Safari is not filtered on macOS 15 Beta 5 with Private Relay enabled

[q36zhd46w17o]

Please answer the following questions for yourself before submitting an issue

• [X] Filters were updated before reproducing an issue
• [X] I checked the knowledge base and found no answer
• [x] I checked to make sure that this issue has not already been filed

AdGuard version

2.15.1.1731 release

Browser version

18.1 (20619.2.1)

OS version

macOS Sequoia Beta 15.1 (24B5035e)

Ad Blocking

AdGuard Base filter, AdGuard Mobile Ads filter, EasyList

Privacy

AdGuard Tracking Protection filter, AdGuard URL Tracking filter, EasyPrivacy, Legitimate URL Shortener, Peter Lowe's Blocklist, Fanboy's Anti-Facebook List

Social

AdGuard Social Media filter, Fanboy's Social Blocking List

Annoyances

AdGuard Annoyances filter, AdGuard Cookie Notices filter, AdGuard Popups filter, AdGuard Mobile App Banners filter, AdGuard Other Annoyances filter, AdGuard Widgets filter, Adblock Warning Removal List, Fanboy's Annoyances, EasyList Cookie List, Dandelion Sprout's Annoyances List

Security

Online Malicious URL Blocklist, Phishing URL Blocklist, Scam Blocklist by DurableNapkin, uBlock Origin – Badware risks, NoCoin Filter List

Other

Filter unblocking search ads and self-promotion, AdGuard DNS filter, AdGuard Experimental filter, Fanboy's Anti-thirdparty Fonts

Language-specific

AdGuard Chinese filter, AdGuard Japanese filter

Which DNS server do you use?

AdGuard DNS

DNS protocol

DNS-over-HTTPS

Custom DNS

No response

What Stealth Mode options do you have enabled?

Block trackers, Remove tracking parameters, Hide your search queries, Send Do-Not-Track signals, Disable cache for third-party requests, Block the third-party Authorization header, Block WebRTC, Block Push API, Block Location API, Block Java, Hide your Referrer from third-parties, Hide your User Agent, Mask your IP address, Remove X-client-Data header from HTTP request, Protect from DPI

Support ticket ID

947659

Issue Details

1.  Open the Safari browser and ensure the AdGuard extension is enabled.
2.  Visit a website known to contain ads, such as Youtube.
3.  Attempt to load the page and observe whether any ads are displayed.
4.  On the same page, try using Safari’s new privacy features, such as “element hiding,” and observe the behavior of page elements.
5.  Repeat the above steps, noting if any “You Are Not Connected to the Internet” error messages appear.

Expected Behavior

•   AdGuard should effectively block all ads on the page, with no ads bypassing the filters.
•   Safari should not display any connection error messages.
•   AdGuard should work seamlessly with Safari’s new privacy features, ensuring that page elements are properly hidden or blocked.

Actual Behavior

•   Ads intermittently bypass AdGuard’s filters and appear on some websites.
•   On certain occasions, Safari displays a “You Are Not Connected to the Internet” error, which seems related to AdGuard’s filtering process.
•   There appears to be a conflict between AdGuard and Safari’s new privacy features, preventing certain webpage elements from being effectively hidden or blocked.

Screenshots

Screenshot 1

Additional Information

I would like to add that when using Chrome on the same computer, I do not encounter any of these issues. AdGuard functions as expected on Chrome version 128.0.6613.86 (Official Build) (arm64).

[AlexandrPkhm]

Hi @q36zhd46w17o

We have been able to reproduce the issue of Element blocking with the AdGuard Assistant extension in Safari. However, we cannot reproduce issues with ads bypassing AdGuard filters and "You are not connected to the Internet" error messages.

To diagnose and fix the above issues, we need to get the application logs. Here's what we need you to do:

1. Click AdGuard icon in the menu bar → Gear → Advanced → Logging → Logging level → Debug;
2. Reproduce the issue and remember the exact time it happened;
3. Menu → Advanced → Logging → Export Logs and System Info…;
4. Send the archive to apple@adguard.com and mention this issue number in the subject.

[AlexandrPkhm]

@hmgnsd Hi, it seems that the issue you are experiencing is related to the general filtering in Safari on MacOS 15 Sequoia beta versions. Could you please record the debug logs of the application for us? We need them to diagnose and fix this issue.

We have left the similar instructions in your previous ticket, but just in case, here is what we need you to do:

1. Click AdGuard icon in the menu bar -> Gear -> Advanced -> Logging -> Logging level -> Debug.
2. Reproduce the problem, then remember the exact time it happened.
3. Menu -> Advanced -> Logging -> Export Logs and System Info.….
4. Send this file to qa@adguard.com:
   • include [mac] keyword and #1471 in the subject of your email
   • specify the exact time when the issue occurred

[xJustxMegx]

Hi, same issue here can I send the data too?

