Explore the integration of web technologies within your app. Discuss building web-based apps, leveraging Safari functionalities, and integrating with web services.

Posts under Safari & Web topic

Post | Replies | Boosts | Views | Activity

When using WebAuthn with WKWebView
WebAuthn can be used in Safari, but when using it with WKWebView, you need to set the default browser definition (com.apple.developer.web-browser). Is this correct? Also, is it possible that the terms of use will change or that it will no longer be available in WKWebView in the future?
Topic: Safari & Web SubTopic: General
0
0
315
Aug ’25
iOS 26 WKWebView load url contain “#” will cancel when start load
0x158c2ce18 - [pageProxyID=33, webPageID=34, PID=883] WebPageProxy::didFailProvisionalLoadForFrame: frameID=4294967298, isMainFrame=1, domain=NSURLErrorDomain, code=-999, isMainFrame=1, willInternallyHandleFailure=0 Error Domain=NSURLErrorDomain Code=-999 "已取消" UserInfo={_NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <9A09D8F8-351D-4BE3-A1F7-0E2E325DC7BA>.<4>, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDataTask <9A09D8F8-351D-4BE3-A1F7-0E2E325DC7BA>.<4>" ), NSLocalizedDescription=已取消, _WKRecoveryAttempterErrorKey=<WKReloadFrameErrorRecoveryAttempter: 0x159acf6c0>, networkTaskDescription=LocalDataTask <9A09D8F8-351D-4BE3-A1F7-0E2E325DC7BA>.<4>, NSErrorFailingURLStringKey=https://oamobile.zmmc.com.cn:28385/pages/Reports/ZBReport.aspx?ShowInLegend=true&appid=69b487001fcc11bc30c7344e50768c3c&userid=9784299b-cced-4702-91b0-0476511ba8d2, NSErrorFailingURLKey=https://oamobile.zmmc.com.cn:28385/pages/Reports/ZBReport.aspx?ShowInLegend=true&appid=69b487001fcc11bc30c7344e50768c3c&userid=9784299b-cced-4702-91b0-0476511ba8d2, networkTaskMetricsPrivacyStance=Unknown}
Failed to terminate process: Error Domain=com.apple.extensionKit.errorDomain Code=18 "(null)" UserInfo={NSUnderlyingError=0x159bd1830 {Error Domain=RBSRequestErrorDomain Code=3 "No such process found" UserInfo={NSLocalizedFailureReason=No such process found}}}

After upgrading to iOS 26, loading a URL that does not contain "#" in WKWebView always works, but loading a URL that contains “#” is cancelled when the load starts, resulting in a white screen.
Topic: Safari & Web SubTopic: General
0
0
283
Jun ’25
Can I use allowFileAccessFromFileURLs to access local html file in my Project and not get appStorereview
We are currently implementing the payment flow, and for handling payment details — including card entry and validation — we are utilizing a WKWebView. The webview securely loads the payment provider’s page, ensuring sensitive information such as card numbers are entered and validated directly within the web context. I’d like to clarify that this change has not yet been released to Production.

As part of a feature enhancement to our existing payment flow, we are transitioning to a new payment vendor, SnapPay. While trying to load the SnapPay URL embedded within an iFrame in our iOS app, I observed the following error in the Xcode console. While this error may be generic, I wanted to highlight it:

    825a18 - [pageProxyID=7, webPageID=8, PID=67346] WebPageProxy::didFailLoadForFrame: frameID=24, isMainFrame=0, domain=NSURLErrorDomain, code=-999

Upon investigating, we compared the headers from our existing payment URL and SnapPay's URL, and found that SnapPay includes the following Content-Security-Policy (CSP) header: Content-Security-Policy: frame-ancestors ...

