLab incident, suggesting they be directed at Tencent, which also declined to offer responses. The episode raises thorny questions about privatized censorship done in the name of "safety" -- questions that neither company seems interested in answering: How does Tencent decide what's blocked? Does Apple have any role? Does Apple condone Tencent's blacklist practices?

Mozilla recently fixed a bug that was first reported 18 years ago in Firebox 1.0, reports How-to Geek: Bug 290125 was first reported on April 12, 2005, only a few days before the release of Firefox 1.0.3, and outlined an issue with how Firefox rendered text with the ::first-letter CSS pseudo-element. The author said, "when floating left a :first-letter (to produce a dropcap), Gecko ignores any declared line-height and inherits the line-height of the parent box. [...] Both Opera 7.5+ and Safari 1.0+ correctly handle this."

The initial problem was that the Mac version of Firefox handled line heights differently than Firefox on other platforms, which was fixed in time for Firefox 3.0 in 2007. The issue was then re-opened in 2014, when it was decided in a CSS Working Group meeting that Firefox's special handling of line heights didn't meet CSS specifications and was causing compatibility problems. It led to some sites with a large first letter in blocks of text, like The Verge and The Guardian, render incorrectly in Firefox compared to other browsers.

The issue was still marked as low priority, so progress continued slowly, until it was finally marked as fixed on December 20, 2022. Firefox 110 should include the updated code, which is expected to roll out to everyone in February 2023.

Speedometer 3 will be a "cross-industry collaborative effort" from the Chrome, Safari and Firefox makers to create a new model that balances the companies' visions for measuring responsiveness. Engadget reports: Three companies making a tool that will rate the effectiveness of their competing products sounds like a recipe for disaster. However, Speedometer's governance policy includes a consent system that differs based on potential ramifications. For example, significant changes will require approval from the other two companies, while "non-trivial changes" will need consent from one of the other two parties. Meanwhile, "trivial changes" can be green-lit by a reviewer from any of the three browser makers. The policy's aim is that "the working team should be able to move quickly for most changes, with a higher level of process and consensus expected based on the impact of the change."

The project will follow Speedometer 2, the current de facto benchmark developed by Apple's WebKit team. The Speedometer 3 project is still in its infancy, and its GitHub page warns that it is "in active development and is unstable." The groups recommend using Speedometer 2.1 until development is further along, though we don't yet know when Speedometer 3 will be ready.

A new feature in Firefox version 108 that may please musicians is the improved support for the Web MIDI API. "The MIDI standard is very close to a remarkable 40 years old, and Web MIDI does just what the name implies: it allows web apps to send and receive MIDI signals to and from musical instruments," reports The Register. "In principle this will allow sequencer apps to be implemented in Javascript." From the report: Amusingly, the last time The Reg mentioned Web MIDI, it was because Apple was taking it off Safari users, allegedly because of security concerns. Firefox 108 addresses that with a new security mechanism for preventing, and optionally permitting, apps inside browser tabs to access hardware resources -- in this instance, your MIDI ports. No, this does not mean that you can listen to CANYON.MID directly within Firefox. .MID files are not the same as General MIDI. But if you are nostalgic for that for some reason, help is at hand. A full list of features and changes can be found here.

An anonymous reader quotes a report from TechCrunch: Apple has confirmed that an iPhone software update it released two weeks ago fixed a zero-day security vulnerability that it now says was actively exploited. The update, iOS 16.1.2, landed on November 30 and rolled out to all supported iPhones -- including iPhone 8 and later -- with unspecified "important security updates."

In a disclosure to its security updates page on Tuesday, Apple said the update fixed a flaw in WebKit, the browser engine that powers Safari and other apps, which if exploited could allow malicious code to run on the person's device. The bug is called a zero-day because the vendor is given zero days notice to fix the vulnerability. Apple said security researchers at Google's Threat Analysis Group, which investigates nation state-backed spyware, hacking and cyberattacks, discovered and reported the WebKit bug.

Apple said in its Tuesday disclosure that it is aware that the vulnerability was exploited "against versions of iOS released before iOS 15.1," which was released in October 2021. As such, and for those who have not yet updated to iOS 16, Apple also released iOS and iPadOS 15.7.2 to fix the WebKit vulnerability for users running iPhones 6s and later and some iPad models. The bug is tracked as CVE-2022-42856, or WebKit 247562. It's not clear for what reason Apple withheld details of the bug for two weeks.

