Apple ships Safari Technology Preview 47 with Spectre vulnerability mitigations

Apple has updated Safari Technology Preview, its developer browser for experimental web features, with mitigations for the Spectre vulnerability disclosed earlier this month. Version 47 can be found in the Mac App Store or online for Safari Technology Preview users.

While its developer browser received its update today, Apple already updated the official version of Safari on iOS 11, macOS High Sierra, macOS Sierra, and macOS El Capitan through software updates on Monday.

Safari on iPhone and iPad includes mitigations to defend against Spectre as of iOS 11.2.2, while macOS 10.13.2 received a supplemental update to patch Safari. Apple also released updated Safari builds for the older macOS Sierra and macOS El Capitan releases.

Apple acknowledged last week that Safari would require further updates to help lessen potential issues related to recently disclosed vulnerabilities.

All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time. Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store.

Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Apple Watch is not affected by Meltdown. In the coming days we plan to release mitigations in Safari to help defend against Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.

Here are the full release notes for Safari Technology Preview 47:

Storage Access API

  • Enabled allowing requests from non-sandboxed <iframe> elements
  • Implemented frame-specific access in the document.cookie layer
  • Made document.hasStorageAccess() retrieve the current status from the network process
  • Refactored XPC for access removal to go straight from the web process to the network process
  • Removed the JavaScript confirm() prompt when requesting storage access

Service Workers

  • Added support for response blob given to fetch events
  • Cancelled pending script loads when a Service Worker is being terminated
  • Changed Service Worker to expose redirect mode for navigation loads as manual
  • Changed extracting a body of type Blob to set the Content-Type to null instead of an empty string
  • Changed to use “error” redirect mode for fetching service worker scripts
  • Changed the Service Worker script fetch request to set the Service-Worker header
  • Changed Service Worker to not clean HTTP headers added by the application or by Fetch specification before Service Worker interception
  • Changed to reuse the document Service Worker for data URLs and blob URLs
  • Enabled User Timing and Resource Timing for Service Workers
  • Fixed the default scope used when registering a service worker
  • Fixed the Service Worker Registration promise sometimes not getting rejected when the script load fails
  • Fixed Service Worker served response tainting to keep its tainting
  • Fixed scopeURL to start with the provided scriptURL
  • Fixed self.importScripts() to obey updateViaCache inside service workers
  • Fixed Fetch handling to wait for the Service Worker’s state to become activated
  • Fixed SameOrigin and CORS fetch to fail on opaque responses served from a Service Worker
  • Fixed memory cache to not reuse resources with a different credential fetch option
  • Implemented “main fetch” default referrer policy setting
  • Prevented searching for service worker registration for non-HTTP navigation loads
  • Supported Service Worker interception of a request with blob body

Media

  • Enabled picture-in-picture from an inline element on suspend
  • Fixed playing media elements which call "pause(); play()" getting the play promise rejected
  • Fixed frame dropping during Flash video playback
  • Implemented <iframe allow="camera; microphone">

Rendering

  • Corrected the SVG lighting filter lights coordinate system
  • Fixed elements animated on-screen that are sometimes missing
  • Fixed setting the fePointLights color
  • Fixed the color of the bottom right pixel of feDiffuseLighting
  • Fixed SVG lighting colors to be converted into linearSRGB
  • Fixed feLighting with primitiveUnits="objectBoundingBox"
  • Updated the SVG use element’s shadow trees explicitly before the style recalc

Web Inspector

  • Enabled the Canvas Tab by default
  • Improved open time performance when enumerating system fonts
  • Fixed Command-Option-R (⌘⌥R) in the docked inspector causing Web Inspector to reload instead of the inspected page
  • Fixed the URL filter in the Network Tab to be case-insensitive like filter bars in other tabs
  • Fixed mis-sized waterfall graphs in the Network Tab after closing the detail view
  • Redesigned the waterfall popover showing timing data in the Network Tab table
  • Updated the Time column in the Network Tab table to include the total duration not just the download duration
  • Added an inline swatch for CSS variables in the Styles sidebar
  • Added support for typing a semicolon at the end of a value to move to the next property in the Styles sidebar
  • Enabled Command-S (⌘S) to save changes in the matching CSS resource in the Styles sidebar
  • Fixed selecting text in the Styles sidebar to not add new properties
  • Fixed “Log Value” context menu sometimes being unavailable
  • Fixed DOM Tree Element selection in RTL mode
  • Fixed the find banner sometimes not working when it was already populated and shown for the first time on a resource
  • Fixed fuzzy Capture Element screenshots
  • Fixed CSS source maps not loading
  • Implemented clicking above the selector to prepend a new property in the Styles sidebar

Clipboard API

  • Fixed isSafari runtime check to enable custom clipboard types and clipboard data sanitization in Safari Technology Preview
  • Fixed not being able to paste images on Gmail
  • Reverted blob URL conversions in pasted contents for LegacyWebKit clients

Bug Fix

  • Avoided waking plugin process up unnecessarily

Author: Zac Hall

Zac covers Apple news, hosts the 9to5Mac Happy Hour podcast, and created SpaceExplored.com.