After I updated to visionOS 26.4, I noticed my website environment would suddenly turn off occasionally while I was watching YouTube in Safari. My M2 AVP was still warm after the update. Is turning off a website environment expected behavior when the headset gets warm (e.g., perhaps to reduce load)? If not, anyone have an idea this might happen?

After updating to visionOS 26.4, I went to Safari's Feature Flags page to reenable Website environment, and I found the Website environment switch had been moved from the top and into the list of switches below. In its place is "Immersive API". I could not find any documentation on this. Anyone know what it is for or can point me to documentation?

We're developing a service that requires webtransport support in the browser. Currently, the only browser that doesn't provide support is the IOS version of Safari. Our current way forward for client use is to flag iphone and ipad as non compliant and recommend either desktop use or android. Is there any ballpark date as to when WebTransport will be included in IOS Safari (- webkit supports webtransport)?

Safari continues to display a "Fraudulent Website Warning" for openvan.camp despite the domain being clean across all major security databases for over a week. Chrome, Firefox, and all other browsers open the site without any warnings. Domain: openvan.camp Warning appeared: March 18, 2026 Warning type: Fraudulent Website Warning (red screen) Current security database status: Google Safe Browsing: ✅ Clean (transparencyreport.google.com) Google Search Console: ✅ No security issues Spamhaus DBL: ✅ Removed from blocklist Fortinet FortiGuard: ✅ Category "Travel" VirusTotal: ✅ 0/65 vendors URLVoid: ✅ 0/35 engines Steps taken: Removed the third-party ad network (Adsterra) that caused the original flag — March 18, 2026 Migrated hosting to Scaleway (AS12876, France), IP: 151.115.84.228 Configured SPF, DKIM, DMARC records Created functional abuse@ and postmaster@ role accounts Submitted review via websitereview.apple.com — no response after 5 days What we believe is happening: Apple's Safe Browsing database appears to have an independent entry for this domain that has not been updated despite all underlying security databases clearing the flag. Safari's warning persists even after deleting ~/Library/Safari/SafeBrowsing/ cache and re-downloading the database — which confirms this is not a local cache issue. Steps to reproduce: Open Safari on macOS or iOS Navigate to https://openvan.camp/ Safari displays "Fraudulent Website Warning" Open the same URL in Chrome — no warning Expected behavior: No warning should be shown. The domain is legitimate, clean, and verified. Has anyone experienced a similar issue? Is there any additional channel to escalate beyond websitereview.apple.com?

Thank you again for pushing the web forward in VisionOS 2, super exciting! The latest WWDC24 video touched on VR experiences for VisionOS2.0 using WebXR, however there was no mention of passthrough AR experiences. Samples such as this one are not supported: https://immersive-web.github.io/webxr-samples/immersive-ar-session.html In Settings > Safari, there is a feature flag for the AR WebXR module, but enabling it did not seem to change anything. Is this the expected behavior at this time? Any developer preview(s) we could try?

Considering how important smooth/continuous corners are for Apple throughout their various native platforms (and hardware), can we expect Safari to soon adopt this CSS feature? It's already live in Chrome https://developer.mozilla.org/en-US/docs/Web/CSS/Reference/Properties/corner-shape For those who are unfamiliar with smooth corners and how Apple uses them: https://www.youtube.com/watch?v=YElVQqNwrJ4&t=110s

Hi, We're experiencing a WKWebView issue where the screen intermittently turns pure magenta (#FF00FF) in our production iOS app. After investigation, we traced this to WebKit's internal WKCompositingView.mm where [UIColor magentaColor] is used as a pending state indicator when coverView.hidden == NO. This matches rdar://163597990 / WebKit Bug 303157 ("Magenta flash when loading page"), which was fixed in commit 303720@main on 2025-12-01 via PR #54499. My question is simple: which iOS/Safari release includes this fix? We're on iOS 26.3 and still seeing the issue. We need to know: Is the fix already in iOS 26.3? (If so, there may be another unfixed code path) If not, which upcoming iOS version will include it? Our environment iOS 26.3, iPhone 15 Pro Max WKWebView with complex web content App codebase contains zero magenta color usage — this is purely from WebKit Related rdar://163597990 Bug 303157 — RESOLVED FIXED Bug 230531 — "Pages render as magenta after being in background" PR #54499 — Merged to main 2025-12-01 Any information about the release timeline would be very helpful. Thanks!

