Safari continues to display a "Fraudulent Website Warning" for openvan.camp despite the domain being clean across all major security databases for over a week. Chrome, Firefox, and all other browsers open the site without any warnings. Domain: openvan.camp Warning appeared: March 18, 2026 Warning type: Fraudulent Website Warning (red screen) Current security database status: Google Safe Browsing: ✅ Clean (transparencyreport.google.com) Google Search Console: ✅ No security issues Spamhaus DBL: ✅ Removed from blocklist Fortinet FortiGuard: ✅ Category "Travel" VirusTotal: ✅ 0/65 vendors URLVoid: ✅ 0/35 engines Steps taken: Removed the third-party ad network (Adsterra) that caused the original flag — March 18, 2026 Migrated hosting to Scaleway (AS12876, France), IP: 151.115.84.228 Configured SPF, DKIM, DMARC records Created functional abuse@ and postmaster@ role accounts Submitted review via websitereview.apple.com — no response after 5 days What we believe is happening: Apple's Safe Browsing database appears to have an independent entry for this domain that has not been updated despite all underlying security databases clearing the flag. Safari's warning persists even after deleting ~/Library/Safari/SafeBrowsing/ cache and re-downloading the database — which confirms this is not a local cache issue. Steps to reproduce: Open Safari on macOS or iOS Navigate to https://openvan.camp/ Safari displays "Fraudulent Website Warning" Open the same URL in Chrome — no warning Expected behavior: No warning should be shown. The domain is legitimate, clean, and verified. Has anyone experienced a similar issue? Is there any additional channel to escalate beyond websitereview.apple.com?

On macOS 26, when a passkey sign-in flow is started in Safari or another WebKit-based browser (for example, DuckDuckGo browser), smart cards become inaccessible as soon as the password manager selection UI is shown, but only if the website offers “Security Key” as one of the passkey storage/authentication options. At that moment, it appears the system starts polling connected smart cards and does not properly release the transaction/session. As a result, other applications and libraries can no longer communicate with the smart card until the passkey UI is dismissed, and in practice the card may remain unavailable until the passkey sign-in flow is fully completed. This does not happen in Chrome. This does not happen if the website does not offer the “Security Key” option. This does not happen during passkey registration; the issue affects sign-in only. From our investigation, Safari/WebKit appears to open communication with connected smart cards and keep the transaction/session active. Because of that: • our own smart card code blocks while waiting for a PC/SC transaction to begin; • the system pcsctest utility also hangs and does not continue until the passkey selection UI is closed; • a minimal sample using TKSmartCard also blocks on beginSession(). This suggests the smart card is locked not only at the PC/SC level, but also at the CryptoTokenKit level. This issue is critical for us. We are developing a password manager that supports storing keys on a smart card, and due to this behavior we cannot access our card while Safari/WebKit is showing the passkey flow. Is there any way to stop safari from accessing smartcards? Any terminal commands/settings/workarounds?

