Hello - we have a Mac application that uses a browser extension and the web extension JS APIs to communicate with Safari. During user testing we found that the tab title and tab URL properties are empty when obtaining the set of open windows via windows.get() after a Safari restart. We are testing with Safari 18.4 (20621.1.15.11.10). We have made a TestFlight version of our app and extension available to help with testing: https://testflight.apple.com/join/Va8Zdv9d. Screenshot and screen recording are attached to the Feedback ID supplied below. STEPS TO REPRODUCE Install Tabby via the TestFlight link Enable the Tabby for Safari extension in the Safari extensions dialog Grant permissions for Tabby for Safari to all windows all the time Within Safari, open two windows each with at least two tabs Within the Tabby app, ensure you see the windows and tabs listed correctly (tab title displayed for each) Quit and restart Safari Expected behavior Safari re-opens existing windows and Tabby displays title for each tab Observed Safari re-opens existing windows but within Tabby all tabs except the current tab are displayed with a title of “Start Page”. Under the hood the tab title and tab URL properties are empty when returned via a windows.get() call after Safari restarts. NAME AND APPLE ID OF APP Tabby - Browser Tab Manager 1586203406 FEEDBACK ASSISTANT ID FB16389506

I am reporting what appears to be a serious integrity flaw in Safari under iPadOS 26.3 (and lower) that materially undermines the reliability of Screen Time parental controls. This is not merely a UX inconsistency but a functional contradiction within a system explicitly marketed and positioned as secure parental control infrastructure. Device / Environment Device: iPad Air M3 13" (2025) OS: iPadOS 26.3 Safari (system version) Screen Time enabled with active restrictions Child account (10 years old) Background We deliberately chose an Apple device for school use based on the expectation that Apple’s system-level parental control mechanisms — especially Screen Time — are robust, tamper-resistant, and technically consistent. Screen Time is configured with: App limits Downtime Parental controls enabled with limited web content restrictions (school requirements prevent strict blocking) Safari enabled (mandatory for educational use) further parental control restrictions Because aggressive website blocking would interfere with legitimate school activities, monitoring Safari browsing history is a central supervisory mechanism. When Screen Time is active: Clearing the entire browsing history via Safari is correctly blocked. Clearing history via system settings is correctly blocked. The system explicitly communicates that deletion is not permitted due to Screen Time restrictions. This behavior establishes a clear user expectation: Browsing history is protected against manipulation. The Issue Despite the above safeguards, individual browsing history entries can be deleted easily and silently through the address bar suggestion interface. This creates a structural contradiction: Full deletion is blocked. Selective deletion — which is arguably more problematic — remains possible. Steps to Reproduce Enable Screen Time with restrictions that prevent deletion of browsing history (for example on a student device with a child account). Open Safari and visit any website. Confirm it appears in Safari history. Tap the Safari address bar. Type part of the URL or page title. Safari suggests the previously visited page below the address bar. Swipe left on that suggestion. A red “Delete from History” button appears. Tap it. Actual Result The entry disappears immediately: No Screen Time PIN required No authentication request No warning No restriction triggered No parental notification No audit trace visible Deletion occurs silently and irreversibly. Expected Result When Screen Time is configured to prevent browsing history deletion: Individual entries must not be deletable Deletion must require Screen Time authentication Anything else defeats the protective purpose of the restriction. Real-World Impact In practical use, this allows minors to selectively sanitize browsing history while preserving a seemingly intact record. In our case, this method is widely known among classmates and routinely used to conceal visits to gaming or social media platforms during school hours. The technical barrier to exploitation is negligible. This results in: A false sense of security for parents A discrepancy between advertised functionality and actual system behavior A material weakening of parental control integrity When a system explicitly blocks full history deletion but permits silent selective deletion, the protection mechanism becomes functionally inconsistent and unreliable. Given that Screen Time is publicly positioned as a dependable parental control framework, this issue raises concerns not only about implementation quality but also about user trust and reasonable reliance on advertised safeguards. Request Please classify this as a parental control integrity and trust issue. Specifically: Disable individual history deletion while Screen Time restrictions are active OR Require Screen Time passcode authentication for deleting single entries Screen Time is presented as a secure supervisory environment for minors. In its current implementation under iPadOS 26.3 and before, that expectation is technically not met. This issue warrants prioritization.

