Proxy .PAC file no longer works

On Safari 6.0.3 Mountain Lion i used /System/Library/PrivateFrameworks/WebKit2.framework/WebProcess.app/Contents/Reso urces/com.apple.WebProcess.sb

;; Plugins

(subpath "/Library/Internet Plug-Ins")

(home-subpath "/Library/Internet Plug-Ins")

I have used my tools to look at the Safai 6.0.4 and see what it actually includes and you are correct Tom, the file

path i should be looking at now for 6.0.4 is

/System/Library/StagedFrameworks/Safari/WebKit2.framework/WebProcess.app/Contents/Resources/com.apple.WebProcess .sb

Grrr... With the Safari 6.0.5 (Mac OS X 10.8.4) update, it looks like Apple has moved the sandbox configuration file back to:

/System/Library/PrivateFrameworks/WebKit2.framework/WebProcess.app/Contents/Reso urces/com.apple.WebProcess.sb

They've made some minor changes to the file since 6.0.4. After re-adding my pointers to my proxy.pac file, the proxy stuff works again...

best regards,

tom

This is getting annoying: Another new version of Safari (7.0), in Mavericks, another sandbox file to modify in order to use a local .pac proxy file.

The .sb file to modify in order to get this working again is now located here:

/System/Library/PrivateFrameworks/WebKit2.framework/Versions/A/Resources/com.app le.WebKit.NetworkProcess.sb

I added the following line in red at line 24, after into this spot in the beginning of the file:

______________________________________

;; Basic system paths

(subpath "/Library/Frameworks")

(subpath "/Library/Managed Preferences")

;; System and user preferences

(literal "/Library/Preferences/.GlobalPreferences.plist")

(literal "/Users/tfischer/Documents/proxy.pac")

(regex #"^/Library/Managed Preferences/[^/]+/com\.apple\.networkConnect\.plist$")

______________________________________

You will also notice that the "Proxies" section of the Network settings window no longer provides a "Choose File" button in the Proxy Configuration File field: Mavericks now expects you to use a URL. To use a local file, you just need to prefix the full file patch with "file://localhost/" (which is what the "Choose File" button did for you pre-Mavericks). So for my example above, I have the following in the Proxy Configuration File URL field:

file://localhost/Users/tfischer/Documents/proxy.pac

I hope this helps anyone else trying to get Safari to play nice with local .pac files!

best regards,

tom

Hi Everyone,

I stumbled across this post after trying to create my 1st PAC file on a MAC Book Pro running OSX 10.9

As far as I can tell I have done everything suggested within this thread but when I browse the internet it doesn't work.

Here is what I've done,

I've have edited the below file

/System/Library/PrivateFrameworks/WebKit2.framework/Versions/A/Resources/com.app le.WebKit.NetworkProcess.sb

and added the line

;; Basic system paths

(subpath "/Library/Frameworks")

(subpath "/Library/Managed Preferences")

;; System and user preferences

(literal "/Library/Preferences/.GlobalPreferences.plist")

(literal "Users/sbrett/Documents/proxy.pac")

I've added my very basic Pac file to the above highlighted location, the PAC file looks like the below -

function FindProxyForURL(url,host) {

return "PROXY 131.1.2.10:8080; DIRECT";

}

If I specify the proxy server settings within the browser, firefox works fine and I can browse the internet but when I use the proxy.pac file it fails.

I do intend to develop this PAC file further so that certain URLS bypass the proxy and also so that the proxy isn't used when not on the company network, but initialy I'm just trying to get it to work within the company network.

Can anybody provide me with some advice on what i'm doing wrong?

Many Thanks

Ste

Hi Tom,

Thanks very much for your quick response :-)

Unfortunately the missing forward slash ("/") is just in my message on this thread, I did actually type it into the com.app le.WebKit.NetworkProcess.sb file as below. Sorry about that...

(literal "/Users/sbrett/Documents/proxy.pac")

Does this mean that i've followed your guidelines correctly and that my PAC file should work?

Is there a way that I can log what is going on to see what is failing?

Thanks

Ste

Hi Ste,

Your setup looks ok to me. You might be able to see what is going wrong via the Utilities/Console.app, filtering on "webkit" or "proxy" when looking at "All Messages". The only caveat here is that you may also see several "false positive" log messages, which is what I see in my setup - it appears as if the children processes launched by Safari for each tab or new window are not able to read the proxy.pac file. However, at least on my system, this doesn't appear to impact Safari's ability to actually use the proxy configuration - it appears as if only the parent process needs to load the pac file. So, maybe you should first try launching Safari while watching the log messages with Console.app, and look for error messages that get reported at launch-time?

best regards,

tom

It looks like Safari 7.0.3 (released beginning of April 2014) moved the sandbox file that needs to be modified to a new spot again. With this newest release, I was able to get my proxy.conf up and running again by modifying the following file:

/System/Library/StagedFrameworks/Safari/WebKit2.framework/Versions/A/Resources/c om.apple.WebKit.NetworkProcess.sb

I've added the following line in red to line 47 of the file:

____________________________________________

;; Basic system paths

(subpath "/Library/Frameworks")

(subpath "/Library/Managed Preferences")

;; System and user preferences

(literal "/Library/Preferences/.GlobalPreferences.plist")

(literal "/Users/tfischer/Documents/scripts/proxy.pac")

(regex #"^/Library/Managed Preferences/[^/]+/com\.apple\.networkConnect\.plist$")

(home-literal "/Library/Preferences/.GlobalPreferences.plist")

(home-regex #"/Library/Preferences/ByHost/\.GlobalPreferences\.")