com.apple.WebKit.WebContent process is being killed by the kernel’s memorystatus jetsam mechanism when it exceeds the ActiveHard 2048 MB limit, even though the iPhone has 12 GB physical RAM and hundreds of thousands of free pages available. This causes the exact same WebProcess → GPUProcess crash that was reported in thread 822200, but now the root cause is clearly visible in the kernel log. The crash only occurs on iPhones, never on iPads (even older ones). Environment Failing devices: iPhone 17 Pro (12 GB RAM) x 2 — iOS 26.3, 26.4, 26.4.1 Working devices (same page, same iOS): iPad Pro 2018 — iOS 26.1 (stable) iPad Pro 2025 — iOS 26.4 (completely stable) Reproduces in Safari and in WKWebView (Capacitor/Ionic app) Actual Logs (kernel + WebKit) `logApr 15 21:23:33 iPhone kernel[0] : memorystatus: com.apple.WebKit.WebContent [1596] exceeded mem limit: ActiveHard 2048 MB (fatal) Apr 15 21:23:33 iPhone kernel[0] : memorystatus: killing process 1596 [com.apple.WebKit.WebContent] in high band FOREGROUND (100) - memorystatus_available_pages: 196999 0x1110ec640 - [PID=4689] WebProcessProxy::didClose: (web process 0 crash) 0x1110ec640 - [PID=4689] WebProcessProxy::processDidTerminateOrFailedToLaunch: reason=Crash 0x117048018 - [pageProxyID=7, webPageID=8, PID=4689] WebPageProxy::processDidTerminate: (pid 4689), reason=Crash 0x1130e8640 - [PID=0] WebProcessProxy::gpuProcessExited: reason=IdleExit ... (multiple RBSRequestErrorDomain Code=4 "Target process has a higher termination resistance..." errors)` Expected Behavior With 12 GB RAM and ~197k free pages, the WebContent process should not be killed at only 2 GB. The same heavy animation page runs stably on iPad (which apparently has a higher ActiveHard limit for WebKit). Additional Notes This is not a leak in the web page itself — the crash happens even when total system memory is plentiful. The 2048 MB ActiveHard limit appears to be applied specifically to iPhone device class, while iPad gets a more generous budget. The issue has existed since at least iOS 26.3 and affects both Safari and embedded WKWebView. This seems like an overly aggressive jetsam policy for WebKit on iPhone compared to the available hardware. Could the WebContent process’s memory limit be increased for modern iPhones (12 GB+ models)? Increased Memory Limit not worked for com.apple.WebKit.WebContent. I can only add this to my app. Thank you!

I'm experiencing a native crash on iOS 26+ with WebKit with title: EXC_BAD_ACCESS (KERN_INVALID_ADDRESS). The stack trace points to UIKit/WebKit animation and context menu handling, and the crash occurs while a WebView is presented or dismissed. Crashed: com.apple.main-thread 0 WebKit 0x7bcfac <redacted> + 12 1 WebKit 0xaf5c34 <redacted> + 84 2 UIKitCore 0x34ebdc -[_UIContextMenuAnimator performAllCompletions] + 248 3 UIKitCore 0x7f997c block_destroy_helper.72 + 1840 4 UIKitCore 0x7fb4b4 objectdestroy.36Tm + 88 5 UIKitCore 0x7ad354 objectdestroy.3Tm + 30500 6 UIKitCore 0x5c0e5c __swift_memcpy192_8 + 4352 7 UIKitCore 0x21944 block_copy_helper.374 + 40 8 UIKitCore 0x1dc174 -[_UIGroupCompletion _performAllCompletions] + 160 9 UIKitCore 0x35d0c4 -[_UIGravityWellEffectBody .cxx_destruct] + 180 10 UIKitCore 0x215018 -[UIScrollView _contentLayoutGuideIfExists] + 72 11 UIKitCore 0x943e4 NSStringFromUIEdgeInsets + 304 12 UIKitCore 0x94348 NSStringFromUIEdgeInsets + 148 13 UIKitCore 0x8f598 __UIVIEW_IS_EXECUTING_ANIMATION_COMPLETION_BLOCK__ + 36 14 UIKitCore 0x1995d8c -[UIViewAnimationBlockDelegate _sendDeferredCompletion:] + 92 15 libdispatch.dylib 0x1adc _dispatch_call_block_and_release + 32 16 libdispatch.dylib 0x1b7fc _dispatch_client_callout + 16 17 libdispatch.dylib 0x38b10 _dispatch_main_queue_drain.cold.5 + 812 18 libdispatch.dylib 0x10ec8 _dispatch_main_queue_drain + 180 19 libdispatch.dylib 0x10e04 _dispatch_main_queue_callback_4CF + 44 20 CoreFoundation 0x6a2b4 __CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__ + 16 21 CoreFoundation 0x1db3c __CFRunLoopRun + 1944 22 CoreFoundation 0x1ca6c _CFRunLoopRunSpecificWithOptions + 532 23 GraphicsServices 0x1498 GSEventRunModal + 120 24 UIKitCore 0x9ddf8 -[UIApplication _run] + 792 25 UIKitCore 0x46e54 UIApplicationMain + 336 26 - 0xedf88 main + 24 (AppDelegate.swift:24) 27 ??? 0x196686e28 (Missing)