I am reporting what appears to be a serious integrity flaw in Safari under iPadOS 26.3 (and lower) that materially undermines the reliability of Screen Time parental controls. This is not merely a UX inconsistency but a functional contradiction within a system explicitly marketed and positioned as secure parental control infrastructure. Device / Environment Device: iPad Air M3 13" (2025) OS: iPadOS 26.3 Safari (system version) Screen Time enabled with active restrictions Child account (10 years old) Background We deliberately chose an Apple device for school use based on the expectation that Apple’s system-level parental control mechanisms — especially Screen Time — are robust, tamper-resistant, and technically consistent. Screen Time is configured with: App limits Downtime Parental controls enabled with limited web content restrictions (school requirements prevent strict blocking) Safari enabled (mandatory for educational use) further parental control restrictions Because aggressive website blocking would interfere with legitimate school activities, monitoring Safari browsing history is a central supervisory mechanism. When Screen Time is active: Clearing the entire browsing history via Safari is correctly blocked. Clearing history via system settings is correctly blocked. The system explicitly communicates that deletion is not permitted due to Screen Time restrictions. This behavior establishes a clear user expectation: Browsing history is protected against manipulation. The Issue Despite the above safeguards, individual browsing history entries can be deleted easily and silently through the address bar suggestion interface. This creates a structural contradiction: Full deletion is blocked. Selective deletion — which is arguably more problematic — remains possible. Steps to Reproduce Enable Screen Time with restrictions that prevent deletion of browsing history (for example on a student device with a child account). Open Safari and visit any website. Confirm it appears in Safari history. Tap the Safari address bar. Type part of the URL or page title. Safari suggests the previously visited page below the address bar. Swipe left on that suggestion. A red “Delete from History” button appears. Tap it. Actual Result The entry disappears immediately: No Screen Time PIN required No authentication request No warning No restriction triggered No parental notification No audit trace visible Deletion occurs silently and irreversibly. Expected Result When Screen Time is configured to prevent browsing history deletion: Individual entries must not be deletable Deletion must require Screen Time authentication Anything else defeats the protective purpose of the restriction. Real-World Impact In practical use, this allows minors to selectively sanitize browsing history while preserving a seemingly intact record. In our case, this method is widely known among classmates and routinely used to conceal visits to gaming or social media platforms during school hours. The technical barrier to exploitation is negligible. This results in: A false sense of security for parents A discrepancy between advertised functionality and actual system behavior A material weakening of parental control integrity When a system explicitly blocks full history deletion but permits silent selective deletion, the protection mechanism becomes functionally inconsistent and unreliable. Given that Screen Time is publicly positioned as a dependable parental control framework, this issue raises concerns not only about implementation quality but also about user trust and reasonable reliance on advertised safeguards. Request Please classify this as a parental control integrity and trust issue. Specifically: Disable individual history deletion while Screen Time restrictions are active OR Require Screen Time passcode authentication for deleting single entries Screen Time is presented as a secure supervisory environment for minors. In its current implementation under iPadOS 26.3 and before, that expectation is technically not met. This issue warrants prioritization.

Steps to reproduce: Create a CSS grid with fractional column widths e.g. grid-template-columns: repeat(3, 518.7875px) Set browser zoom to 85% or 115% Observe columns misalign with background-size pattern Expected: Columns render consistently at all zoom levels Actual: Subpixel rounding causes visual misalignment macOS: 13/14/15 inch MacBook

We are developing a mobile-first, browser-only web application that requires users to upload 20–200 images stored inside a single folder (for example, a merchant product directory). On iOS Safari: window.showDirectoryPicker() is not supported. is not supported. File System Access API is not available. Users must manually multi-select images from the Photos picker. This creates significant friction for bulk upload workflows. We are NOT requesting unrestricted file system access. We are asking whether a privacy-preserving, user-granted folder-scoped permission model is being considered for web applications. For example: User explicitly selects a folder. The web app receives scoped access only to that selected folder. Access is session-bound and revocable. No background or global storage access is required. Questions: Is folder-level access for web apps being considered for iOS Safari? Does installing a PWA provide any enhanced file access capability? Are there recommended best practices for handling bulk image uploads in browser-only iOS applications? Is there any roadmap alignment with the File System Access API standard? Our goal is to remain browser-only and maintain strict user privacy while improving usability for high-volume image workflows. Any clarification on intended platform direction would be appreciated.