Apple plans to expand its Communication Safety features, which aim to disrupt the sharing of child sexual abuse material at the source. From a report: In August 2021, Apple announced a plan to scan photos that users stored in iCloud for child sexual abuse material (CSAM). The tool was meant to be privacy-preserving and allow the company to flag potentially problematic and abusive content without revealing anything else. But the initiative was controversial, and it soon drew widespread criticism from privacy and security researchers and digital rights groups who were concerned that the surveillance capability itself could be abused to undermine the privacy and security of iCloud users around the world. At the beginning of September 2021, Apple said it would pause the rollout of the feature to "collect input and make improvements before releasing these critically important child safety features." In other words, a launch was still coming. Now the company says that in response to the feedback and guidance it received, the CSAM-detection tool for iCloud photos is dead.

Instead, Apple told WIRED this week, it is focusing its anti-CSAM efforts and investments on its "Communication Safety" features, which the company initially announced in August 2021 and launched last December. Parents and caregivers can opt into the protections through family iCloud accounts. The features work in Siri, Apple's Spotlight search, and Safari Search to warn if someone is looking at or searching for child sexual abuse materials and provide resources on the spot to report the content and seek help. Additionally, the core of the protection is Communication Safety for Messages, which caregivers can set up to provide a warning and resources to children if they receive or attempt to send photos that contain nudity. The goal is to stop child exploitation before it happens or becomes entrenched and reduce the creation of new CSAM.

whoever57 writes: Would you trust your communications to a company that has links to a spyware company and claims that its address is a UPS store in Toronto? You probably already do. Washington Post reports: An offshore company that is trusted by the major web browsers and other tech companies to vouch for the legitimacy of websites has connections to contractors for U.S. intelligence agencies and law enforcement, according to security researchers, documents and interviews. Google's Chrome, Apple's Safari, nonprofit Firefox and others allow the company, TrustCor Systems, to act as what's known as a root certificate authority, a powerful spot in the internet's infrastructure that guarantees websites are not fake, guiding users to them seamlessly.

The company's Panamanian registration records show that it has the identical slate of officers, agents and partners as a spyware maker identified this year as an affiliate of Arizona-based Packet Forensics, which public contracting records and company documents show has sold communication interception services to U.S. government agencies for more than a decade. One of those TrustCor partners has the same name as a holding company managed by Raymond Saulino, who was quoted in a 2010 Wired article as a spokesman for Packet Forensics. Saulino also surfaced in 2021 as a contact for another company, Global Resource Systems, that caused speculation in the tech world when it briefly activated and ran more than 100 million previously dormant IP addresses assigned decades earlier to the Pentagon. The Pentagon reclaimed the digital territory months later, and it remains unclear what the brief transfer was about, but researchers said the activation of those IP addresses could have given the military access to a huge amount of internet traffic without revealing that the government was receiving it. whoever57 has also shared a unpaywalled link to the story.

It's a major Apple update day, as the company is rolling out new versions of its iPhone, iPad and Mac operating systems. While iPhone users at large have already had a taste of iOS 16, this will be the first time that most folks will get their hands on iPadOS 16 and macOS Ventura. From a report: Apple delayed the release of iPadOS 16 amid reports suggesting it needed more time to polish up the Stage Manager multitasking feature (which we felt was unrefined in an early iPadOS 16 beta). In fact, Apple said it was skipping a public release of iPadOS 16 and going straight to version 16.1 -- just in time for the company's latest iPad Pro and entry-level iPad shipping this week.

The latest version of the iPad operating system will include many of the same updates as iOS 16, including significant changes to Mail, Safari, Messages and other key apps. There are more collaboration-centric features, while the Weather and Clock apps are finally coming to iPad. External display support for Stage Manager will arrive within the next couple of months. Also later this year, Apple will release a collaborative productivity iPad app called Freeform. It seems like a souped-up whiteboard where users can sketch out ideas with Apple Pencil. The company says you'll be able to attach just about any kind of file to the canvas, including images, videos, audio, PDFs, documents and URLs, and preview the content inline.