Summary Our app’s WKWebView triggers a WebContent / GPU process crash on iPhone 15 running iOS 26.4. The same flow works on iPad running iOS 26.4. Environment Failing: iPhone 15, iOS 26.4 Working: iPad, iOS 26.4 Web stack: WKWebView / WebKit (Safari & Web) What we see The WKWebView web process terminates; logs show WebProcess and GPU process exits, followed by RBS assertion failures and (in one WebContent process) repeated containermanagerd XPC invalidation. Expected Web content loads and remains stable like on iPad 26.4. Actual Web process crashes; page goes blank or WebView recovers only after reload. Logs 0x10715d518 - [pageProxyID=14, webPageID=15, PID=3629] WebPageProxy::dispatchProcessDidTerminate: reason=Crash\ 0x10715ce18 - [pageProxyID=22, webPageID=23, PID=3629] WebPageProxy::dispatchProcessDidTerminate: reason=Crash\ 0x1480f01e0 - GPUProcessProxy::didClose:\ 0x1480f01e0 - GPUProcessProxy::gpuProcessExited: reason=Crash\ 0x14808c640 - [PID=3633] WebProcessProxy::gpuProcessExited: reason=Crash\ 0x14808cb80 - [PID=3634] WebProcessProxy::gpuProcessExited: reason=Crash\ WebContent[3633] 0x10d07ebc0 - GPUProcessConnection::didClose\ Error acquiring assertion: <Error Domain=RBSAssertionErrorDomain Code=2 "Specified target process 3630 does not exist" UserInfo=\{NSLocalizedFailureReason=Specified target process 3630 does not exist\}>\ 0x148128600 - ProcessAssertion::acquireSync Failed to acquire RBS assertion 'XPCConnectionTerminationWatchdog' for process with PID=3630, error: (null)\ WebContent[3634] XPC connection to containermanagerd invalidated. Retry attempt 1 of 6\ WebContent[3634] XPC connection to containermanagerd invalidated. Retry attempt 2 of 6\ WebContent[3634] XPC connection to containermanagerd invalidated. Retry attempt 3 of 6\ WebContent[3634] XPC connection to containermanagerd invalidated. Retry attempt 4 of 6\ WebContent[3634] XPC connection to containermanagerd invalidated. Retry attempt 5 of 6\ WebContent[3634] XPC connection to containermanagerd invalidated. Retry attempt 6 of 6\ WebContent[3634] _container_query_get_result_at_index: error = 2\uc0\u8594 (51) XPC_INVALID_REPLY;\ WebContent[3634] container_system_group_path_for_identifier: error = ((container_error_t)51) XPC_INVALID_REPLY\ WebContent[3634] 0x11107ebc0 - GPUProcessConnection::didClose\

Fatal Exception: NSInternalInconsistencyException Cannot remove an observer <WKWebView 0x135137800> for the key path "configuration.enforcesChildRestrictions" from <STScreenTimeConfigurationObserver 0x13c6d7460>, most likely because the value for the key "configuration" has changed without an appropriate KVO notification being sent. Check the KVO-compliance of the STScreenTimeConfigurationObserver [class.] I noticed that on iOS 26, WKWebView registers STScreenTimeConfigurationObserver, Is this an iOS 26 system issue? What should I do?

Reproduction Steps:a. Create a WKWebView instance and set a custom string to customUserAgent.b. Load any web page (e.g., https://example.com).c. Check the User-Agent field in the request headers via packet capture tools or Web Inspector. Expected Result:The custom User-Agent should be appended to the default system identifier (Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15...), instead of being completely overwritten. Actual Result:The User-Agent is fully replaced with: NetworkingExtension/8624.1.16.10.6 Network/5812.102.3 iOS/26.4, and all basic system identifiers are missing. Additional Information: Device: iPhone 16 Pro Max iOS Version: 26.4 (Build 20T5127) WKWebView setup: Directly set using the customUserAgent property Network Extension features are not used in the project, but the NetworkingExtension identifier still appears in the User-Agent

Under iOS 26 or macOS 26 I experience some issues when trying to delete certain cookies via WKWebsiteDataStore.httpCookieStore.deleteCookie(). Most cookies can be deleted just fine, but a few simply can not be deleted anymore. Calling the deleteCookie() function with a valid cookie (retrieved via getAllCookies()) does nothing. This is not an issue under iOS 18.x or macOS 15.x or older. Looking at the exact cookie data does not show anything special which would explain why certain cookies can't be deleted anymore. It is still possible to delete cookies via WKWebsiteDataStore.removeData(ofTypes:, for:), but of course then much more data is deleted, not just individual cookies. So this is not a solution, because it is important to be able to delete individual cookies. Does anyone has a workaround or solution for this macOS/iOS bug?