Hello everyone, I'm working on an app that uses WKWebView. My app uses a custom menu and we disable the default menu by overriding with: WKWebAction.canPerformAction() However, with the new iOS 18.2 release, I am no longer able to override the "Copy Link with Highlight" option that pops up when highlighting a selection as can be seen from the screenshot: Has anyone found a work around/bypass for this? Environment iOS Version: iOS 18.2 Device: iPhone 13 Pro App platform: iOS Xcode version: 16.1 MacOS: 14.5

Environment • Device: iOS 26 Developer Beta 5 (23A5308g) • Xcode: 16.3 Short description The app crashes the moment the user tries to long-press to select text inside a WKWebView, double-tap an image with Text (magnifier appears) The exception is CALayer position contains NaN. frame = (nan,0;0,48) chorPoint=(inf, 0) and it is thrown in the UI process. Build & run any project that hosts a WKWebView. Inject the following CSS via script (this is what we do to suppress the native callout menu): WKWebView *webView = [[WKWebView alloc] initWithFrame:self.view.bounds configuration:[WKWebViewConfiguration new]]; NSString *js = @"document.documentElement.style.webkitUserSelect='none';" "document.documentElement.style.webkitTouchCallout='none';"; [webView evaluateJavaScript:js completionHandler:nil]; [self.view addSubview:webView]; Incident Identifier: EE6FB046-5087-4F15-A72D-A74965347A30 CrashReporter Key: 29e8e58e02a07557adb4ce3f463d764f3ce8bbd5 Hardware Model: iPhone16,1 Process: wallet [642] Path: /private/var/containers/Bundle/Application/4B4E609A-C8BF-4C56-AB2A-1638249B98A5/wallet.app/wallet Identifier: xxxx Version: xxxx AppStoreTools: 16F7 AppVariant: 1:iPhone16,1:18 Code Type: ARM-64 (Native) Role: Foreground Parent Process: launchd [1] Coalition: xxxxx Date/Time: 2025-08-06 12:05:24.0732 +0800 Launch Time: 2025-08-06 11:49:40.3802 +0800 OS Version: iPhone OS 26.0 (23A5308g) Release Type: Beta Baseband Version: 3.02.02 Report Version: 104 Exception Type: EXC_CRASH (SIGABRT) Exception Codes: 0x0000000000000000, 0x0000000000000000 Termination Reason: SIGNAL 6 Abort trap: 6 Terminating Process: wallet [642] Triggered by Thread: 0 Application Specific Information: abort() called Last Exception Backtrace: 0 CoreFoundation 0x185e058c8 __exceptionPreprocess + 164 1 libobjc.A.dylib 0x182d797c4 objc_exception_throw + 88 2 CoreFoundation 0x185e908d4 -[NSException initWithCoder:] + 0 3 QuartzCore 0x18678a874 CA::Layer::set_position(CA::Vec2<double> const&, bool) + 160 4 QuartzCore 0x1869a7270 -[CALayer setPosition:] + 52 5 UIKitCore 0x18c4ac564 -[UIView _backing_setPosition:] + 176 6 UIKitCore 0x18cefdf0c -[UIView setCenter:] + 220 7 UIKitCore 0x18cd9f794 -[_UIEditMenuContentPresentation _displayPreparedMenu:titleView:reason:didDismissMenu:configuration:] + 