The next versions of macOS and iPadOS will be released to the general public on October 24, Apple announced today. From a report: The iPadOS 16 update runs on all iPad Pros, the 5th-generation iPad and later, the fifth-generation iPad mini and later, and the 3rd-generation iPad Air and later, dropping support for the venerable iPad Air 2 and a handful of other models (it will also ship on all the new iPads Apple announced today). The macOS Ventura update generally requires a Mac released in 2017 or later, dropping support for various models released between 2013 and 2016. Both updates will enable some iOS 16 features on iPads and Macs, including editing and deletion of iMessages, better search in Mail, passkey support in Safari, and a new large-screened Weather app and redesigned Home app, improved gamepad support, and more. Both also include a version of the Stage Manager window management feature, and Ventura includes a redesigned System Settings app.

Android Developers Blog: Passkeys are a significantly safer replacement for passwords and other phishable authentication factors. They cannot be reused, don't leak in server breaches, and protect users from phishing attacks. Passkeys are built on industry standards and work across different operating systems and browser ecosystems, and can be used for both websites and apps. Passkeys follow already familiar UX patterns, and build on the existing experience of password autofill. For end-users, using one is similar to using a saved password today, where they simply confirm with their existing device screen lock such as their fingerprint. Passkeys on users' phones and computers are backed up and synced through the cloud to prevent lockouts in the case of device loss. Additionally, users can use passkeys stored on their phone to sign in to apps and websites on other nearby devices.

Today's announcement is a major milestone in our work with passkeys, and enables two key capabilities: Users can create and use passkeys on Android devices, which are securely synced through the Google Password Manager. Developers can build passkey support on their sites for end-users using Chrome via the WebAuthn API, on Android and other supported platforms. To try this today, developers can enroll in the Google Play Services beta and use Chrome Canary. Both features will be generally available on stable channels later this year. Our next milestone in 2022 will be an API for native Android apps. Passkeys created through the web API will work seamlessly with apps affiliated with the same domain, and vice versa. The native API will give apps a unified way to let the user pick either a passkey or a saved password. Seamless, familiar UX for both passwords and passkeys helps users and developers gradually transition to passkeys.

For the end-user, creating a passkey requires just two steps: (1) confirm the passkey account information, and (2) present their fingerprint, face, or screen lock when prompted. Signing in is just as simple: (1) The user selects the account they want to sign in to, and (2) presents their fingerprint, face, or screen lock when prompted. A passkey on a phone can also be used to sign in on a nearby device. For example, an Android user can now sign in to a passkey-enabled website using Safari on a Mac. Similarly, passkey support in Chrome means that a Chrome user, for example on Windows, can do the same using a passkey stored on their iOS device. Since passkeys are built on industry standards, this works across different platforms and browsers - including Windows, macOS and iOS, and ChromeOS, with a uniform user experience.

Apple is advising iOS and iPadOS users to update to the latest software version to patch two security holes that could allow an application to execute arbitrary code with kernel privileges. They also issued a patch for WebKit, the browser that powers Safari and all third-party browsers on iOS. For this vulnerability, Apple says that "processing maliciously crafted web content may lead to arbitrary code execution."

"With two major security fixes, we recommend all iPhone users update to iOS 15.6.1 immediately and all iPad users update to iPadOS 15.6.1," writes Chance Miller via 9to5Mac. "You can do so by heading to the Settings app, choosing General, then choosing Software Update."

Meta, the owner of Facebook and Instagram, has been rewriting websites its users visit, letting the company follow them across the web after they click links in its apps, according to new research from an ex-Google engineer. The Guardian reports: The two apps have been taking advantage of the fact that users who click on links are taken to webpages in an "in-app browser," controlled by Facebook or Instagram, rather than sent to the user's web browser of choice, such as Safari or Firefox. "The Instagram app injects their tracking code into every website shown, including when clicking on ads, enabling them [to] monitor all user interactions, like every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers," says Felix Krause, a privacy researcher who founded an app development tool acquired by Google in 2017.

Krause discovered the code injection by building a tool that could list all the extra commands added to a website by the browser. For normal browsers, and most apps, the tool detects no changes, but for Facebook and Instagram it finds up to 18 lines of code added by the app. Those lines of code appear to scan for a particular cross-platform tracking kit and, if not installed, instead call the Meta Pixel, a tracking tool that allows the company to follow a user around the web and build an accurate profile of their interests. The company does not disclose to the user that it is rewriting webpages in this way. No such code is added to the in-app browser of WhatsApp, according to Krause's research. [...] It is unclear when Facebook began injecting code to track users after clicking links. "We intentionally developed this code to honor people's [Ask to track] choices on our platforms," a Meta spokesperson told The Guardian in a statement. "The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We do not add any pixels. Code is injected so that we can aggregate conversion events from pixels."

