Hello! I have a few questions about integrating an OAuth2 API into my Swift application. I am using this API to access user data from the website (users will authenticate themselves within the app). I have seen other apps use this API in the way that I am describing it so I know that it is possible. However, I am not sure how to implement it. Are there any recommended ways to use an OAuth2 API in my application? The API that I am using does not specifically say that it supports PKCE. However, I have heard from some sources that it does. If it does not support PKCE, how do I still create a secure app infrastructure that will pass App Store Review? At a more basic level, what is the difference between OAuth2 and PKCE? What should I use in my app? Are there any resources to learn a little bit more about these protocols so that I understand them better? Thanks!

I'm not loving the huge Favorites icons in Safari on MacOS 26, is there a way to reduce the size of them so that we can see more favorites on the list without scrolling down?

Hello there, For a video like this <video src="blob:safari-web-extension://***" autoplay="" loop="" style="position: absolute; top: 0px; left: 0px; width: 100%; height: 100%; object-fit: cover; z-index: -1;"></video>, no matter if its local or remote, blob or mp4 files, is constantly being reloaded (refetched? revalidated?) if the loop tag is added. I can confirm there is actual constant traffic from the server based on my server logs. I am running iOS/macOS 26.

How can I make a background image take the entire screen in ios26? I've tried position fixed, sticky, env() css variables but nothing worked. It does it when in PWA mode, but I would like to do so in the browser too.

I'm trying to download mods for Stardew Valley, before the beta it worked but now it doesn't. Is there anyone who can help to fix this? Used Firefox and Safari as well as Safari on my ipad.

We are working on an internal enterprise iOS application which we need to host a pretty complex web page inside. We have been reading regarding the WKWebView and how it performs inside of iOS shell, but there is no real data on what are the limitation of the WKWebView in terms of memory for the hosted Web Page. Let's say we could measure our iOS app before the WKWebView is launched and after it is launched. We see that the memory consumption of the web page loaded into WKWebView is X mb. How would we know that iOS would allow an app with such webpage loaded into WKWebView and won't terminate the app which the web page is loaded. Is there any documentation regarding on what is the maximum allowed memory for the web page which is hosted inside of WKWebView? And another question, for the Enterprise Developer Program are there any ways to increase the limit of the memory a specific iOS app is allowed to consume before it is terminated from iOS device due to low memory warning from iOS?

Hello, We received a rejection on one of our IOS applications because we were doing Microsoft MSAL login through the user's browser. The representative recommended that we use Webview to do in-app logins. However when we tried to handle the custom app uri redirection (looking like myapp://auth/), Webview does not seem to send the user back to the application. Does anyone have a fix for this? Thanks!

After reading several posts I see that I need to add the "com.apple.developer.web-browser.public-key-credential" capability to my macOS app in order to get it to work. So my noob question is where do I request this capability? Can I as a developer request it or does the Account owner need to request it? Once approved, how do I add it to my app's capabilities? Thanks for your patience

Hello We've encountered an issue with WKWebView in the latest iOS 26 beta. When loading a PDF URL, the background of the PDF viewer now displays as a dark gray instead of the expected white. Device: iOS 26 Simulator/Device Component: WKWebView Issue: The background color of the loaded PDF is gray. Expected Behavior: The background should be white, as it has been in all previous iOS versions. Link for Testing: https://help.apple.com/pdf/security/en_US/apple-platform-security-guide.pdf We confirmed that the same PDF and code render with a white background on iOS 26 and earlier. Questions: Is this an intentional change in iOS 26's WKWebView? If so, is there a new property or configuration setting available to control the background color of the PDF viewer within WKWebView? We would like to have the ability to set it back to white. Any insights, workarounds, or information on this matter would be greatly appreciated. Thank you.

Create shortcut to open chrome with url and put it on the desktop. Tap the shortcut. Tap the username text field. When launching Safari from an iOS shortcut on an iOS device with a valid passkey registered, the passkey suggestion does not appear; instead, the password suggestion appears sometimes.

I coded two demo websites as follows (both written in NextJS): Website 1: I coded an interval counter that increments every 1 second. Website 2: I used the MediaRecorder API (described in the WebKit documentation: https://webkit.org/blog/11353/mediarecorder-api/). In the ondataavailable function, I periodically send a blob (once every 1 second) to my server. In the backend, I coded a POST API to upload this blob. I noticed that with website 1, the interval doesn't work when I run Safari in the background, even on iOS and iPadOS. However, website 2 works, meaning it still calls my API normally (I tried running Safari in the background for about 1-2 hours and it worked). So, does this mean Apple allows native APIs like MediaRecorder and its callbacks to run in the background?