936 8 UIKitCore 0x18cd9f3c0 __54-[_UIEditMenuContentPresentation _displayMenu:reason:]_block_invoke + 104 9 UIKitCore 0x18ced1060 -[UIEditMenuInteraction _editMenuPresentation:preparedMenuForDisplay:completion:] + 384 10 UIKitCore 0x18cd9f2e4 -[_UIEditMenuContentPresentation _displayMenu:reason:] + 304 11 UIKitCore 0x18cd9f0d8 -[_UIEditMenuContentPresentation displayMenu:configuration:] + 64 12 UIKitCore 0x18ced0344 __58-[UIEditMenuInteraction presentEditMenuWithConfiguration:]_block_invoke + 260 13 UIKitCore 0x18ced1f8c __80-[UIEditMenuInteraction _prepareMenuAtLocation:configuration:completionHandler:]_block_invoke + 80 14 UIKitCore 0x18cc8403c __109-[UITextContextMenuInteraction _editMenuInteraction:menuForConfiguration:suggestedActions:completionHandler:]_block_invoke + 180 15 UIKitCore 0x18cc84584 __107-[UITextContextMenuInteraction _querySelectionCommandsForConfiguration:suggestedActions:completionHandler:]_block_invoke + 148 16 WebKit 0x1a05ae5d4 WTF::CompletionHandler<void (WebKit::DocumentEditingContext&&)>::operator()(WebKit::DocumentEditingContext&&) + 64 17 WebKit 0x1a05bb468 WTF::Detail::CallableWrapper<WTF::CompletionHandler<void (IPC::Connection*, IPC::Decoder*)> IPC::Connection::makeAsyncReplyCompletionHandler<Messages::WebPage::RequestDocumentEditingContext, WTF::CompletionHandler<void (WebKit::DocumentEditingContext&&)>>(WTF::CompletionHandler<void (WebKit::DocumentEditingContext&&)>&&, WTF::ThreadLikeAssertion)::'lambda'(IPC::Connection*, IPC::Decoder*), void, IPC::Connection*, IPC::Decoder*>::call(IPC::Connection*, IPC::Decoder*) + 196 18 WebKit 0x19fcf5db8 WTF::Detail::CallableWrapper<WebKit::AuxiliaryProcessProxy::sendMessage(WTF::UniqueRef<IPC::Encoder>&&, WTF::OptionSet<IPC::SendOption>, std::__1::optional<IPC::ConnectionAsyncReplyHandler>, WebKit::AuxiliaryProcessProxy::ShouldStartProcessThrottlerActivity)::$_1, void, IPC::Connection*, IPC::Decoder*>::call(IPC::Connection*, IPC::Decoder*) + 64 19 WebKit 0x19fce54f0 IPC::Connection::dispatchMessage(WTF::UniqueRef<IPC::Decoder>) + 340 20 WebKit 0x19fcf5aa0 IPC::Connection::dispatchIncomingMessages() + 536 21 JavaScriptCore 0x19a8f85d4 WTF::RunLoop::performWork() + 552 22 JavaScriptCore 0x19a8f838c WTF::RunLoop::performWork(void*) + 36 23 CoreFoundation 0x185da6230 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 28 24 CoreFoundation 0x185da61a4 __CFRunLoopDoSource0 + 172 25 CoreFoundation 0x185d83c6c __CFRunLoopDoSources0 + 232 26 CoreFoundation 0x185d598b0 __CFRunLoopRun + 820 27 CoreFoundation 0x185d58c44 _CFRunLoopRunSpecificWithOptions + 532 28 GraphicsServices 0x224ce0498 GSEventRunModal + 120 29 UIKitCore 0x18b6c84b8 -[UIApplication _run] + 792 30 UIKitCore 0x18b66cbc0 UIApplicationMain + 336 31 wallet 0x1046f8558 0x1046f4000 + 17752 32 dyld 0x182dcdb18 start + 6332

