safariAllowPopups doesn't work in Sonoma (and possibly earlier versions) #132

New Issue

Closed

opened 2026-01-19 18:29:20 +00:00 by michael · 4 comments

michael commented 2026-01-19 18:29:20 +00:00

Owner

Copy Link

Originally created by @isaacatmann on GitHub.

Originally assigned to: @jmahlman on GitHub.

Summary

The current remediations for blocking popups in Safari is no longer applied via config profile. This is verified by navigateing to https://nsc.puresafety.com/Login/PopupTest with the profile insatlled enforing safariAllowPopups.

Steps to reproduce

Go to Safari > Settings > Websites > Pop-up Windows
Change When visiting other websites: Allow
Quit Safari
Install Config profile recomemnded here with com.apple.Safari - safariAllowPopups payload
Open Safari
Navigate to https://nsc.puresafety.com/Login/PopupTest

Toggle Change When visiting other websites: to various settings
quit
re-open https://nsc.puresafety.com/Login/PopupTest to observe various results.

Operating System version

macOS Sonoma

Intel or Apple Silicon

Both

What is the current bug behavior?

Popups are not blocked

What is the expected correct behavior?

Popups blocked

Possible fixes

So far I've found that pop up blocking is no longer a binary yes/no decision and is a per site with a "All others" setting. This is stored in a sqlite database.

Verifying the seting is done via

sqlite3 ~/Library/Safari/PerSitePreferences.db 'select * from default_preferences' | grep PerSitePreferencesPopUpWindow

There are now 3 options: block, block and notify and allow.

Per site settings can be overridden in the same database by the user and can be reported via

sqlite3 ~/Library/Safari/PerSitePreferences.db 'select * from preference_values' | grep PerSitePreferencesPopUpWindow

Originally created by @isaacatmann on GitHub. Originally assigned to: @jmahlman on GitHub. ### Summary The current remediations for blocking popups in Safari is no longer applied via config profile. This is verified by navigateing to https://nsc.puresafety.com/Login/PopupTest with the profile insatlled enforing safariAllowPopups. ### Steps to reproduce Go to Safari > Settings > Websites > Pop-up Windows Change When visiting other websites: Allow Quit Safari Install Config profile recomemnded here with com.apple.Safari - safariAllowPopups payload Open Safari Navigate to https://nsc.puresafety.com/Login/PopupTest Toggle Change When visiting other websites: to various settings quit re-open https://nsc.puresafety.com/Login/PopupTest to observe various results. ### Operating System version macOS Sonoma ### Intel or Apple Silicon Both ### What is the current *bug* behavior? Popups are not blocked ### What is the expected *correct* behavior? Popups blocked ### Possible fixes So far I've found that pop up blocking is no longer a binary yes/no decision and is a per site with a "All others" setting. This is stored in a sqlite database. Verifying the seting is done via ```sqlite3 ~/Library/Safari/PerSitePreferences.db 'select * from default_preferences' | grep PerSitePreferencesPopUpWindow``` There are now 3 options: block, block and notify and allow. Per site settings can be overridden in the same database by the user and can be reported via ```sqlite3 ~/Library/Safari/PerSitePreferences.db 'select * from preference_values' | grep PerSitePreferencesPopUpWindow```

michael closed this issue 2026-01-19 18:29:20 +00:00

michael commented 2026-01-19 18:29:21 +00:00

Author

Owner

Copy Link

@jmahlman commented on GitHub:

CIS has updated the guidance for this rule and moved it to a manual audit. Since the config profile does not work, we have removed the rule from the Sequoia branch and will backport to others.