In iOS 26.4 beta, I noticed that when loading pages using WKWebView and using WebSocket to establish IP type addresses, the connection duration was several seconds and sometimes even failed to connect (normally, the connection duration should be in milliseconds). However, when establishing WebSocket connections using domain names, the connections were normal. Additionally, I discovered a special scenario: When directly establishing WebSocket connections using IP type addresses, it remained in the "connect" state. At the same time, based on Wireshark packet capture, it was found that no TCP connection was sent at this time. However, if two connections with the same address were established simultaneously, those two connections could successfully connect. This bug has seriously affected the use of my application service. Is there a chance that this version will solve the problem?

Observed versions: Reproduced on Tahoe / Safari 26 and iOS 26 Safari. Not reproduced on v18 Safari. Not reproduced in Chrome with the same reduced test setup. We are seeing a Safari-only rendering issue affecting an ad creative inside an iframe on both desktop Safari and iOS Safari. What we observe: The issue is reproducible in Safari on OS X and iOS v26. We do not reproduce it in Chrome with the same test setup. We can reproduce it in a minimal test case, outside our site app code. The issue appears tied to the rendered iframe document/layout, not our outer page layout. The problematic rendered structure inside the iframe looks like this: <div class="GoogleActiveViewElement" style="display:inline"> <ins class="dcmads" style="display:inline-block;width:320px;height:50px"> <script src="proxy.php?url=https%3A%2F%2Fwww.googletagservices.com%2Fdcm%2Fdcmads.js"></script> </ins> </div> Here is a simplified, local-reproducible version for testing: <div class="GoogleActiveViewInnerContainer" style="left:0px; top:0px; width:100%; height:100%; position:fixed; pointer-events:none; z-index:-9999;"></div> <div class="GoogleActiveViewElement" style="display:inline"> <ins class="dcmads" style="display:inline-block;width:320px;height:50px"> <script> document.write( '<a target="_blank" href="#"><img ' + 'src="data:image/svg+xml;utf8,' + encodeURIComponent( '<svg xmlns="http://www.w3.org/2000/svg" width="320" height="50">' + '<rect width="320" height="50" fill="#ffd8d8"/>' + '<text x="160" y="30" text-anchor="middle" font-family="Arial" font-size="14" fill="#222">' + 'img placeholder' + '</text>' + '</svg>' ) + '" ' + ' alt="Advertisement" border="0" width="320" height="50" style="display:block" /></a>' ); </script> </ins> </div> In Safari, this produces extra vertical spacing / cutoff above the ad. In the test code you will only notice an added top spacing, but when rendered in a live ad, the bottom gets cut off. A few details that may help: If we manually change the inner ins.dcmads from display:inline-block to display:inline, or adding overflow:hidden, the spacing issue goes away. If the loader script is moved outside the ins during manual experimentation, the issue also goes away. This makes it look like a Safari layout/rendering issue involving an inline wrapper around an inline-block ad container during script-driven rendering. Questions: Is this a known Safari/WebKit layout issue involving inline + inline-block content in iframe documents? Has there been any recent Safari/WebKit change that could affect this rendering path? Is there a preferred reduced repro format for reporting layout issues like this?