They added: "For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill."

Apple introduced a security tool for iPhone, iPad and Mac devices that is designed to prevent targeted cyberattacks on high-profile users such as activists, journalists and government officials. From a report: The optional feature, called Lockdown Mode, will offer "extreme" protection for a "very small number of users who face grave, targeted attacks," Apple said Wednesday in a statement. The tool vastly reduces the number of physical and digital ways for an attacker to hack a user's device. Apple said the feature is aimed primarily at trying to combat attacks from "spyware" sold by NSO Group and other companies, particularly to state-sponsored groups.

[...] Lockdown Mode will affect the Messages app, FaceTime, Apple online services, configuration profiles, the Safari web browser and wired connections. With the tool in place, the Messages app will block attachments other than images and disable link previews. Those are two common mechanisms that hackers use to infiltrate devices remotely. The web browser, another frequent conduit for hackers, will also be severely limited, with restrictions on certain fonts, web languages and features involving reading PDFs and previewing content. In FaceTime, users won't be able to receive calls from an individual that they haven't previously called within the preceding 30 days.

Brave CEO Brendan Eich took aim at rival DuckDuckGo on Wednesday by challenging the web search engine's efforts to brush off revelations that its Android, iOS, and macOS browsers gave, to a degree, Microsoft Bing and LinkedIn trackers a pass versus other trackers. The Register reports: Eich drew attention to one of DuckDuckGo's defenses for exempting Microsoft's Bing and LinkedIn domains, a condition of its search contract with Microsoft: that its browsers blocked third-party cookies anyway. "For non-search tracker blocking (e.g. in our browser), we block most third-party trackers," explained DuckDuckGo CEO Gabriel Weinberg last month. "Unfortunately our Microsoft search syndication agreement prevents us from doing more to Microsoft-owned properties. However, we have been continually pushing and expect to be doing more soon."

However, Eich argues this is disingenuous because DuckDuckGo also includes exceptions that allow Microsoft trackers to circumvent third-party cookie blocking via appended URL parameters. "Trackers try to get around cookie blocking by appending identifiers to URL query parameters, to ID you across sites," he explained. DuckDuckGo is aware of this, Eich said, because its browser prevents Google, Facebook, and others from appending identifiers to URLs in order to bypass third-party cookie blocking. "[DuckDuckGo] removes Google's 'gclid' and Facebook's 'fbclid'," Eich said. "Test it yourself by visiting https://example.org/?fbclid=sample in [DuckDuckGo]'s macOS browser. The 'fbclid' value is removed." "However, [DuckDuckGo] does not apply this protection to Microsoft's 'msclkid' query parameter," Eich continued. "[Microsoft's] documentation specifies that 'msclkid' exists to circumvent third-party cookie protections in browsers (including in Safari's browser engine used by DDG on Apple OSes)." Eich concluded by arguing that privacy-focused brands need to prioritize privacy. "Brave categorically does not and will not harm user privacy to satisfy partners," he said.

A spokesperson for DuckDuckGo characterized Eich's conclusion as misleading. "What Brendan seems to be referring to here is our ad clicks only, which is protected in our agreement with Microsoft as strictly non-profiling (private)," a company spokesperson told The Register in an email. "That is these ads are privacy protected and how he's framed it is ultimately misleading. Brendan, of course, kept the fact that our ads are private out and there is really nothing new here given everything has already been disclosed." In other words, allowing Bing to append its identifier to URLs enables Bing advertisers to tell whether their ad produced a click (a conversion), but not to target DuckDuckGo browser users based on behavior or identity.

DuckDuckGo's spokesperson pointed to Weinberg's attempt to address the controversy on Reddit and argued that DuckDuckGo provides very strong privacy protections. "This is talking about link tracking which no major browser protects against (see https://privacytests.org/), however we've started protecting against link tracking, and started with the primary offenders (Google and Facebook)," DuckDuckGo's spokesperson said. "To note, we are planning on expanding this to more companies, including Twitter, Microsoft, and more. We are not restricted from this and will be doing so."