Hello Friends, This is my first post so would love any suggestions on how to make posts here. So I have a shopify widget which is type of clone for Instagram stories, with videos but I noticed some issues where my videos are kind of unresponsive or just shuts down. Below is the screen shot of the issue: This problem I noticed on iPhone 11 Pro on clients phone, the IOS version is below 26. Some times my iPhone 13 also faces same issue but only when battery is low and multiple heavy apps are opened. Attached a code block also: {validStories.map((story) => { const videoUrl = extractVideoUrl(story.sv?.[0]?.m); const storyThumbnail = story.tu && story.tu.length > 0 ? story.tu : null; const videoThumbnail = story.sv?.[0]?.m?.[0]?.t && story.sv[0].m[0].t.length > 0 ? story.sv[0].m[0].t : null; const thumbnailUrl = storyThumbnail || videoThumbnail; const hasThumbnail = !!thumbnailUrl; const isPlaying = playingVideoIds.has(story.i); const shouldRenderWrapper = hasThumbnail || isPlaying; return ( <div key={story.i} className="ins-story-item" onClick={(e) => { handleActiveStoryChange(story.i, e); handleActiveVideoId(story.i); }} style={{ position: "relative", zIndex: 1 }} > {shouldRenderWrapper && ( <div className="ins-story-circle-wrapper" style={{ position: "relative", overflow: "hidden" }} > {hasThumbnail && !isPlaying && ( <img src={thumbnailUrl} alt={story.t} className="ins-story-image" onError={() => { console.log( `[Story ${story.i}] Thumbnail failed to load: ${thumbnailUrl}` ); }} /> )} <video src={videoUrl} className="ins-story-video" autoPlay={true} muted playsInline loop onLoadedData={() => handleVideoPlaying(story.i)} onPlaying={() => handleVideoPlaying(story.i)} onError={(e) => { console.log(`[Story ${story.i}] Video error`, e); }} /> </div> )} {story.t !== "New Collection" && ( <span className="ins-story-title">{story.t}</span> )} </div> ); })} </div> {activeStoryId && <StoryModal />} </>```

Issue: On Safari, two Smart App Banners appear for the same webpage when the iOS app is installed. Cause: • Banner 1: Native Apple Smart App Banner, automatically triggered by Safari via AASA / Universal Links. • Banner 2: Smart banner injected by a third-party SDK (Branch.io). • Both operate independently, resulting in duplicate banners. Finding: Safari’s native Smart App Banner behavior is system-controlled and cannot be disabled programmatically using web rules or JavaScript while Universal Links are enabled. Question: Is this behavior expected by design? Is there any Apple-supported way to suppress the native Smart App Banner when using a third-party banner, or is the recommended approach to rely on only one banner system?

We're trying to implement Cross-domain session check for SSO by making CORS request. is Intelligent Tracking Prevention blocks all cookies in CORS requests? I saw all cookies are blocked in CORS requests. We are not able to check the auth session in source domain. Are there anyway to bypass this without user interaction? benefitier.com -> source.com

Summary: We are facing a serious issue on iPhone where multiple passkey authentication problems occur when accessing passkey-enabled login pages via shortcuts placed on the iPhone Home Screen. These issues may also occur when opening the same pages directly in a standard browser window. However, launching the login pages from a Home Screen shortcut appears to increase the likelihood of encountering these issues. Affected Services (examples, not exhaustive): Amazon GitHub Adobe Observed Issues: Issue 1: A passkey authentication dialog/popup shows two times without any user operation: What happens due to this issue: Login does not complete after the first passkey authentication. A second passkey authentication UI automatically appears. Completing or canceling the second authentication allows the login to proceed. Issue 2: Login remains stuck until the user manually invokes passkey again What happens due to this issue: The login page does not advance after the first authentication. The user must tap the ID/username field again to manually trigger the passkey UI. Completing the second authentication enables login. Issue 3: Automatic second authentication occurs, but login still fails What happens due to this issue: A second automatic authentication UI appears. Login still does not complete. Tapping the ID field no longer opens the passkey UI; instead, the password auto-fill panel appears. Passkey login becomes impossible. Observed reproduction steps (not guaranteed but most consistently observed): On iPhone, navigate to a passkey-enabled login page (e.g., Amazon, GitHub, Adobe) using a browser. Create a shortcut from the browser's share menu and place it on the Home Screen. Launch the login page from the Home Screen shortcut. Tap the ID/username field to invoke the passkey prompt. Complete passkey authentication. → One of the issues described above occurs. Environment: Device: iPhone SE OS: iOS 18.6.2

Does webkit have a way to display a smart banner for a home screen web app similar to how a smart banner can be displayed for native apps? I recently noticed (10/23) that Twitter showed a smart banner encouraging Home Screen web app on my Mac running Sonoma. How is this done?