Background We are investigating Safari’s Prevent Cross‑Site Tracking feature (part of Intelligent Tracking Prevention / Link Tracking Protection) on iOS and macOS (latest versions). We fully understand and respect Safari’s privacy objectives and are not requesting any whitelisting or relaxation of protections. Our goal is to understand how Safari determines when and where query parameter stripping is applied, so we can design a compliant and predictable implementation. Based on public WebKit and privacy documentation, it is understood that Safari’s tracking prevention behavior may be influenced by: Tracker classification sources such as: DuckDuckGo Tracker Radar https://github.com/duckduckgo/tracker-radar EasyList / EasyPrivacy https://easylist.to/easylist/easyprivacy.txt WebKit privacy architecture and heuristics, including behavior described in: WebKit “Private Browsing 2.0” / Link Tracking Protection documentation https://webkit.org/blog/15697/private-browsing-2-0/ Request for Guidance To help us align fully with Safari’s privacy model, we respectfully request guidance on: How Safari determines, at a domain or subdomain level, when to apply query parameter stripping under Prevent Cross‑Site Tracking. Whether evaluation may be influenced by: Tracker classification sources (e.g., domain reputation or known tracking endpoints) Runtime network behavior (such as cross‑site analytics requests) Subdomain‑specific context or historical behavior Whether Prevent Cross‑Site Tracking is evaluated: Per navigation event Per domain or subdomain Based on cumulative or runtime signals Whether Apple recommends specific design patterns or alternatives for handling essential, non‑tracking URL data in a way that is compatible with Safari’s privacy protections. Our objective is to design a solution that respects Safari’s intent and avoids reliance on fragile or unpredictable URL‑based behavior.

Hello All, I have a app which has a WKWebview loading some code from a remote origin - https://my-company.example.com When WKWebview loads remote origin, that page does load some of the sub-resources from in-app localhost server (GCDWebserver), i.e. reach out to a loopback based in-app GCDWebserver, now to provide a secure context I had an existing setup with self signed cert, CORS and everything needed for https on localhost. And the sub-resources used to load fine from https localhost till 26.4 Starting with iOS 26.4 it started breaking with TLSv1_ALERT_UNKNOWN_CA Is there any known guidance for this? Technically as per w3c spec, localhost is considered secure context by default right? and no special things need to be done. But ios/Webkit seem to be different in this regard. Is this a known issue, and is there any mitigation here? I'll try to provide a sample app soon if possible.

We are experiencing an issue after Xcode 26.0 to load local javascript files to WKWebView to render our own design. it used to work well, however after Xcode 26.0, when [self.webView loadFileURL:fileURL allowingReadAccessToURL:accessURL]; it returns [PID=1514] WebProcessProxy::hasAssumedReadAccessToURL(3198190): no access self.webRootPath = [[NSHomeDirectory() stringByAppendingPathComponent:@"Documents"] stringByAppendingPathComponent:CHAT_VIEW_WEB_ROOT]; NSFileManager *fileManager = [NSFileManager defaultManager]; NSError *error = nil; if (! [fileManager fileExistsAtPath:self.webRootPath]){ [fileManager createDirectoryAtPath:self.webRootPath withIntermediateDirectories:NO attributes:nil error:&error]; } NSURL *accessURL = [NSURL fileURLWithPath:self.webRootPath]; Not sure how to assign access permission to WKWebView. Any help much appreciated.

