Hi, it seems that with iOS26 the system displays two entries in the screentime report for apps that use a WKWebView: one for the app itself and one for the website that was displayed in the app. We don't see this behaviour in iOS18.7. I'm reseaching how to disable the recording for the webviews in one of our apps (written in Swift with UIKit). The STWebpageController looked promising, especially the field suppressUsageRecording, but the whole class is poorly documented. We initialized it with the bundle identifier of the app and set the url of the wkwebview as the url in STWebpageController. It looks a bit like this: webView = WKWebView(frame: .zero, configuration: config) view.addSubview(webView) //setup STWebpageController webpageController = STWebpageController() do { try webpageController!.setBundleIdentifier(bundleIdentifier) } catch{ } webpageController!.suppressUsageRecording = true addChild(webpageController!) view.addSubview(webpageController!.view) webpageController!.view.frame = view.frame webpageController!.didMove(toParent: self) //load url in webView let request = URLRequest(url: url, cachePolicy: .reloadIgnoringLocalCacheData) webview.load(request) webpageController?.url = request.url This has no effect on the recorded screentime for the webview inside our app - we still see the same time for the container app and the included webview. Any suggestions? Thanks, Heiko

Hello from Leipzig, Germany! I noticed that when vertically scrolling in Safari 26 on my Mac, the content of the website I am currently working on is visible in the tab and URL bar with a liquid glass effect. I then looked at various other websites. Some websites have an opaque top bar. Some websites have a transparent top bar where content is visible when scrolling. On the Apple website, the top bar is opaque in light mode but transparent in dark mode. Unfortunately, I can't find a way to control this behavior. Has anyone found out more about this?

While implementing Apple Maps into our web application, I have a scenario where I want to be able to drag and move some of my custom annotations around. While that is working, when "picking up" the annotation before dragging it, there is an animation which I believe is to represent the human interaction of picking up a pin from a map, I would like to cancel that animation and thought that would be possible by calling preventDefault() in the emitted long-press event, which the documentation states that annotations should emit if they are draggable. The thing is that I don't get this event to emit when long pressing an annotation. So I believe that I have found a bug. It's in this paragraph in the documentation https://aninterestingwebsite.com/documentation/mapkitjs/handling-map-events#Respond-to-map-interaction-events A long press occurs on the map outside an annotation. A long press may be the beginning of a panning or pinching gesture on the map. You can prevent the gesture from starting by calling the preventDefault() method of the event. Annotations need to be draggable to dispatch long-press events. In anybody else experiencing this or do you see any clear fix for this? Maybe there is another way to cancel that "picking up the annotation for dragging" animation. I have seemed to try anything else.

I have a very specific issue that happens only on iOS Simulator version 18.4. It does NOT happen when I run my app on a real iOS 18.4 device through Testflight. My app displays a WebView (courtesy of Capacitor, url scheme capacitor://). Inside that Webview I'm using Firebase JS API (11.2.0) and calling signInWithEmailAndPassword, which works well in all other contexts, i.e. browser, Android webview, iOS webview in all other Simulator versions, and on real devices. Only when running in Simulator 18.4, I get a failed network request: cannot parse response Fetch API cannot load https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?... due to access control checks. Failed to load resource: cannot parse reponse error: FirebaseError: (auth/network-request-failed) Everything is working correctly for both: Capacitor app webview installed on a real 18.4 device with Testflight Safari (non-webview) in the 18.4 Simulator The issue is severe for us, because we are unable to develop our app and test it in the simulator on 18.4 Simulator before pushing it through Testflight internal release. Request headers on the failed request (no response status or headers available). Request Accept: / Content-Type: application/json Origin: capacitor://localhost Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: cross-site User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 18_4 like Mac OS X) - AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 X-Client-Version: Mobile/JsCore/11.2.0/FirebaseCore-web X-Firebase-Client: (...)