I did send the data, it seems that when I disable iCloud Private Relay everything works fine.

[jameyers4]

FYI - this seems to work when I re-enable Private-Relay on my Mac (Sequoia 15.0) on my commonly used tabs with all but usatoday.com, where several ads remain. If I turn private relay off, and refresh usatoday.com, the ads go away.

[sfionov]

Seems that this issue is reproduced only if both Private Relay and Firewall are on.

If firewall is off, the old behaviour returns - Private Relay auto-disables when some network filtering software is running.

[jameyers4]

I’ve not tried that specifically, but I can believe it easily - I keep firewall on all the time. From my chair, something changed with MacOS Sequoia (15.0) - this was all working in last release of macOS 14.x.

On Sep 23, 2024, at 3:13 PM, Sergey Fionov @.***> wrote:

Seems that this issue is reproduced only if both Private Relay and Firewall are on.

If firewall is off, the old behaviour returns - Private Relay auto-disables when some network filtering software is running.

— Reply to this email directly, view it on GitHub https://github.com/AdguardTeam/CoreLibs/issues/1914#issuecomment-2369150216, or unsubscribe https://github.com/notifications/unsubscribe-auth/AHIJ5OIIOJLKM3LF5LTVOQLZYBR4ZAVCNFSM6AAAAABN6NIIKKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGNRZGE2TAMRRGY. You are receiving this because you commented.

[ameshkov]

@jameyers4 this is indeed a bug of Sequoia: https://www.theregister.com/2024/09/23/security_in_brief/

Quick question: does it help to add the following two domain to AdGuard's DNS blocklist:

mask.icloud.com
mask-h2.icloud.com

[jameyers4]

It does not help - still USATODAY.com http://usatoday.com/ ad’s

Jeff

On Sep 23, 2024, at 3:58 PM, Andrey Meshkov @.***> wrote:

@jameyers4 https://github.com/jameyers4 this is indeed a bug of Sequoia: https://www.theregister.com/2024/09/23/security_in_brief/

Quick question: does it help to add the following two domain to AdGuard's DNS blocklist:

mask.icloud.com mask-h2.icloud.com — Reply to this email directly, view it on GitHub https://github.com/AdguardTeam/CoreLibs/issues/1914#issuecomment-2369248744, or unsubscribe https://github.com/notifications/unsubscribe-auth/AHIJ5OIW7BQBTBZ4FD55WWTZYBXFZAVCNFSM6AAAAABN6NIIKKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGNRZGI2DQNZUGQ. You are receiving this because you were mentioned.

[ameshkov]

@jameyers4 you may need to restart AdGuard so that the rules kick in.

[jameyers4]

Yessss… that did it. Seems to work!

Jeff

On Sep 23, 2024, at 4:11 PM, Andrey Meshkov @.***> wrote:

@jameyers4 https://github.com/jameyers4 you may need to restart AdGuard so that the rules kick in.

— Reply to this email directly, view it on GitHub https://github.com/AdguardTeam/CoreLibs/issues/1914#issuecomment-2369275517, or unsubscribe https://github.com/notifications/unsubscribe-auth/AHIJ5OIRRNXTQ54OFTGFE5DZYBYVTAVCNFSM6AAAAABN6NIIKKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGNRZGI3TKNJRG4. You are receiving this because you were mentioned.

[jameyers4]

Sorry - forgot to turn Private Relay back on...

It is not working

Jeff

On Sep 23, 2024, at 4:11 PM, Andrey Meshkov @.***> wrote:

@jameyers4 https://github.com/jameyers4 you may need to restart AdGuard so that the rules kick in.

— Reply to this email directly, view it on GitHub https://github.com/AdguardTeam/CoreLibs/issues/1914#issuecomment-2369275517, or unsubscribe https://github.com/notifications/unsubscribe-auth/AHIJ5OIRRNXTQ54OFTGFE5DZYBYVTAVCNFSM6AAAAABN6NIIKKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGNRZGI3TKNJRG4. You are receiving this because you were mentioned.

[ameshkov]

We reported the issue to Apple: https://developer.apple.com/forums/thread/764531

[xJustxMegx]

We reported the issue to Apple: https://developer.apple.com/forums/thread/764531

Thanks for this! It's really annoying to have ads while on a different network then my home (mobile hotspot).

[sfionov]

In our tests filtering is working again on macOS 15.1 beta even with Firewall on.

I'm not sure if fix is present in 15.0.1 released today.

[atticusmatticus]

@sfionov, thank you for the information.

I have updated to the latest: macOS 15.0.1 and the issue persists. I'll post with any updates in the future.

A note to others trying to reproduce this; I have found that after enabling/disabling Private Relay I must fully quit Safari and relaunch for the filtering changes to take effect.