According to our crash analytics, our application crashes while a context menu is opened on a web view. This crash takes place on iOS 26+ only. The messages states that a web view is no longer inside active window hierarchy, however we doesn't modify web view instance's parent anyhow while the context menu is opened. Can you please help with a fix or at least workaround for this issue? What's your opinion for bug localization (application or framework)? NSInternalInconsistencyException UIPreviewTarget requires that the container view is in a window, but it is not. (container: <WKTargetedPreviewContainer: 0x14b442840; name=Context Menu Hint Preview Container>) userInfo: { NSAssertFile = "UITargetedPreview.m"; NSAssertLine = 64; } Crashed: CrBrowserMain 0 CoreFoundation __exceptionPreprocess + 164 1 libobjc.A.dylib objc_exception_throw + 88 2 Foundation -[NSMutableDictionary(NSMutableDictionary) initWithContentsOfFile:] + 0 3 UIKitCore -[UIPreviewTarget initWithContainer:center:transform:] + 660 4 UIKitCore (Missing) 5 UIKitCore (Missing) 6 UIKitCore (Missing) 7 UIKitCore (Missing) 8 UIKitCore (Missing) 9 UIKitCore -[_UIContextMenuPresentation present] + 56 10 UIKitCore +[UIView(UIViewAnimationWithBlocksPrivate) _modifyAnimationsWithPreferredFrameRateRange:updateReason:animations:] + 168 11 UIKitCore (Missing) 12 UIKitCore (Missing) 13 UIKitCore (Missing) 14 UIKitCore (Missing) 15 UIKitCore +[UIView(UIViewAnimationWithBlocks) _setupAnimationWithDuration:delay:view:options:factory:animations:start:animationStateGenerator:completion:] + 516 16 UIKitCore (Missing) 17 UIKitCore (Missing) 18 UIKitCore +[UIView __animateUsingSpringWithDampingRatio:response:interactive:initialDampingRatio:initialResponse:dampingRatioSmoothing:responseSmoothing:targetSmoothing:projectionDeceleration:retargetImpulse:animations:completion:] + 192 19 UIKitCore -[_UIRapidClickPresentationAssistant _animateUsingFluidSpringWithType:animations:completion:] + 316 20 UIKitCore -[_UIRapidClickPresentationAssistant _performPresentationAnimationsFromViewController:] + 516 21 UIKitCore -[_UIRapidClickPresentationAssistant presentFromSourcePreview:lifecycleCompletion:] + 400 22 UIKitCore __55-[_UIClickPresentationInteraction _performPresentation]_block_invoke_3 + 48 23 UIKitCore +[UIViewController _performWithoutDeferringTransitionsAllowingAnimation:actions:] + 140 24 UIKitCore __55-[_UIClickPresentationInteraction _performPresentation]_block_invoke_2 + 144 25 UIKitCore -[_UIClickPresentationInteraction _performPresentation] + 836 26 UIKitCore postPreviewTransition_block_invoke_2 + 104 27 UIKitCore handleEvent + 256 28 UIKitCore -[_UIClickPresentationInteraction _driverClickedUp] + 48 29 UIKitCore -[_UIClickPresentationInteraction clickDriver:didPerformEvent:] + 400 30 UIKitCore stateMachineSpec_block_invoke_5 + 48 31 UIKitCore handleEvent + 144 32 UIKitCore -[_UILongPressClickInteractionDriver _handleGestureRecognizer:] + 140 33 UIKitCore -[UIGestureRecognizerTarget _sendActionWithGestureRecognizer:] + 128 34 UIKitCore _UIGestureRecognizerSendTargetActions + 268 35 UIKitCore _UIGestureRecognizerSendActions + 268 36 UIKitCore -[UIGestureRecognizer _updateGestureForActiveEvents] + 308 37 UIKitCore -[UIGestureRecognizer gestureNode:didUpdatePhase:] + 300 38 Gestures (Missing) 39 Gestures (Missing) 40 Gestures (Missing) 41 Gestures (Missing) 42 UIKitCore -[UIGestureEnvironment _updateForEvent:window:] + 528 43 UIKitCore -[UIWindow sendEvent:] + 2924 44 UIKitCore -[UIApplication sendEvent:] + 396

According to our crash analytics, our application crashes while a context menu is closed (after being opened on a web view). This crash takes place on iOS 26+ only. Seems like WebCore::ElementContext::isSameElement is called after ElementContext has been destroyed, so it's a kind of use-after-free issue. Can you please help with a fix or at least workaround for this issue? What's your opinion for bug localization (application or framework)? EXC_BAD_ACCESS 0x0000000000000001 Crashed: CrBrowserMain 0 WebKit WebCore::ElementContext::isSameElement(WebCore::ElementContext const&) const + 12 1 WebKit __74-[WKSelectPicker contextMenuInteraction:willEndForConfiguration:animator:]_block_invoke + 84 2 UIKitCore -[_UIContextMenuAnimator performAllCompletions] + 248 3 UIKitCore (Missing) 4 UIKitCore (Missing) 5 UIKitCore (Missing) 6 UIKitCore (Missing) 7 UIKitCore (Missing) 8 UIKitCore -[_UIGroupCompletion _performAllCompletions] + 160 9 UIKitCore (Missing) 10 UIKitCore (Missing) 11 UIKitCore (Missing) 12 UIKitCore (Missing) 13 UIKitCore __UIVIEW_IS_EXECUTING_ANIMATION_COMPLETION_BLOCK__ + 36 14 UIKitCore -[UIViewAnimationBlockDelegate _sendDeferredCompletion:] + 92 15 libdispatch.dylib _dispatch_call_block_and_release + 32 16 libdispatch.dylib _dispatch_client_callout + 16 17 libdispatch.dylib _dispatch_main_queue_drain.cold.5 + 812 18 libdispatch.dylib _dispatch_main_queue_drain + 180 19 libdispatch.dylib _dispatch_main_queue_callback_4CF + 44 20 CoreFoundation __CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__ + 16 21 CoreFoundation __CFRunLoopRun + 1944 22 CoreFoundation _CFRunLoopRunSpecificWithOptions + 532 23 GraphicsServices GSEventRunModal + 120 24 UIKitCore -[UIApplication _run] + 792 25 UIKitCore UIApplicationMain + 336