It's finally happening. Microsoft will be ending support for most versions of its Internet Explorer (IE) 11 browser on June 15. ZDNet: Microsoft announced more than a year ago that IE would be removed from most versions of Windows 10 this year and has spent months encouraging customers to get ready by proactively retiring the browser from their organizations. IE 11 will be retired for Windows 10 client SKUs (version 20H2 and later) and Windows 10 IoT (version 20H2 and later). Products not affected by this retirement include IE Mode in Edge; IE 11 desktop on Windows 8.1, Windows 7 (with Extended Security Updates), Windows Server LTSC (all versions), Windows Server 2022, Windows 10 client LTSC (all versions), Windows 10 IoT LTSC (all versions). The IE 11 desktop app is not available on Windows 11, as Edge is the default browser for Windows 11. IE Mode in Microsoft Edge will be supported through at least 2029 to give web developers eight years to modernize legacy apps and eventually remove the need for IE mode, officials have said. According to Net Applications, a web monitoring tool, Internet Explorer still has a market share of 5.21% on desktops and laptops, far behind Chrome at over 69%, to be sure, but still ahead of Apple's Safari, which commands 3.73% market share.

The UK's Competition and Markets Authority (CMA) has concluded that Google and Apple "hold all the cards" when it comes to mobile phones a year after taking a closer look at their "duopoly." It's now consulting on the launch of a market investigation into the tech giants' market power in mobile browsers, as well as into Apple's cloud gaming restrictions. From a report: In addition, the CMA has launched a separate investigation into Google's Play Store rules -- the one that requires certain app developers to use the tech giant's payment system for in-app purchases, in particular. The CMA has concluded after its year-long study that the tech giants do indeed exhibit an "effective duopoly" on mobile ecosystems. A total of 97 percent of all mobile web browsing in the UK is powered by Apple's and Google's browser engines. iPhones and Android devices typically come with Safari and Chrome pre-installed, which means their browsers have the advantage from the start. Further, Apple requires developers to make sure their iOS and iPadOS apps are using its WebKit engine to browse the web. That limits the incentives Apple may have to invest in Safari, the CMA said.

As expected, Apple has used the stage at its WWDC 2022 keynote to reveal the features and changes coming to macOS in the next major software update for the platform, macOS 13 Ventura. From a report: Ventura's headlining feature is a new multitasking interface called Stage Manager. It's being billed as a way to fight window clutter on a busy desktop -- enter Stage Manager mode, and one of your windows floats to the center of the screen, pushing your other windows into a compressed navigation column on the left of the screen. Click a different app window on the left, and it will fly to the center of the screen, knocking the app you were using before into the navigation column. Spotlight also gets some handy quality-of-life updates, adding the ability to Quick Look search results directly from the Spotlight window, and the ability to run Shortcuts from within Spotlight.

Safari picks up the ability to share groups of tabs with other users, letting all users add and remove tabs. The browser is also adding a FIDO-compliant security technology called PassKeys, which aim to replace passwords with cryptographically generated keys that sync between devices using iCloud Keychain. Sites that support PassKeys can be opened using TouchID or FaceID. Apple's cross-device Continuity features were also updated. FaceTime calls can be handed off seamlessly between different Macs and iDevices, while Continuity Camera allows you to use an iPhone as a webcam (your iPhone's LED can even be used as a makeshift ring light). Continuity Camera supports Center Stage and Portrait Mode effects, too, though presumably they will require newer iPhones with hardware that supports those features.

An anonymous reader quotes a report from Ars Technica: Apple's Safari web browser has more than 1 billion users, according to an estimate by Atlas VPN. Only one other browser has more than a billion users, and that's Google's Chrome. But at nearly 3.4 billion, Chrome still leaves Safari in the dust. It's important to note that these numbers include mobile users, not just desktop users. Likely, Safari's status as the default browser for both the iPhone and iPad plays a much bigger role than its usage on the Mac. Still, it's impressive given that Safari is the only major web browser not available on Android, which is the world's most popular mobile operating system, or Windows, the most popular desktop OS. "The statistics are based on the GlobalStats browser market share percentage, which was then converted into numbers using the Internet World Stats internet user metric to retrieve the exact numbers," explains Atlas VPN in a blog post.