[jameyers4]

Just installed 15.1 on my M2 Pro MBP - still getting ads in Safari when I re-enable Private Relay. Am I missing something?

[Aydinv13]

@jameyers4 are you getting ads every time you enable Private Relay?

[jameyers4]

That is correct.

When I updated to macOS 15.0, had the problems with ads and Private Relay; turned off Private Relay - blocking worked.

Updated to 15.0.1 0 - same exact problem.

Updated today to 15.1 release - same (although apparently 15.1 beta was supposedly working).

Jeff

On Oct 28, 2024, at 12:39 PM, Aydin Baydarov @.***> wrote:

@jameyers4 https://github.com/jameyers4 are you getting ads every time you enable Private Relay?

— Reply to this email directly, view it on GitHub https://github.com/AdguardTeam/CoreLibs/issues/1914#issuecomment-2442091829, or unsubscribe https://github.com/notifications/unsubscribe-auth/AHIJ5OJ7LFFVIIYOWBUT2M3Z5ZLB5AVCNFSM6AAAAABN6NIIKKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDINBSGA4TCOBSHE. You are receiving this because you were mentioned.

[baslia]

In our tests filtering is working again on macOS 15.1 beta even with Firewall on.

I'm not sure if fix is present in 15.0.1 released today.

I am on macOS 15.1 and the problem is still the same Edit: I actually found a solution online: AdGuard Settings > Network > Filtering Mode > Automatic Proxy

[jameyers4]

Thank baslia! Outstanding! That did it. Thank you...

jameyers4

[atticusmatticus]

Isn't this more of a workaround than a fix? Perhaps I'm misunderstanding but isn't Automatic Proxy a less desirable option for the filtering mode?

[jameyers4]

It could well be, but for now it works…

Jeff

[jameyers4]

If someone can explain why this is less desirable, that would provide some context. If, in fact, it is less desirable, then what is it that still needs to be done (Apple fix, AdGuard changes..? Other?). At the moment, I'm happy to be able to have Firewall and Private Relay on, and have Ads blocked.

Jeff

[atticusmatticus]

I agree it is good to have a workaround in the meantime. Didn’t mean to diminish that.

Regarding the desirability, I’m just going off the description of each filtering mode in the AdGuard app itself. Kernel extension is the old method, network extension is the replacement of kernel ext. and guarantees best quality filtering, the automatic proxy seems to be billed as a workaround method with diminished filtering abilities to be used when the other modes aren’t working.

So I’m guessing this was a viable workaround this whole time? I’ll test it out and report back here as I haven’t upgraded to 15.1 yet. But I don’t think that the underlying problem has been fixed if Network Extension mode is still broken.

EDIT: Yes Automatic Proxy filtering mode does fix the issue on macOS 15.0.1 as well. So, this is a good temporary workaround until the issue (Apple / Adguard / ??) is fixed for the Network Extension mode.

[jameyers4]

Pending your findings, I agree with your assertions below…

Jeff

So I’m guessing this was a viable workaround this whole time? I’ll test it out and report back here as I haven’t upgraded to 15.1 yet. But I don’t think that the underlying problem has been fixed if Network Extension mode is still broken.

[atticusmatticus]

I've updated to macOS 15.1 as well and the issue is still present for me when on Network Extension filtering mode.

[jameyers4]

Well, I would not have expected that news, since for whatever reason it works for me on 15.1. Very odd.

On Oct 29, 2024, at 9:17 AM, atticusmatticus @.***> wrote:

I've updated to macOS 15.1 as well and the issue is still present for me when on Network Extension filtering mode.

— Reply to this email directly, view it on GitHub https://github.com/AdguardTeam/CoreLibs/issues/1914#issuecomment-2444201774, or unsubscribe https://github.com/notifications/unsubscribe-auth/AHIJ5OO7XTLMON52JGYYDL3Z56DIJAVCNFSM6AAAAABN6NIIKKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDINBUGIYDCNZXGQ. You are receiving this because you were mentioned.

[atticusmatticus]

I thought it only works for you when you change to Automatic Proxy mode?

[jameyers4]

Correct - only in automatic proxy filtering mode, it does not work in (preferred..?) network extension filtering mode.

On Oct 29, 2024, at 9:36 AM, atticusmatticus @.***> wrote:

I thought it only works for you when you change to Automatic Proxy mode?

— Reply to this email directly, view it on GitHub https://github.com/AdguardTeam/CoreLibs/issues/1914#issuecomment-2444256202, or unsubscribe https://github.com/notifications/unsubscribe-auth/AHIJ5OKIY2BUJSAUZQYEFQDZ56FOVAVCNFSM6AAAAABN6NIIKKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDINBUGI2TMMRQGI. You are receiving this because you were mentioned.

[atticusmatticus]

Yes, I’m in the same situation. Ads are blocked on Automatic Proxy mode and not blocked on Network Extension mode.