    "Content-Security-Policy" value="default-src 'self'; script-src 'self' https://hcaptcha.com https://.hcaptcha.com https://code.jquery.com https://www.gstatic.com https://code.jquery.com/jquery-3.3.1.min.js https://test.lightbox.cardx.com/v1/lightbox.min.js https://www.ssa.gov/accessibility/andi/ https://c.evidon.com 'unsafe-inline' 'unsafe-eval'; style-src 'self' https://hcaptcha.com https://.hcaptcha.com https://fonts.googleapis.com/css https://stage.snappayglobal.com/Resource/ https://www.ssa.gov/accessibility/andi/andi.css 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' *.googleapis.com *.gstatic.com ; connect-src 'self' https://demo1.cditechnology.com https:; form-action https://hcaptcha.com https: 'self' *.ipg-online.com secure.bluepay.com https://test.api.lightbox.cardx.com https://3ds-acs.test.modirum.com/ https://demo1.cditechnology.com/; frame-ancestors https://snappaydirect-perf.fiserv.com 'self' file: https: http; frame-src .snappayglobal.com 'self' https://hcaptcha.com https://.hcaptcha.com https: https://www.google.com .ipg-online.com secure.bluepay.com https://.cardconnect.com https://test.api.lightbox.cardx.com/ https://test.lightbox.cardx.com https://paywithcardx.com/payment/auth.cgi securepayments.cardpointe.com *.cardpointe.com https://3ds-acs.test.modirum.com/ https://www.yokohamatire.com http://uat1-txt.ad.portal.texas.gov https://uat1-txt.ad.portal.texas.gov "

After multiple working sessions with the SnapPay team, we were able to confirm that when they disable CSP or remove the frame-ancestors directive, the iFrame loads successfully within our app. However, SnapPay cannot change their CSP. To enable the iFrame to load in the iOS app, we added the following line of code:

    webView.configuration.preferences.setValue(true, forKey: "allowFileAccessFromFileURLs")

This resolved the issue with loading the iFrame. Note: the file being loaded is a local .html file.
Before submitting this update to the App Store, I’d like to confirm whether this usage of allowFileAccessFromFileURLs is acceptable for App Store review. I wanted to confirm: with this change, is there a security concern for WKWebView?
0
0
154
Apr ’25
Details of SFExtensionProfileKey?
Hi, I’m working with the SFExtensionProfileKey in my Safari Web Extension. As I understand it, this key is to get the UUID of the profile currently in use. However, it seems to be missing (no key in userInfo) when the default profile is active. Also, I haven’t found any API to get a profile’s human-readable name or list all available profiles. Could someone clarify: If the value of SFExtensionProfileKey is absent, can I safely assume the default profile is in use? Is there a supported way to get a profile’s display name? Does Safari expose an API for getting all profiles? Thanks in advance for your insights!
0
0
139
May ’25
Safari Does Not Include topOrigin in WebAuthn clientDataJSON Despite crossOrigin: true
Hello, I’m working on a cross-origin WebAuthn implementation where a parent page embeds an iframe from a different origin to perform authentication. According to the WebAuthn Level 3 spec (Section 7.1.1), when crossOrigin is true, the clientDataJSON may include topOrigin—but Safari does not seem to populate this field.

Observed Behavior:
- Chrome/Firefox: Include topOrigin in clientDataJSON when crossOrigin: true.
- Safari (macOS/iOS): Omits topOrigin even though crossOrigin is correctly set to true.

Example clientDataJSON from Safari:

    {
      "type": "webauthn.get",
      "challenge": "...",
      "origin": "https://iframe-origin.example.com",
      "crossOrigin": true
      // Missing `topOrigin` (expected: parent origin)
    }

Questions:
- Is this an intentional omission in Safari for privacy/security reasons?
- Are there specific requirements (e.g., HTTP headers, permissions policies) needed for Safari to expose topOrigin?
- Is there a known workaround to reliably obtain the top-level origin in cross-origin WebAuthn flows?

System Info: Version 18.4 (20621.1.15.11.10) OS: Sequoia Version 18.4 (20621.1.15.11.10)

Reproduction Steps:
1. Parent page (https://parent.example.com) embeds an iframe (https://webauthn-rp.example.com).
2. The iframe calls navigator.credentials.get() with a WebAuthn challenge.
3. Safari returns clientDataJSON with crossOrigin: true but no topOrigin.