I created a form field using: On Safari and Chrome desktop, it behaves as expected. Safari shows the current date in grey by default, and Chrome displays a format hint like dd.mm.yyyy, which is perfectly fine. On iOS, however, the field appears completely blank. I understand that the placeholder attribute is not part of the iOS date input behavior, which is technically fine. Still, it would be helpful if developers had the option to define a default display value. In the past, browsers prefilled date inputs, but many developers objected because they needed the field to be empty by default. I have searched extensively and tried several AI tools, and everywhere it says that this cannot be changed. Am I missing something, or is there any way to display a placeholder, the current date, or some kind of visual hint in iOS Safari? Right now, the empty field creates poor UX because users may overlook it. Since the field is required, this can easily lead to validation errors and additional friction. As a workaround, I used a CSS hack with input[type="date"]::before and a content attribute. I also added JavaScript to toggle a pseudo-placeholder value specifically for iOS. Is there a cleaner solution that avoids this workaround? Thanks in advance for your guidance.

Summary: We are facing a serious issue on iPhone where multiple passkey authentication problems occur when accessing passkey-enabled login pages via shortcuts placed on the iPhone Home Screen. These issues may also occur when opening the same pages directly in a standard browser window. However, launching the login pages from a Home Screen shortcut appears to increase the likelihood of encountering these issues. Affected Services (examples, not exhaustive): Amazon GitHub Adobe Observed Issues: Issue 1: A passkey authentication dialog/popup shows two times without any user operation: What happens due to this issue: Login does not complete after the first passkey authentication. A second passkey authentication UI automatically appears. Completing or canceling the second authentication allows the login to proceed. Issue 2: Login remains stuck until the user manually invokes passkey again What happens due to this issue: The login page does not advance after the first authentication. The user must tap the ID/username field again to manually trigger the passkey UI. Completing the second authentication enables login. Issue 3: Automatic second authentication occurs, but login still fails What happens due to this issue: A second automatic authentication UI appears. Login still does not complete. Tapping the ID field no longer opens the passkey UI; instead, the password auto-fill panel appears. Passkey login becomes impossible. Observed reproduction steps (not guaranteed but most consistently observed): On iPhone, navigate to a passkey-enabled login page (e.g., Amazon, GitHub, Adobe) using a browser. Create a shortcut from the browser's share menu and place it on the Home Screen. Launch the login page from the Home Screen shortcut. Tap the ID/username field to invoke the passkey prompt. Complete passkey authentication. → One of the issues described above occurs. Environment: Device: iPhone SE OS: iOS 18.6.2

We're trying to implement Cross-domain session check for SSO by making CORS request. is Intelligent Tracking Prevention blocks all cookies in CORS requests? I saw all cookies are blocked in CORS requests. We are not able to check the auth session in source domain. Are there anyway to bypass this without user interaction? benefitier.com -> source.com

Issue: On Safari, two Smart App Banners appear for the same webpage when the iOS app is installed. Cause: • Banner 1: Native Apple Smart App Banner, automatically triggered by Safari via AASA / Universal Links. • Banner 2: Smart banner injected by a third-party SDK (Branch.io). • Both operate independently, resulting in duplicate banners. Finding: Safari’s native Smart App Banner behavior is system-controlled and cannot be disabled programmatically using web rules or JavaScript while Universal Links are enabled. Question: Is this behavior expected by design? Is there any Apple-supported way to suppress the native Smart App Banner when using a third-party banner, or is the recommended approach to rely on only one banner system?