[jameyers4]

OK - good to know that we are seeing the same behavior.

[baslia]

Just as an update, the "Automatic Proxy" method doesn't filter properly the ads, and I had issues with this mode on my VPN. I am reverting to deactivating Apple Private Relay, which is also paid feature that I can't use anymore ...

[ameshkov]

Note that the easiest way to resolve it is to disable Firewall in the macOS Network settings. Not an ideal solution if you use it, but you could emulate some of its features with AdGuard using user rules / DNS blocklists.

[sfionov]

At first glance we did not notice that problem is somewhat masked but not fixed on 15.1 - iCPR may auto-disable in the first minutes after starting protection. However, after some time it is back.

We reported to Apple that problem was not fixed in 15.1 and provided them additional information.

UPD: Feedback ID: FB15279544

[Aydinv13]

We've published the new Nightly version with a workaround. Please check it on your side.

[jameyers4]

On mosOS 15.1, just installed nightly build. Changed AdGuard config filtering mode from Automatic Proxy to Network Extension - made sure that Safari was closed and restarted. Seems to be working... Will update if I see anything wonky.

[jameyers4]

^macOS... sheesh.....

[atticusmatticus]

I have upgraded to macOS 15.1 and I have installed the 2.16.0.1843 nightly and there appears to be no change. The way I'm testing this is by checking my IP via a terminal command (unaffected by Private Relay), and in Safari at www.whatismyip.com (affected by Private Relay). Between all of these tests I would fully quit AdGuard and Safari to try to minimize holdover blocking/leaking which I did observe a couple of times. Also, I replicated each result multiple times, again, to try to minimize holdover states.

Nightly Results

Private Relay ON, AdGuard OFF:

Safari IP != Terminal IP
Ads present

So, Private Relay is altering my browser IP as expected when AdGuard is off.

Private Relay ON, AdGuard ON (Network Ext. Mode):

Safari IP == Terminal IP
Ads blocked

So, Private Relay breaks when AdGuard is turned on but AdGuard blocks ads.

Private Relay ON, AdGuard ON (Auto. Proxy Mode):

Safari IP == Terminal IP
Ads blocked

So, Private Relay breaks when AdGuard is turned on but AdGuard blocks ads.

[ameshkov]

This is exactly how it's supposed to work, Private Relay is not used by Safari when there's a transparent proxy in the system. Moreover, it still works this way in every case save for one -- when Firewall is enabled in macOS settings. Transparent proxy is not the only case, this happens when any network extension is in the system.

In the meantime, full compatibility is on our roadmap, but constant breaking changes by Apple does not allow doing that.

[atticusmatticus]

Ah I see. Thank you for the information.

Though I'm not sure I am completely following... is the full compatibility that you mention the only way to get content blocking and Private Relay at the same time? or is that also possible with disabling firewall? Please forgive my ignorance.

Does AdGuard have any blog posts/information on the trade offs here or how this works? I find myself wishing I knew more about how this is all working (or not working as it were) under the hood.

[ameshkov]

@atticusmatticus in theory, the full compatibility is only achievable if AdGuard starts filtering Relay connections.

I should also add that Apple always positioned Relay as some kind of a semi-protection that does not provide any VPN-like guarantees. I.e. if there's literally anything that can potentially conflict with Relay or if the relay servers are unavailable for some reason, they'll just route the traffic directly and without notifying the user that something happened.

Does AdGuard have any blog posts/information on the trade offs here or how this works? I find myself wishing I knew more about how this is all working (or not working as it were) under the hood.

Not really, we haven't written anything about. We'll probably write a more detailed piece when the full compatibility is achieved because at first we'll keep it behind an advanced setting flag.

[baslia]

We've published the new Nightly version with a workaround. Please check it on your side.

Thanks, it worked for a bit, but then the ads started appearing again, and I had to turn off private relay

[atticusmatticus]

Same result here as @baslia actually. Just noticed it this morning.

[ameshkov]

@baslia @atticusmatticus quick question: do you have macOS Firewall enabled in the settings or maybe you're using a third-party firewall all?

[atticusmatticus]

Yes I have the firewall in System Settings > Network > Firewall enabled.

[ameshkov]

Hmm, the workaround should've kicked in then:( On the other hand it's effectively the same as keeping relay disabled anyways.

[baslia]

@baslia @atticusmatticus quick question: do you have macOS Firewall enabled in the settings or maybe you're using a third-party firewall all?

Nope, the firewall is off, but I do have another content filter

[ameshkov]

Nope, the firewall is off, but I do have another content filter

This is new, could you please tell me which one?

[atticusmatticus]

Should we be disabling firewall?

[baslia]

Nope, the firewall is off, but I do have another content filter

This is new, could you please tell me which one?

It's windows defender, but even if I deactivate it I have the same problem. The only viable solution is to deactivate private relay