Apple ships Safari Technology Preview 47 with Spectre vulnerability mitigations

Apple has updated Safari Technology Preview, its developer browser for experimental web features, with mitigations for the Spectre vulnerability disclosed earlier this month. Version 47 can be found in the Mac App Store or online for Safari Technology Preview users.

While its developer browser received its update today, Apple already updated the official version of Safari on iOS 11, macOS High Sierra, macOS Sierra, and macOS El Capitan through software updates on Monday.

Safari on iPhone and iPad includes mitigations to defend against Spectre with iOS 11.2.2 while macOS 10.13.2 received a supplemental update to patch Safari. Apple released updated versions of its web browser on macOS Sierra and macOS El Capitan for older operating systems.

Apple acknowledged last week that Safari would require further updates to help lessen potential issues related to recently disclosed vulnerabilities.

All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time. Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store.

Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Apple Watch is not affected by Meltdown. In the coming days we plan to release mitigations in Safari to help defend against Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.

Here are the full release notes for Safari Technology Preview 47:

Storage Access API

  • Enabled allowing requests from non-sandboxed
  • Implemented frame-specific access in the document.cookie layer
  • Made document.hasStorageAccess() retrieve the current status from the network process
  • Refactored XPC for access removal to go straight from the web process to the network process
  • Removed the JavaScript confirm() prompt when requesting storage access

Service Workers

  • Added support for response blob given to fetch events
  • Cancelled pending script loads when a Service Worker is being terminated
  • Changed Service Worker to expose redirect mode for navigation loads as manual
  • Changed extracting a body of type Blob to set the Content-Type to null instead of an empty string
  • Changed to use “error” redirect mode for fetching service worker scripts
  • Changed the Service Worker script fetch request to set the Service-Worker header
  • Changed Service Worker to not clean HTTP headers added by the application or by Fetch specification before Service Worker interception
  • Changed to reuse the document Service Worker for data URLs and blob URLs
  • Enabled User Timing and Resource Timing for Server Workers
  • Fixed the default scope used when registering a service worker
  • Fixed the Service Worker Registration promise sometimes not getting rejected when the script load fails
  • Fixed Service Worker served response tainting to keep its tainting
  • Fixed scopeURL to start with the provided scriptURL
  • Fixed self.importScripts() to obey updateViaCache inside service workers
  • Fixed Fetch handling to wait for the Service Worker’s state to become activated
  • Fixed SameOrigin and CORS fetch to fail on opaque responses served from a Service Worker
  • Fixed memory cache to not reuse resources with a different credential fetch option
  • Implemented “main fetch” default referrer policy setting
  • Prevented searching for service worker registration for non-HTTP navigation loads
  • Supported Service Worker interception of a request with blob body

Media

  • Enabled picture-in-picture from an inline element on suspend
  • Fixed playing media elements which call “pause(); play()” getting the play promise rejected
  • Fixed frame dropping during Flash video playback
  • Implemented