Hi! We are having a hard time with the universal link, help is appreciated! Thanks in advance! The universal link doesn't work after installation for some time. A user has to wait for from 5 to a couple of hours after the app is installed on the device. This has also affected App reviewers since we need the universal link to work for successful login. Each submission will receive a rejection of we cannot login and it will be approved until we kindly ask them to try again. I believe the JSON is delivered to devices by Apple's CDN system and the fact that it works on most devices most of the time should imply that we have a valid apple-app-site-association setup. So I am really confused about the wait time, which is giving us trouble with app review and a bad user experience

In a project to create a web extension for Safari, using scripting.registerContentScript() API to inject a bunch of scripts into web pages, I needed to manage a dynamic whitelist (i.e., web pages where the scripts should not be injected). Fortunately, scripting.registerContentScripts() gives you the option of defining a list of web pages to be considered as a whitelist, using the excludeMatches parameter in the directive, to represent an array of pages where the script should not be injected. Here just a sample of what I mean: const matches = ['*://*/*']; const excludeMatches = ['*://*.example.com/*']; const directive = { id: 'injected-jstest', js: ['injectedscript.js'], matches: matches, excludeMatches: excludeMatches, persistAcrossSessions: false, runAt: 'document_start' }; await browser.scripting.registerContentScripts([directive]) .catch(reason => { console.log("[SW] >>> inject script error:",reason); }); Of course, the whitelist (the excludeMatches array) is not static, but varies over time according to the needs of the moment. Everything works perfectly in Chromium browsers (Chrome, Edge, ...) and Firefox, but fails miserably in Safari. In fact, Safari seems to completely ignore the excludeMatches parameter and injects the script even where it should not. Has anyone had the same problem and solved it somehow? NOTE : To test the correctness and capabilities of the API in each browser, I created a simple repository on Github with the extension code for Chromium, Firefox and Safari (XCode project).

I am trying to build and run a Safari Web Extension from Xcode and I have enabled "Allow unsigned extensions" in Safari settings. However, I see the below pop up: And, if click on the "Quit and Open Safari Extensions Preferences..." button, the project stops running on Xcode and nothing happens. What can be the issue? The extension works and runs fine if I get it from the Mac App Store and this only happens when running from Xcode. I even tried completely uninstalling the mac app store version and still facing the same issue.

Please update Accessibility OS Settings for VoiceOver in iPhone iOS and iPadOS to include frames on the Rotor, and to make web navigation and component gestures easier to find and assign. Please add content to the iPhone and iPad Apple User Guide to use VoiceOver in web navigation with touch gestures. Specifically... iframes. There is no clear guidance in Apple documentation for VoiceOver users in iPhone or iPadOS to access iframes with touch gestures. A common belief as written on AppleVis, other blogs, and internet searches is that iframes in Safari or a webView in an app are only available with explore by touch. If explore by touch is the only option for some interactions, that needs to be included in Apple User Guides. If not, details on equivalent touch gestures for VO that have keyboard interactions in Mac need to be clear for users. VoiceOver for Mac includes a default keyboard interaction of VO-Command-F in its extensive User Guide (https://support.apple.com/guide/voiceover/by-images-or-frames-mchlp2740/mac). A user can include a rotor option for web navigation for iframes. VoiceOver for iPhone and iPad does not include a default swipe gesture assigned to frames. An option is not available for the Rotor. While there is iPhone User Guide guidance that gestures can be customized (https://support.apple.com/guide/iphone/customize-gestures-and-keyboard-shortcuts-iph59a8e6fd2/18.0/ios/18.0), it is not clear that for adding this gesture, "Move to the next frame" is tucked into the advanced navigation commands for VoiceOver Accessibility Settings in the OS. At least in my phone, the word "frame" was not searchable despite the All Commands screen using a search bar.