Code Snippet (iframe):

    const credential = await navigator.credentials.get({
      publicKey: {
        challenge: new Uint8Array(/* ... */),
        rpId: 'webauthn-rp.example.com',
        allowCredentials: [],
        hints: [],
        userVerification: "preferred",
      }
    });
    // clientDataJSON is an ArrayBuffer of UTF-8 JSON, so decode it as text before parsing
    console.log(JSON.parse(new TextDecoder().decode(credential.response.clientDataJSON)));

Has anyone encountered this? Any insights would be greatly appreciated!
Topic: Safari & Web SubTopic: General
0
0
110
May ’25
Domain blocking
Hello, why is Safari blocking my domains? https://fitgel.ru https://fittoma.ru https://ohota.pro There are no errors in them, other browsers respond normally.
Topic: Safari & Web SubTopic: General
0
0
175
3w
Suggestions for OAuth2 in Swift
Hello! I have a few questions about integrating an OAuth2 API into my Swift application. I am using this API to access user data from the website (users will authenticate themselves within the app). I have seen other apps use this API in the way that I am describing it so I know that it is possible. However, I am not sure how to implement it. Are there any recommended ways to use an OAuth2 API in my application? The API that I am using does not specifically say that it supports PKCE. However, I have heard from some sources that it does. If it does not support PKCE, how do I still create a secure app infrastructure that will pass App Store Review? At a more basic level, what is the difference between OAuth2 and PKCE? What should I use in my app? Are there any resources to learn a little bit more about these protocols so that I understand them better? Thanks!
0
0
82
Jun ’25
fetch() in safari extension does not include credentials (cookie) when using from non-default profile
It seems fetch() does not include credentials (cookie) even when credentials: include is used and Safari extension has host_permissions for that domain when using from a non-default Safari profile. It includes credentials (cookie) when using from the default profile (which has the default name Personal). Is there anyone who has this problem? I try to request in popup.js like this:

    const response = await fetch(
      url,
      {
        method: 'GET',
        mode: 'cors',
        credentials: 'include',
        referrerPolicy: 'no-referrer',
      }
    );

and it does not include the credentials (cookie) from host_permissions. I already posted https://developer.apple.com/forums/thread/764279, and opened feedback assistant (FB15307169). But it is still not fixed yet. (macOS 15.4 beta 3) I hope this is fixed soon.
0
1
375
Mar ’25
Issue with External Browser on Sign In (Privy SDK limitation)
Hello Apple App Review Team, We are using Privy to enable sign in with Farcaster in our app. Privy is a 3rd party authentication SDK, and it currently opens the authentication URL using the system browser. Unfortunately, this behavior is handled internally by Privy and we do not have access or control to override it in order to present the sign-in flow in-app using SFSafariViewController. We understand the importance of maintaining a seamless and secure user experience, and we fully support the use of SFSafariViewController or ASWebAuthenticationSession. However, since Privy does not expose an option to change this behavior at the moment, we are limited by their current implementation. We have reached out to the Privy team requesting a change or improvement that would allow us to use SFSafariViewController instead of the external browser. In the meantime, we would appreciate your guidance on how to proceed, or whether an exception could be granted due to this 3rd party SDK limitation. Thank you for your understanding and support.
0
0
212
Jul ’25
iOS 26 crash – CALayer position contains NaN when selecting text / showing magnifier / selecting Image's Text in WKWebView
Environment
• Device: any iPhone running iOS 26 Developer Beta 5 (23A5308g)
• Xcode: 16.3

Short description
The app crashes the moment the user tries to long-press to select text inside a WKWebView, or double-tap an image with Text (magnifier appears). The exception is CALayer position contains NaN. frame = (nan,0;0,48) chorPoint=(inf, 0) and it is thrown in the UI process.

