Safari web apps arrived in macOS 14 Sonoma. To create a web app, you load a website in Safari and then select the Add to Dock command from the File menu.
Safari web app support for web extensions—but not for app extensions like StopTheMadness Pro!—was added in macOS 15 Sequoia. WWDC 2025 has now come and gone without adding Safari app extension support. (The WWDC betas did add Safari web apps to iOS and iPadOS, but they don't support Safari extensions at all, unfortunately.) Since Apple didn't help me out, I've decided to take matters into my own hands and start working on a Safari web extension accessory to StopTheMadness Pro. I'm not making any promises, and you should treat my announcement as vaporware, but still… my project is very far along.
Anyway, I've been testing Safari web apps extensively, and I've noticed a strange behavior. Safari web apps are inherently strange, because they open cross-site links in your default web browser instead of in the web app, but that's not the strange behavior I'm talking about here. Specifically, the strange behavior is what happens at the TCP level when a Safari web app opens a cross-site link.
I created a Safari web app for my business website (underpassapp.com). The front page of my business website includes a link with my name to my personal website (lapcatsoftware.com), this very website on which you're reading this very blog post.
When I click on the link to my personal website, the Safari web app opens the URL in my default web browser (which is my app Link Unshortener, by the way). However, the Safari web app also directly opens a TCP connection to the URL, as shown by Little Snitch.
Practically speaking, it doesn't actually matter whether you allow or deny this connection, because allowing the connection doesn't cause the URL to open in the Safari web app, and denying the connection doesn't prevent the URL from opening in your default web browser.
You might speculate that the Safari web app is checking for an internet route to the website before it opens the URL in your default web browser, but nope, that's not what's happening. If I permanently deny all connections from the Safari web app to lapcatsoftware.com in Little Snitch, so that the connections are rejected immediately when attempted, the Safari web app still opens the URL in my default web browser.
As far as I can tell from packet traces, the Safari web app never sends HTTP requests over the internet during the phantom connections. It simply sends and receives some TCP packets before closing the connection. Thus, the strange behavior looks to me like a bug. In fact it looks similar to a WebKit bug I filed a few months ago: "WKWebView opens a TLS connection before calling decidePolicyForNavigationAction (and despite it returning WKNavigationActionPolicyCancel)." However, that bug applies only to encrypted https connections, whereas the Safari web app bug happens with both https and unencrypted http connections.
I don't really know what to make of the strange Safari web app behavior. Is it a privacy issue? Maybe, or maybe not. In any case, I thought the behavior was interesting and worth noting publicly. The world wide web can now debate whether it's a nothingburger or a somethingburger. Have it your way!