AppleInsider explains Apple’s new Private Access Tokens (PAT) tech announced at WWDC:

Using a new HTTP authentication method called PrivateToken, a server uses cryptography to verify a client passed an iCloud attestation check.

When the client needs a token it contacts an attester — in this case, Apple — which performs the process using certificates stored in the device’s Secure Enclave.

I’ve been waiting for someone to kill CAPTCHAs for us, but this will be an Apple-only solution for now:

The company is working to help make Private Access Tokens a web standard, but there is no mention of tokens working on Android or Windows. People on those platforms may have to put up with CAPTCHAs, for now — or wait for Microsoft’s and Google’s work on the matter.

I believe this is the draft of the standard that they’re referring to. Cloudflare also has a nice article on their work in this space.

One of the smaller (but big for webdevs) announcements from yesterday’s WWDC keynote was Web Push coming to Safari. It’s built on three web standards all working together. What does it do, well it enables websites to “notify their users of time-sensitive or high-priority events, even if the user does not currently have the site open.”

As long as you’ve coded your web application to the standards you will be able to reach Safari 16 users on macOS Ventura. You don’t need to join the Apple Developer Program to send Web Push notifications.

That’s good news, but is this feature something users want? I can think of zero websites that I’ve allowed to send me notifications even when Safari is open, let alone when I’m not even browsing the web.

Jen Simmons posted a nice thread on Twitter alongside the announcement and fielded many people’s questions/concerns along the way.

Safari 15.4 dropped today and it has a bunch of goodies in there for web devs including lazy-loading images, the <dialog> element, the :has(), pseudo-class, and more.

With the release of Safari 15 for macOS Monterey, iPadOS 15, iOS 15, and watchOS, as well as macOS Big Sur and macOS Catalina, WebKit brings significant advancements in privacy and security, improved interoperability, and a host of new features for web developers. Take a look.

We discussed a few of these in-depth on JS Party #195, but at the time I was referencing the beta features announcement and it was 404ing during the show. This is a much better resource.

Chris Coyier does a great job rounding up and summarizing conversations around #AppleBrowserBan:

Just last week I got one of those really?! 🤨 faces when this fact came up in conversation amongst smart and engaged fellow web developers: there is no browser choice on iOS. It’s all Safari. You can download apps that are named Chrome or Firefox, or anything else, but they are just veneer over Safari. If you’re viewing a website on iOS, it’s Safari.

Dan Moren writing for Six Colors:

Safari Keyword Search is a little tool that allows you to define shortcuts for searching specific sites. For example, you could type “imdb George Clooney” to be taken directly to the IMDb search results for George Clooney, or “w iPhone 13” to go straight to the Wikipedia page for the iPhone 13. You can also define your own shortcuts, so, for example, I’ve defined “sc” as a Google search limited to sixcolors.com, which helps me quickly turn up articles here…

On iOS 15, Mobile Safari supports web extensions. That means this free and awesome tool is now available on the go, where it shortcuts are even more useful.

Tim Perry:

There’s been a lot of discussion recently about how “Safari is the new IE”

I don’t want to rehash the basics of that, but I have seen some interesting rebuttals, most commonly: Safari is actually protecting the web, by resisting adding unnecessary and experimental features that create security/privacy/bloat problems.

That is worth further discussion, because it’s widespread, and wrong.

We had an excellent interview with Beth Dakin and Ronak Shah from the Safari team about what’s new and interesting for developers in Safari 14. There were so many good moments that I figured a round-up post was warranted. ICYMI (or don’t have time for the full convo), here’s the highlights from my POV.

We’re joined by Ronak Shah and Beth Dakin from the Safari team at Apple about their announcements at WWDC20 and the release of Safari 14. We talk about Safari WebExtensions, Face ID and Touch ID coming to the web, Safari’s plans to advance the web platform, and it all comes down to their focus on privacy, power, and performance.

Dan Moren writing for Six Colors:

News out of last week’s meeting of the CA/Browser Forum is that Apple has announced Safari will no longer accept HTTPS certificates older than about 13 months, as of September 1.

The rationale? Shorter certificate lifetimes are safer, for a variety of reasons. For one thing, it prevents a valid (and perhaps abandoned) certificate from being stolen or misappropriated by a bad actor, then used to trick consumers. While there is a process for revoking known bad certificates, it’s cumbersome and many browsers don’t even check the revocation lists.

This may be annoying to many of us in the short-term (our certificate here at changelog.com is a few years old), but it’s a good thing for the security of the web. Suddenly, Let’s Encrypt’s 90 day expirations look both prudent and prescient.

The irony here is that the site we’re linking to for this story is FULL of display ads. The web and mobile web for content sites, blogs, and the like tend to borderline on a confusing and/or terrible experience because of ads, modals, takeover screens, content that seems like content but is just content in disguise…then, THEN…the retargeting. I can see why Apple, with their focus on the users privacy, that this feature is a Safari thing and being lead by Apple.

The feature—blandly dubbed “Intelligent Tracking Prevention,” or “ITP 2”— is the second major iteration of its anti-tracking tool, which was first introduced last year. The update prevents marketers from targeting Safari users across the web. For example, someone who visits Nike’s website can’t be targeted elsewhere on the web, such as Google search or the New York Times website.

I’m all for websites finding ways to make money from smart relationships, partnerships, and “ads,” but they must be delivered in well-mannered and tasteful ways that does not objectify the reader or their privacy.

This was an insta-install for me after Nick gave the project a shout-out on today’s recording of JS Party. Comes packaged in Chrome, Firefox, Safari, and Opera flavors.

Workers will be at your service in an upcoming release of Safari — specifically Safari Technology Preview 48, macOS High Sierra 10.13.4 and iOS 11.3 beta seed 2.

Youenn Fablet, software engineer at Apple, writes:

While WebKit’s implementation and feature set is quickly evolving, we believe it has reached an important milestone in terms of functionality and compliance: applications using service workers for offline support or network/cache optimizations run successfully on latest WebKit builds. Let’s now dive into the specifics…

There are threads on Twitter here and here you should check out for commentary on this spec.

This news comes after Microsoft announces PWAs are coming to Microsoft Edge and Windows.