4d4d71ca16

@jmahlman commented on GitHub: CIS has updated the guidance for this rule and moved it to a manual audit. Since the config profile does not work, we have removed the rule from the Sequoia branch and will backport to others. https://github.com/usnistgov/macos_security/commit/4d4d71ca1693c60b59e73b97eb57ebe8c1b369dd

michael commented 2026-01-19 18:29:21 +00:00

Author

Owner

Copy Link

@isaacatmann commented on GitHub:

Update better detection

Detection:

sqlite3 ~/Library/Safari/PerSitePreferences.db 'select default_value from default_preferences WHERE preference="PerSitePreferencesPopUpWindow"'
Result should be 0 or 1

@isaacatmann commented on GitHub: Update better detection Detection: ``` sqlite3 ~/Library/Safari/PerSitePreferences.db 'select default_value from default_preferences WHERE preference="PerSitePreferencesPopUpWindow"' Result should be 0 or 1 ```

michael commented 2026-01-19 18:29:21 +00:00

Author

Owner

Copy Link

@robertgendler commented on GitHub:

Sorry it took a while to come around to this.

Testing with macOS 14.5 and the profile installed and testing your website. It is blocking popups for me. Now once the profile was installed I had to restart Safari. But that's typical of a lot of applications when a configuration profile is applied.

Are you still seeing undesired behavior?

@robertgendler commented on GitHub: Sorry it took a while to come around to this. Testing with macOS 14.5 and the profile installed and testing your website. It is blocking popups for me. Now once the profile was installed I had to restart Safari. But that's typical of a lot of applications when a configuration profile is applied. Are you still seeing undesired behavior?

michael commented 2026-01-19 18:29:21 +00:00

Author

Owner

Copy Link

@isaacatmann commented on GitHub:

Update, resolution is as follows:

sqlite3 ~/Library/Safari/PerSitePreferences.db 'UPDATE default_preferences SET default_value=0 WHERE preference="PerSitePreferencesPopUpWindow";'

default values:

2= allow
1= block
0= block and notify```

@isaacatmann commented on GitHub: Update, resolution is as follows: ```sqlite3 ~/Library/Safari/PerSitePreferences.db 'UPDATE default_preferences SET default_value=0 WHERE preference="PerSitePreferencesPopUpWindow";'``` default values: ``` 2= allow 1= block 0= block and notify```

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dev_2.0_generate_mapping

dev_2.0

sequoia

sonoma

nist-pages

nist-pages-docs

ios_18

ios_26

ios_26_cmmc

dev_2.0_compliance_script

tahoe

visionos_26

dev_ios_26_stig

dev_visionOS_26_stig

dev_tahoe_adjustments

ios_17

dev_sequoia_bio

tahoe_578-typo-in-os_sshd_fips_compliantyaml-fix-code

ventura

ios_16

visionos_2

505-create-python-scp-library

monterey

big_sur

catalina

tahoe_rev2

sequoia_rev4

visionos26_rev2

ios26_rev2

tahoe_rev1

visionos26_rev1

ios26_rev1

sonoma_rev5

sequoia_rev3

ios18_rev3

ios17_rev4

ventura_rev6

sonoma_rev4

sequoia_rev2

visionos_rev2

ios18_rev2.0

ios16_rev4

sequoia_rev1.1

ventura_rev5.1

ios18_rev1.1

sonoma_rev3.1

sequoia_rev1

visionos_rev1

ios18_rev1

ios17_rev3

ios16_rev3

ventura_rev5

sonoma_rev3

ventura_rev4

sonoma_rev2

ios17_rev2

ios16_rev2

monterey_rev6

sonoma_rev1

ventura_rev3

monterey_rev5

ios16_rev1

ios17_rev1

big_sur_rev7

monterey_rev4

ventura_rev2

ventura_rev1.1

monterey_rev3.1

big_sur_rev6.1

ventura_rev1

monterey_rev3

big_sur_rev6

monterey_rev2

catalina_rev6

big_sur_rev5

monterey_rev1

big_sur_rev4

catalina_rev5

big_sur_rev3

catalina_rev4

big_sur_rev2

catalina_rev3

big_sur_rev1

catalina_rev2

catalina_rev1

v0.9

Labels

No items

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

michael

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: usnistgov/macos_security#132