We have a SAML-based SSO App Extension that uses WKWebView to load the SAML login request. This implementation has been working correctly on iOS versions prior to 26. However, starting with iOS 26, the extension consistently crashes when calling WKWebView.load(_:).
The crash occurs inside WebKit, specifically in:
/Library/Caches/com.apple.xbs/Sources/WebKit/Source/WebKit/UIProcess/WebsiteData/WebsiteDataStore.cpp
at
WebKit::WebPageProxy::loadRequest(...)
No app-level exception is thrown, and the extension terminates with:
Thread 10: EXC_BREAKPOINT (code=1, subcode=0x1a31dbe00)
It appears that WKWebView initialization or WebsiteDataStore creation is now restricted in extension contexts on iOS 26, but this change is not documented in the SDK release notes. Could you please confirm if this is an intentional sandbox restriction in iOS 26 or a regression in WebKit?
Steps to reproduce:
Implement an App Extension using ASAuthorizationProviderExtensionAuthorizationRequest.
Create a WKWebView instance in the extension.
Attempt to load a SAML login request (POST request with headers).
Observe immediate crash on iOS 26 (works fine on earlier versions).
Expected behavior:
WKWebView should load the request or fail gracefully as in prior releases, without crashing the extension process.
Request:
Please clarify if WKWebView usage inside extensions is officially unsupported as of iOS 26, and if so, recommend an alternative approach for handling SSO flows.
Oi vey! You’re calling WKWebView from a secondary thread:
Thread 4 Crashed:
…
7 WebKit … -[WKWebView loadRequest:] + 160
8 SSOExtension.debug.dylib … closure #1 in closure #2 in AuthenticationViewController.beginAuthorization(with:) + 2132
9 SSOExtension.debug.dylib … ChallengeApiHelper.performChallengeApiRequest(authorizationRequest:deviceId:completionHandler:) + 1952
10 SSOExtension.debug.dylib … closure #2 in AuthenticationViewController.beginAuthorization(with:) + 2012
11 SSOExtension.debug.dylib … thunk for @escaping @callee_guaranteed @Sendable (@unowned Bool, @guaranteed Error?) -> () + 132
12 AppSSO … __81-[SOAuthorizationRequest presentAuthorizationViewControllerWithHints:completion:]_block_invoke + 248
That’s so not allowed, and it’s triggering a trap that crashes your process.
Weirdly, the WebKit Features for Safari 26.1 blog post lists this:
- Fixed a crash when an app uses WKWebView::loadRequest API on background threads. (162225842)
So clearly you’re not the only one doing this O-: However, that still doesn’t make it right, and you need to fix your code.
Looking at how you got here, frame 10 seems to be key. This symbolicated as closure #2 in AuthenticationViewController.beginAuthorization(with:) + 2012. Now, beginAuthorization(with:) is documented to be called on the main thread. However, this isn’t that method per se, but rather a closure within that method. So, something inside that method is calling a system whose completion handler is being called on a secondary thread.
Based on frame 12, I suspect that’s your call to the presentAuthorizationViewController(completion:) method. It’s completion handler is not documented to be called on the main thread, and I think that’s the root cause of your problem here: In that completion handler you need to bounce to the main thread before calling WebKit.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