I'm building a Capacitor iOS app with a plain <video> element playing an MP4 file inline. I want Picture-in-Picture to activate automatically when the user goes home — swipe up from the bottom edge of the screen (on an iPhone with Face ID) or press the Home button (on an iPhone with a Home button). Fullscreen → background works perfectly — iOS automatically enters Picture-in-Picture. But I need this to work from inline playback without requiring the user to enter fullscreen first. Setup <video id="video" playsinline autopictureinpicture controls src="proxy.php?url=http%3A%2F%2Fpodcasts.apple.com%2Fresources%2F462787156.mp4"> </video> // AppDelegate.swift let audioSession = AVAudioSession.sharedInstance() try? audioSession.setCategory(.playback, mode: .moviePlayback) try? audioSession.setActive(true) UIBackgroundModes: audio in Info.plist allowsPictureInPictureMediaPlayback is true (Apple default) iOS 26.3.1, WKWebView via Capacitor What I've tried 1. autopictureinpicture attribute <video playsinline autopictureinpicture ...> WKWebView doesn't honor this attribute from inline playback. It only works when transitioning from fullscreen. 2. requestPictureInPicture() on visibilitychange document.addEventListener('visibilitychange', () => { if (document.visibilityState === 'hidden' && !video.paused) { video.requestPictureInPicture(); } }); Result: Fails with "not triggered by user activation". The visibilitychange event doesn't count as a user gesture. 3. webkitSetPresentationMode('picture-in-picture') on visibilitychange document.addEventListener('visibilitychange', () => { if (document.visibilityState === 'hidden' && !video.paused) { video.webkitSetPresentationMode('picture-in-picture'); } }); Result: No error thrown. The webkitpresentationmodechanged event fires with value picture-in-picture. But the PIP window never actually appears. The API silently accepts the call but nothing renders. 4. await play() then webkitSetPresentationMode document.addEventListener('visibilitychange', async () => { if (document.visibilityState === 'hidden') { await video.play(); video.webkitSetPresentationMode('picture-in-picture'); } }); Result: play() succeeds (audio resumes in background), but PIP still doesn't open. 5. Auto-resume on system pause + PIP on visibilitychange iOS fires pause before visibilitychange when backgrounding. I tried resuming in the pause handler, then requesting PIP in visibilitychange: video.addEventListener('pause', () => { if (document.visibilityState === 'hidden') { video.play(); // auto-resume } }); document.addEventListener('visibilitychange', () => { if (document.visibilityState === 'hidden' && !video.paused) { video.webkitSetPresentationMode('picture-in-picture'); } }); Result: Audio resumes successfully, but PIP still doesn't open. 6. Native JS eval from applicationDidEnterBackground func applicationDidEnterBackground(_ application: UIApplication) { webView?.evaluateJavaScript( "document.querySelector('video').requestPictureInPicture()" ) } Result: Same failure — no user activation context. Observations The event order on background is: pause → visibility: hidden webkitSetPresentationMode reports success (event fires, no error) but the PIP window never renders requestPictureInPicture() consistently requires user activation, even from native JS eval Audio can be resumed in background via play(), but PIP is a separate gate Fullscreen → background automatically enters Picture-in-Picture, confirming the WKWebView PIP infrastructure is functional Question Is there any way to programmatically enter PIP from inline playback when a WKWebView app goes to background? Or is this intentionally restricted by WebKit to fullscreen-only transitions? Any pointers appreciated. Thanks!