(home-regex #"/Library/Preferences/ByHost/com\.apple\.networkConnect\.")

____________________________________________

best regards,

tom

Hello, I've done exactly what you mentioned, but it's still not working. Then I tried to look at the Console.app, it prints

5/24/14 16:00:35.962 sandboxd[492]: ([1170]) com.apple.WebKit(1170) deny file-read-data /Users/ian/Programs/goagent/local/proxy.pac

"deny file-read-data", any solution to this? Thank you!

Hi Ian,

It's hard to tell exactly what process is being denied access to your proxy.pac from the Console.app messages: My proxy config works as described in my previous posts (even after upgrading to Safari 7.0.4), but I also get those "deny file-read-data" messages in my logs all the time. Mail.app also launches com.apple.WebKit processes, and those processes log these same "deny file-read-data" errors. Also, I believe that there is a com.apple.WebKit child process for each tab that you have open in Safari. Each child process may generate the error message as well, but despite this, I've found that the tab is still correctly redirecting traffic to the various SOCKS5 proxies/tunnels defined in the proxy.pac file.

My employer's remote access solution recently moved from an IPsec-based solution (Nortel/Avaya Contivity) to the Juniper SSL solution, with use of the JunOS Pulse client on our Macs/PCs. I've found that when I'm connected to my work's intranet via the JunOS Pulse connection, the proxy.pac stuff no longer works at all. I believe that JunOS Pulse silently replaces the proxy.pac configuration with its own (or just deactivates access to it) in order to correctly establish the SSL / VPN connection. I haven't yet found a way to address this issue. In this case, my hacky, frustrating, workaround has been to use Mozilla Firefox with the proxy.pac file configured via Firefox's preferences options instead of using Safari whenever I need to access sites that would normally be found behind my various proxies.

Have you been able to test the use of your proxy.pac file with all remote access / SSL / VPN software turned off (i.e., just a direct connection to your network)?

Sorry I don't have a better answer than this 😕

best regards,

tom

Hi Tom,

Yes, I can use Chrome as a alternative, as it has a extension called "SwitchySharp" which can be used to switch proxy efficiently. However, I prefer to use Safari as it's more native.. I've tried several times but Safari seems to refuse to use the proxy.pac. Finally, I went to use the apache server service, it's working now.

Thank you for your time!

ian

The problem is global now. Starting with 10.9.2 or 10.9.3 it broke the support. Same thing for 10.10. Same problem with a http proxy config with Apple Configurator on OS X and iOS. Nothing works anymore. I submitted the bug to Apple via the Feedback app. I hope they will take this problem seriously.

It looks like Safari 7.0.6 moved things around again. I was able to get my local proxy.pac file working again by modifying the following file:

/System/Library/StagedFrameworks/Safari/WebKit2.framework/Versions/A/Resources/c om.apple.WebKit.NetworkProcess.sb

I inserted the following line (in red) after line 46 of the file:

____________________________________________

;; System and user preferences

(literal "/Library/Preferences/.GlobalPreferences.plist")

(literal "/Users/tfischer/Documents/scripts/proxy.pac")

(regex #"^/Library/Managed Preferences/[^/]+/com\.apple\.networkConnect\.plist$")

(home-literal "/Library/Preferences/.GlobalPreferences.plist")

(home-regex #"/Library/Preferences/ByHost/\.GlobalPreferences\.")

(home-regex #"/Library/Preferences/ByHost/com\.apple\.networkConnect\.")

(home-literal "/Library/Preferences/com.apple.DownloadAssessment.plist")

(home-literal "/Library/Preferences/com.apple.WebFoundation.plist")

____________________________________________

After making the above change and restarting Safari, the browser started using the proxy.pac file again...

tom

Safari 7.1 broke my proxy.pac setup again, by updating the following file:

/System/Library/StagedFrameworks/Safari/WebKit2.framework/Versions/A/Resources/c om.apple.WebProcess.sb

At this point, I think that directions to allow Safari/WebKit processes to read a proxy.pac file might actually be needed in three separate files:

/System/Library/PrivateFrameworks/WebKit2.framework/Versions/A/Resources/com.app le.WebKit.NetworkProcess.sb

/System/Library/StagedFrameworks/Safari/WebKit2.framework/Versions/A/Resources/c om.apple.WebKit.NetworkProcess.sb

/System/Library/StagedFrameworks/Safari/WebKit2.framework/Versions/A/Resources/c om.apple.WebProcess.sb

Every time Safari gets updated, one of the above three files gets updated, breaking the ability to allow Safari to read my proxy.pac file. Rather than continue to play whack-a-mole, I noticed that at the beginning of all three files, they all contain the following line "(import system.sb)". So, I've moved my fix to the following file:

/System/Library/Sandbox/Profiles/system.sb

I've added the following line (in red) to the above file at line 132:

____________________________________________

;;; (system-network) - Allow access to the network.

(define (system-network)

(allow file-read*

(literal "/Users/tfischer/Documents/scripts/proxy.pac")

(literal "/Library/Preferences/com.apple.networkd.plist"))

(allow mach-lookup

____________________________________________

After adding the above line to system.sb, and restoring the other three .sb files back to their original versions, I'm back in business with Safari being able to read and use a local proxy.pac file...

tom

Local PAC will not work bc of the sandbox mechanism in Lion.

Using a remote (http://) should be fine.

same victim here, and a similar topic below

Safari 5.1 ingores .pac file

https://discussions.apple.com/thread/3194478?answerId=15731770022#15731770022