Build & run any project that hosts a WKWebView. Inject the following CSS via script (this is what we do to suppress the native callout menu):

    WKWebView *webView = [[WKWebView alloc] initWithFrame:self.view.bounds configuration:[WKWebViewConfiguration new]];
    NSString *js = @"document.documentElement.style.webkitUserSelect='none';"
                    "document.documentElement.style.webkitTouchCallout='none';";
    [webView evaluateJavaScript:js completionHandler:nil];
    [self.view addSubview:webView];
0
0
338
Aug ’25
SFSafariApplication doesn't transmit messages to docked website.
Hi! I'm working on a web extension for Safari and I need to send messages from the containing application to JavaScript. For this I use the method class func dispatchMessage( withName messageName: String, toExtensionWithIdentifier identifier: String, userInfo: [String : Any]? = nil ) async throws of the SFSafariApplication class. If the site is opened in Safari in normal mode, everything works as expected. However, if the site is "docked", the messages are not transmitted to this "Web App".
0
0
92
May ’25
After iOS 18.4, files are called multiple times in WKWebView
Since the transition to iOS 18.4, we have been having an issue where when loading an m3u8 file specified in the src attribute of a video tag in WKWebView, the ts file is loaded repeatedly. Are there any good ideas for this? Also, if there have been any changes to the specifications of WKWebView, we would appreciate it if you could let us know.
0
0
360
May ’25
Custom WKWebsiteDataStore
Hey team, I've integrated a custom WKWebsiteDataStore to manage profiling for different sessions. I have been testing the WKWebsiteDataStore, as it is mentioned to be persistent. The storage can be accessed via its identifier, but the session data in storage is absent: cookies and caches are all cleared when the app is relaunched. Is this the default behavior to be expected, or is there some property missing that causes the session data to be removed from storage?
Topic: Safari & Web SubTopic: General
0
0
77
Mar ’25
iOS 26 WKWebView renders same HTML with smaller font size [closed]
I have an iOS app that generates and renders a custom HTML document inside a UIWebView. After updating a device to iOS 26, the same HTML is rendered with noticeably smaller fonts compared to previous iOS versions. No code or HTML changes were made.

Context
- HTML is generated dynamically and rendered in a UIWebView
- The HTML is embedded inside a custom XML wrapper
- The issue happens only on iOS 26
- Earlier iOS versions render the font size correctly
0
0
273
3w
Displaying spatial photos and videos on web pages in Safari
Cross posting from Spatial Computing, apologies if this is not the appropriate forum. The purpose is to create a simple web-based gallery of spatial photos and videos using static html files. I have successfully displayed spatial photos using the img tag and IMG.heic files. I can tap and hold the image to bring up the contextual menu and from there select View Spatial Photo. Is there any way to add a control to the image, like a link or overlay on the image itself, that a user can simply tap to show the image in 3D? And how to host a (small!) video file on a web page without going through a CDN/streaming service? Sample html would be much appreciated.
0
0
679
Jan ’26
Notify web extension native process of user default changes
My Mac app and its Safari web extension share an app group, and I want to notify the web extension native process when the app makes a change to the app group NSUserDefaults, but I can't find a good way to do this. According to the documentation, "You can use key-value observing to register observers for specific keys of interest in order to be notified of all updates, regardless of whether changes are made within or outside the current process." In my testing, however, this doesn't work in the web extension process. I'm using NSUserDefaults addObserver forKeyPath, but observeValueForKeyPath never gets called. I've also tried NSDistributedNotificationCenter, but the web extension process doesn't receive the notifications sent by the main app. Are either of these supposed to work? If not, are there any alternatives?
0
0
77
Apr ’25
the passkey suggestion does not appear; instead, the password suggestion appears on iPhone.
Create shortcut to open chrome with url and put it on the desktop. Tap the shortcut. Tap the username text field. When launching Safari from an iOS shortcut on an iOS device with a valid passkey registered, the passkey suggestion does not appear; instead, the password suggestion appears sometimes.
0
1
559
Dec ’25
Service Worker Registration Requires WKAppBoundDomains – Any Workarounds?
"We have a multi-tenant EdTech platform serving over 1500 clients, each with a unique domain (e.g., client1.eduapp.com). We use WKWebView in a native shell. Due to WKAppBoundDomains restriction, we can't dynamically list all domains. How can we support dynamic tenants while maintaining cookie persistence?"

"Can Apple suggest a best practice or alternative approach for apps using WebView/PWA shell architecture across multiple client domains?"

Problem: We cannot predefine all 1500 domains in WKAppBoundDomains due to limitations. As a result: Service workers fail to register, breaking PWA functionality. Ex: Offline.
Topic: Safari & Web SubTopic: General
0
0
74
Apr ’25