Subject: Cross-Domain Access Behaviour in WKWebView – Clarification Required Description: We are facing a cross-domain issue in our iOS application where WKWebView loads content from one domain and attempts to access resources/data from another domain. Current Setup: App Platform: iOS WebView: WKWebView iOS Version: 26 Primary Domain: *.franconnectqa.net Data/Analytics Domain: analytics.franconnectdev.net SSL: Valid certificates configured ATS: Enabled Issue: When WKWebView loads content from franconnectqa.net, it attempts to access resources or analytics from analytics.franconnectdev.net, resulting in cross-domain restrictions. We would like to understand: Does WKWebView support cross-domain resource access by default? Are there any configuration settings that allow controlled cross-domain access? Are there known limitations regarding cookies, local storage, or session sharing across domains? Does WKWebView enforce additional restrictions beyond standard browser CORS policies? Are there recommended best practices for handling cross-domain scenarios in WKWebView? Expected Behavior: We want to determine whether: Cross-domain access is supported under certain configurations, OR The recommended approach is to align all resources under the same domain. Kindly provide guidance on the supported architecture and any configuration recommendations.

Hi, we were recently approved for the com.apple.developer.web-browser.public-key-credential entitlement and have added it to our app. It initially worked as expected for a couple of days, but then it stopped working. We're now seeing the same error as before adding the entitlement: Told not to present authorization sheet: Error Domain=com.apple.AuthenticationServicesCore.AuthorizationError Code=1 "(null)" ASAuthorizationController credential request failed with error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "(null)" Do you have any insights into what might be causing this issue? Thank you!

When using passkeys stored in iCloud Keychain (Passwords app) via Passkey Autofill in browsers other than Safari, the userVerification parameter is ignored and user verification (UV) is not performed. As a result, relying party servers that require userVerification = required fail validation because the UV flag is not set, causing passkey authentication to fail. This issue occurs when the following setting is disabled: Settings → Face ID & Passcode → Use Face ID For → Password AutoFill The issue is reproducible only with the following combination: Non-Safari browsers (e.g. Chrome) Passkeys stored in iCloud Keychain (Passwords app) Passkey Autofill The issue does not occur in the following cases: Safari with passkeys stored in any credential manager Non-Safari browsers using credential managers other than iCloud Keychain Steps to Reproduce: Go to Settings → General → Autofill & Passwords, and enable the Passwords app under “Autofill From”. Go to Settings → Face ID & Passcode → Use Face ID For, and disable “Password AutoFill”. Open Chrome and navigate to https://webauthn.io Enter a username and tap “Register” to create a passkey using the Passwords app (iCloud Keychain). On webauthn.io, go to Advanced Settings → Authentication Settings, and set “User Verification” to “Required”. Reload the page, tap the input field, and perform Passkey Autofill. User Verification is not triggered, and “Authentication failed” is displayed on webauthn.io. === This issue has already been reported via Feedback Assistant as FB21756948. I am posting here to confirm whether this behavior is working as intended or represents a bug, and to make other developers aware of the current behavior.

Hi, We're experiencing a WKWebView issue where the screen intermittently turns pure magenta (#FF00FF) in our production iOS app. After investigation, we traced this to WebKit's internal WKCompositingView.mm where [UIColor magentaColor] is used as a pending state indicator when coverView.hidden == NO. This matches rdar://163597990 / WebKit Bug 303157 ("Magenta flash when loading page"), which was fixed in commit 303720@main on 2025-12-01 via PR #54499. My question is simple: which iOS/Safari release includes this fix? We're on iOS 26.3 and still seeing the issue. We need to know: Is the fix already in iOS 26.3? (If so, there may be another unfixed code path) If not, which upcoming iOS version will include it? Our environment iOS 26.3, iPhone 15 Pro Max WKWebView with complex web content App codebase contains zero magenta color usage — this is purely from WebKit Related rdar://163597990 Bug 303157 — RESOLVED FIXED Bug 230531 — "Pages render as magenta after being in background" PR #54499 — Merged to main 2025-12-01 Any information about the release timeline would be very helpful. Thanks!