We are experiencing an issue after Xcode 26.0 to load local javascript files to WKWebView to render our own design. it used to work well, however after Xcode 26.0, when [self.webView loadFileURL:fileURL allowingReadAccessToURL:accessURL]; it returns [PID=1514] WebProcessProxy::hasAssumedReadAccessToURL(3198190): no access self.webRootPath = [[NSHomeDirectory() stringByAppendingPathComponent:@"Documents"] stringByAppendingPathComponent:CHAT_VIEW_WEB_ROOT]; NSFileManager *fileManager = [NSFileManager defaultManager]; NSError *error = nil; if (! [fileManager fileExistsAtPath:self.webRootPath]){ [fileManager createDirectoryAtPath:self.webRootPath withIntermediateDirectories:NO attributes:nil error:&error]; } NSURL *accessURL = [NSURL fileURLWithPath:self.webRootPath]; Not sure how to assign access permission to WKWebView. Any help much appreciated.

I am trying to setup web sign in with apple, I have an active apple subscription and have set up all necessary things. I made a service id in apple Identifiers, connected to existing primary id (also has apple sign in enabled). I have my domain set up also correctly but still I cant generate the code due to invalid client. What do I need to do? I have also tried recreating the service ids multiple times with no luck. my init is AppleID.auth.init({ clientId : '[CLIENT_ID]',//used the service id one not app id redirectURI : '[REDIRECT_URI]', usePopup : true }); link to generate codes now is: https://appleid.apple.com/auth/authorize?client_id=com.crmtournest.sigin&redirect_uri=https%3A%2F%2Fwww.tournestcrm.com%2Fauth%2Fcallback&response_type=code%20id_token&state=saciy7rn1km&scope=name%20email&response_mode=web_message&frame_id=03487c22-abb4-48cd-8613-d6bf5836e9eb&m=11&v=1.5.5 Also tried: https://appleid.apple.com/auth/authorize?client_id=com.crmtournest.sigin&redirect_uri=https%3A%2F%2Fwww.tournestcrm.com%2Fauth%2Fcallback&response_type=code%20id_token (not working) I get invalid_client setup on apple below:

The passkey authentication dialog appears, and after unlocking with Touch ID, the dialog closes without any notification of success or failure. This issue occurs with high frequency. access to the https://passkeys-demo.appspot.com/ register account and create passkey. logoff access to the url again you can see the passkey dialog unlock device then the dialog disappears nothing happens reload the page proceed 5) to 6) nothing happens or success webauthn.

I'm working on a web browser App that's distributed via the App Store. This app renders web pages using WKWebView. Our users are requesting a way for us to allow them to play videos in Picture in Picture. After some investigation, we noticed that in order to allow PiP videos in our browser in the sandboxed environment, we need to add the com.apple.PIPAgent entitlement under the com.apple.security.temporary-exception.mach-lookup.global-name option. We tried to submit our app with this entitlement, but unfortunately, we were rejected: Guideline 2.4.50) - Performance We've determined that one or more temporary entitlement exceptions requested for this app are not appropriate and will not be granted: com.apple.security.temporary-exception.mach-lookup.global-name com.apple.P|PAgent We would like to have access to this entitlement so we can offer PiP to our users. We already created a radar about this as well: FB13814428 Additionally, we have another radar (FB13557716) regarding allowing the usage of a private flag _allowsPictureInPictureMediaPlayback, which would also be required to enable us to use PiP. Is there any way in which we can currently enable PiP? Would opening a TSI help here?

Trying to implement my own forward/back buttons for the new SwiftUI WebView and reading the documentation I’m totally lost. What’s the recommended way of implementing forward/back behavior with this component?

The crash is specific to iOS 26.2 WKScriptMessageHandler delegate func userContentController(_ userContentController: WKUserContentController, didReceive message: WKScriptMessage) Name attribute is accessible but WKScriptMessage body attribute causes crash The object seems to be not accessible

使用direct distribution进行分发时，safari web extension 在safari setting 中显示没有权限读取、修改或传输任何网页的内容。 但是我在看公证日志显示插件是正常的公证的 这导致safari extension 无法使用。 公证日志 https://www.coupert.com/img/2025-04-10/notarization-log.json

Starting with iOS 26.2, when Safari tabs are set to Bottom or Compact view, some pages are not rendering properly. The error does not occur in Top view. For some pages, scrolling causes rendering to be very slow, causing the user to experience page breaks and missing parts. If the user waits a few seconds, the missing parts of the page will appear, but the issue will reoccur when scrolling further. We have tested this on all available iOS devices and the issue occurs on all iPhones running iOS 26.2. The issue does not occur on iOS 26.1, and we have not experienced it on devices running iOS 18. The issue can be reproduced on the following pages with an iPhone running iOS 26.2: https://fotosakademia.hu/products/course/fotografia-kozephaladoknak-haladoknak https://oktatas.kurzusguru.hu/products/course/az-online-kurzuskeszites-alapjai