When using iOS 26.2 (23C55) Safari, the following can occur. The current tab (A) opens a new tab (B) via window.open(url, target, windowFeatures). The user clicks the "back" button to close tab B, and returns to tab A. Tab A attempts to open tab B again at a later point, using the same "target" as before, and fails (no window object is returned by window.open). This bug only occurs when the target is the same as the previously closed tab (which was closed via the back button). If a new target is specified, the new tab opens as expected. This bug is also limited to the back button. If the user manually closes tab B, then it can be re-opened by tab A using window.open using the same target as before.

Hello Friends, This is my first post so would love any suggestions on how to make posts here. So I have a shopify widget which is type of clone for Instagram stories, with videos but I noticed some issues where my videos are kind of unresponsive or just shuts down. Below is the screen shot of the issue: This problem I noticed on iPhone 11 Pro on clients phone, the IOS version is below 26. Some times my iPhone 13 also faces same issue but only when battery is low and multiple heavy apps are opened. Attached a code block also: {validStories.map((story) => { const videoUrl = extractVideoUrl(story.sv?.[0]?.m); const storyThumbnail = story.tu && story.tu.length > 0 ? story.tu : null; const videoThumbnail = story.sv?.[0]?.m?.[0]?.t && story.sv[0].m[0].t.length > 0 ? story.sv[0].m[0].t : null; const thumbnailUrl = storyThumbnail || videoThumbnail; const hasThumbnail = !!thumbnailUrl; const isPlaying = playingVideoIds.has(story.i); const shouldRenderWrapper = hasThumbnail || isPlaying; return ( <div key={story.i} className="ins-story-item" onClick={(e) => { handleActiveStoryChange(story.i, e); handleActiveVideoId(story.i); }} style={{ position: "relative", zIndex: 1 }} > {shouldRenderWrapper && ( <div className="ins-story-circle-wrapper" style={{ position: "relative", overflow: "hidden" }} > {hasThumbnail && !isPlaying && ( <img src={thumbnailUrl} alt={story.t} className="ins-story-image" onError={() => { console.log( `[Story ${story.i}] Thumbnail failed to load: ${thumbnailUrl}` ); }} /> )} <video src={videoUrl} className="ins-story-video" autoPlay={true} muted playsInline loop onLoadedData={() => handleVideoPlaying(story.i)} onPlaying={() => handleVideoPlaying(story.i)} onError={(e) => { console.log(`[Story ${story.i}] Video error`, e); }} /> </div> )} {story.t !== "New Collection" && ( <span className="ins-story-title">{story.t}</span> )} </div> ); })} </div> {activeStoryId && <StoryModal />} </>```

We operate a native iOS app that authenticates users via the system browser using OIDC against a 3rd party SaaS authentication broker, which then performs authentication against the individual customer IdPs using SAML within the browser session, and then completes the OIDC login between the broker and our application. Our application initiates the OIDC login using ASWebAuthenticationSession, using the broker’s library, against the broker, and at that point the authentication workflow is handled by the broker. At the beginning of the login session, the broker sets a session-identifying cookie for their domain, before redirecting the user to their company’s identity provider to authenticate, which then redirects the user back to the broker. Intermittently, Mobile Safari does not include that previously set cookie on the final communication with the broker, when being redirected from the IdP as the final step of the SAML portion of the login workflow. When the cookie is missing, the broker cannot correlate the authentication response to the original request and the login fails, even though the user successfully authenticated at their identity provider. The same user can sometimes find success after retrying on the same device minutes later, without any changes. When we first started diagnosing this issue, we were seeing about a 20% rate of these errors across all Mobile Safari logins, which we can identify fairly conclusively (from provider logs, based on their guidance) as being caused by the session cookie set in one request not being provided on the subsequent request to the same domain. Our authentication broker provider has indicated, based on their server logs, and logs from an affected device, that this behavior is caused by Mobile Safari’s Intelligent Tracking Protection (ITP) causing Mobile Safari to not send the login session cookie to the broker when handling the SAML redirect from the IdP back to them. Our authentication broker provider recommended that we switch the SAML Request binding setting from POST to Redirect in the SAML configurations against our customer IdPs, which reduced the rate of these errors to about 5% for most of our customers. However, we have at least one customer which is still seeing about a 20% rate in these errors for Mobile Safari logins after this change, and even a 5% error rate seems high. Our authentication broker has not been able to suggest any further remediation options, and has suggested we contact Apple for assistance. Our questions are: Is it reasonable to assume that ITP is causing this issue? Is there any way to confirm, conclusively, that ITP has caused a previously-set cookie to not be provided on a subsequent request to the same domain, i.e. via device logs? If so, are there any steps which can be taken to reduce or eliminate this error? Changes to how ASWebAuthenticationSession is invoked? Changes to the Authentication Broker which would reduce the chance of ITP being triggered? Changes to the Customer IdP configuration which would reduce the chance of ITP being triggered?