Hi Apple engineers! We are making an iOS browser and are planing to deliver a feature that allows enterprise customers to use a MAM key to set a PAC file for proxy. It's designed to support unmanaged device so the MDM based solutions like 'Global HTTP Proxy MDM payload' or 'Per-App VPN' simply don't work. After doing some research we found that with WKWebView, the only framework allowed on iOS for web browsing, there's no API for programmatically setting proxy. The closes API is the WKURLSchemeHandler, but it's for data management not network request interception, in other word it can not be used to handle HTTP/HTTPS request well. When we go from the web-view level to the app level, it seems there's no API to let an app set proxy for itself at an app-level, the closest API is Per-App VPN but as mentioned above, Per-App VPN is only available for managed device so we can't use that as well. Eventually we go to the system level, and try to use Network Extension, but there's still obstacles. It seems Network Extension doesn't directly provide a way to write system proxy. In order to archive that, we may have to use Packet Tunnel Provider in destination IP mode and create a local VPN server to loop back the network traffic and do the proxy stuff in that server. In other word, the custom VPN protocol is 'forward directly without encryption'. This approach looks viable as we see some of the network analysis tools use this approach, but still I'd like to ask is this against App Store Review Guidelines? If the above approach with Network Extension is not against App Store Review Guidelines, I have a further question that, what is the NEProxySettings of NETunnelNetworkSettings for? Is it the proxy which proxies the VPN traffic (in order to hide source IP from VPN provider) or it is the proxy to use after network traffic goes into the virtual private network? If none of the above is considered recommended, what is the recommended way to programmatically set proxy on WKWebView on an unmanaged device (regardless of where the proxy runs, web-view/app/system)?

I’m experiencing a crash in WKWebView on iOS 26 Developer Beta 5 and Beta 6 with the following exception: CALayer position contains NaN: [nan 65] The crash occurs when the following CSS properties are applied to content displayed in WKWebView: -webkit-user-select: none; -webkit-touch-callout: none; This issue happens consistently whenever these styles are set, leading to the crash inside WKWebView. Is this a known bug in the current iOS 26 betas, or is there a recommended workaround?

I'm a web developer of WebRTC based web app for video and audio calls. After updating to iOS 26.1 beta I noticed, that my app can't use microphone anymore. When I'm calling to getUserMedia with audio set to true, Safari returns error "No AVAudioSessionCaptureDevice device". Other WebRTC demo apps also can't access microphone on this firmware. And maybe it's connected somehow, but safari can't detect connected AirPods Pro 2 as an input device. So, this bug brakes any WebRTC app, that uses microphones.

Since iOS 18.1 launched as a beta, we've been getting reports from end users on iPhone 15 Pro and iPhone 15 Pro Max specifically. They're reporting that our WebView is unable to load our local HTML content. I'm curious if anyone else has had their app or users run into this issue? So far I've tried installing the most recent XCode Beta 16B5014f and installed an 18.1 emulator, but our app worked fine. It's also working fine on all my real devices, but we don't have a 15 Pro to test on. I'm curious if this is related to the processor on these devices and how they are intended to support Apple's new AI coming in 18.1.

iPadOS 26, dark mode Open Safari Search for anything or open a website that has white background Kill Safari Open Safari again I still can reproduce it with Safari on iPadOS 26.0.1 This issue also happens to my app when opening a HTML/JS on WKWebView with white background while using dark mode. I did send a feedback ticket when using iPadOS 26 beta but havent seen any reply. This is my first time sending a feedback so I dont know if Apple would reply or not.

Is this code invalid on a phone running xcode16 iOS18? Class cls = NSClassFromString(@"WKBrowsingContextController"); SEL sel = NSSelectorFromString(@"registerSchemeForCustomProtocol:"); if ([(id)cls respondsToSelector:sel]) { [(id)cls performSelector:sel withObject:@"http"]; [(id)cls performSelector:sel withObject:@"https"]; } }

Hi, I have an app that uses WKWebView and it's crashing on iOS 26 Simulator in places I've never had problems before. In this case it's crashing when calling WKWebView.callAsyncJavaScript, but in my other project WKWebView is crashing with some sort of EXC_BAD_ACCESS other than callAsyncJavaScript. Am I missing something? Thanks,

I'm using the new iOS 26 WebPage/WebView for SwiftUI in a NavigationStack. The initial load works as expected, but when loading items from the back/forward lists, the content jumps beneath the navigation bar: struct WebPageTestView: View { var webPage = WebPage() var body: some View { NavigationStack { WebView(webPage) .toolbar { Button("Back") { if let backItem = webPage.backForwardList.backList.last { webPage.load(backItem) } } Button("Forward") { if let forwardItem = webPage.backForwardList.forwardList.first { webPage.load(forwardItem) } } } } .task { webPage.isInspectable = true webPage.load(URL(string: "https://domchristie.co.uk/")) } } } I have run this on the iOS 26.0 and 26.1 Simulators and get the same issue. The demo website does not use any JavaScript. I was able to replicate this behaviour using a wrapped WKWebView and calling the .ignoresSafeArea(.all) modifier.