I’m a developer working on a Safari Web Extension that’s distributed via the App Store and also tested locally through Xcode. I’m running into an issue that’s affecting my ability to debug errors reported to my Sentry error logging instance from production. The Problem When an error is thrown in one of my extension scripts (e.g., background.js, popup.js, or content.js), the error is sent to Sentry but the captured JavaScript error stack trace replaces the file paths with the webkit-masked-url://hidden placeholder like this: ReferenceError: Cannot access uninitialized variable. at ? (webkit-masked-url://hidden/:14677:28) at ? (webkit-masked-url://hidden/:16307:3) This happens consistently across both App Store builds and local Xcode runs. It prevents me from seeing which script the error came from or resolving the actual source code lines using uploaded source maps in Sentry. My Setup Safari Version: 18.5 (Stable on macOS) Distribution: App Store and local Xcode development Extension Type: Safari Web Extension Error Reporting: Sentry (@sentry/browser SDK) Bundler: Webpack with inline-source-map What I’ve Confirmed I can see the actual source files in Safari’s Web Inspector under the Sources tab when the extension is running. My source maps are uploaded to Sentry correctly and are associated with the matching release. Errors from Safari are being captured by Sentry, but the file URLs are masked, so stack traces cannot be resolved against my original source. My Question Is this behavior (masking file URLs in stack traces with webkit-masked-url://hidden/) intentional for Safari Web Extensions? If so, is there any supported method or workaround to allow exception stack traces to reveal the original script path (e.g., popup.js, background.js) so tools like Sentry or even console logs can point to real locations? I fully understand the privacy/security rationale behind the masking, but as the extension developer, this is making it extremely difficult to debug runtime issues in production. I’d really appreciate any insight into: Whether this masking is expected and permanent behavior If there are any entitlements, debug settings, or Info.plist keys that can alter this behavior for development or for trusted/own extensions If Apple recommends a different way to log extension errors that includes script name or source references Thanks in advance for your help! I’m happy to share more technical details or try out suggestions.

I want to migrate from a Safari App Extension to a Safari Web Extension, but don't know how to get rid of the message, telling users that my extension can access their passwords. Here is a message which I see: I was thinking that this might be because all Safari Web Extension get this type of access, but I have a Safari Web Extension which does not require such level of access: Here is the manifest: { "manifest_version": 2, "default_locale": "en", "name": "__MSG_extension_name__", "description": "__MSG_extension_description__", "version": "1.1", "icons": { "48": "images/icon-48.png" }, "background": { "scripts": [ "background.js" ], "persistent": true }, "browser_action": { "default_popup": "popup.html", "default_icon": { "16": "images/toolbar-icon-16.png" } }, "permissions": [ "nativeMessaging", "tabs" ] } and here is the Info.plist file: Here is the entire code of the extension: https://github.com/kopyl/web-extension-simplified

It seems Safari 18's fetch() does not include credentials even credentials: include and safari extension has host_permissions for that domain. Is there anyone has this problem? I try to request in popup.js like this: const response = await fetch( url, { method: 'GET', mode: 'cors', credentials: 'include', referrerPolicy: 'no-referrer', } ); and it does not include the cookie from host_permissions. Those code worked in Safari 17 (macOS Sonoma).