I'm developing an application that makes use of a WebView. When resuming the app I occasionally run into an issue where the application just shows as a blank page. In the Console.app I see a stack trace, however the details are hidden (see below). The stack trace is thrown from JavaScriptCore. default 13:37:07.029261+0200 outlinerrs_dioxus 1 0x1b80cd678 <private> default 13:37:07.029360+0200 outlinerrs_dioxus 2 0x1b7d50e30 <private> default 13:37:07.029369+0200 outlinerrs_dioxus 3 0x1047ec800 <private> default 13:37:07.029539+0200 outlinerrs_dioxus 4 0x1b7d37924 <private> default 13:37:07.029548+0200 outlinerrs_dioxus 5 0x1b8102a78 <private> default 13:37:07.029789+0200 outlinerrs_dioxus 6 0x1b8100cb8 <private> default 13:37:07.029834+0200 outlinerrs_dioxus 7 0x1b7ba7b0c <private> default 13:37:07.029851+0200 outlinerrs_dioxus 8 0x1b879a520 <private> default 13:37:07.029870+0200 outlinerrs_dioxus 9 0x1b817f204 <private> default 13:37:07.030159+0200 outlinerrs_dioxus 10 0x1b76bfce8 <private> default 13:37:07.030186+0200 outlinerrs_dioxus 11 0x1b76ad838 <private> default 13:37:07.030245+0200 outlinerrs_dioxus 12 0x1b76bd76c <private> default 13:37:07.030324+0200 outlinerrs_dioxus 13 0x1b22c827c <private> default 13:37:07.030424+0200 outlinerrs_dioxus 14 0x1b22c8034 <private> default 13:37:07.030461+0200 outlinerrs_dioxus 15 0x19d6df230 <private> default 13:37:07.030514+0200 outlinerrs_dioxus 16 0x19d6df1a4 <private> default 13:37:07.030584+0200 outlinerrs_dioxus 17 0x19d6bcc6c <private> default 13:37:07.030592+0200 outlinerrs_dioxus 18 0x19d6928b0 <private> default 13:37:07.030601+0200 outlinerrs_dioxus 19 0x19d691c44 <private> default 13:37:07.030607+0200 outlinerrs_dioxus 20 0x23ca6e498 GSEventRunModal default 13:37:07.030675+0200 outlinerrs_dioxus 21 0x1a300cddc <private> default 13:37:07.031049+0200 outlinerrs_dioxus 22 0x1a2fb1b0c UIApplicationMain default 13:37:07.031064+0200 outlinerrs_dioxus 23 0x104a76278 <private> default 13:37:07.031070+0200 outlinerrs_dioxus 24 0x1047a0064 <private> default 13:37:07.031254+0200 outlinerrs_dioxus 25 0x104781efc <private> default 13:37:07.031343+0200 outlinerrs_dioxus 26 0x1047493e0 <private> default 13:37:07.031352+0200 outlinerrs_dioxus 27 0x10477e1c8 <private> default 13:37:07.031358+0200 outlinerrs_dioxus 28 0x1047a0184 <private> default 13:37:07.031373+0200 outlinerrs_dioxus 29 0x1047a033c <private> default 13:37:07.031409+0200 outlinerrs_dioxus 30 0x104733724 <private> default 13:37:07.031451+0200 outlinerrs_dioxus 31 0x104464e98 <private> I tried to create com.apple.WebKit.plist in /Library/Preferences/Logging/Subsystems with the following contents: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>DEFAULT-OPTIONS</key> <dict> <key>Enable-Private-Data</key> <true/> </dict> </dict> </plist> Does anyone know how to reveal the hidden logs?

Hi,
 We’re implementing Apple Pay on the Web for a multi-tenant platform via a PSP. The PSP operates multiple HSM/clusters and gave us multiple CSRs, asking us to register all.
Our understanding: a Merchant ID can hold several PPCs over time, but only one is active at once. Questions Is there any supported way to keep more than one PPC active simultaneously for the same Merchant ID? If not, what does Apple recommend for web-only, multi-tenant setups: a single MID with PSP-side decryption & sub-merchant separation, or separate MIDs per brand/region? Any official guidance on PPC rotation and handling many domains for Apple Pay on the Web? links to official docs or prior Apple responses would be appreciated.

Can anyone of Apple give a status update whats planed with CC module scripts? Issue: https://bugs.webkit.org/show_bug.cgi?id=227967

Howdy, WKWebView feature request: allow Fullscreen API without User Gestures similar to ElectronJS' userGesture: true flag that allows devs to bypass user gesture restriction for Fullscreen API and similar executeJavaScript(code[, userGesture]) https://www.electronjs.org/docs/latest/api/web-contents#contentsexecutejavascriptcode-usergesture afaik this is allowed because of a fairly recent update to Chromium that also allows users to give Fullscreen API permissions per domain https://chromeos.dev/en/posts/using-the-fullscreen-api-without-gestures Would be greatly useful for a use case in my cross-platform app, so I can avoid rewriting all platforms to use Chromium Thanks

Safari on iOS 17, when entering characters into text input box after deleting characters, the layout is off. Here's the HTML: <body> <div id="J001" style="display: inline-block;"> <div id="J001__0" style="display: inline-block;"> <input id="J001__0__input" style="display: inline-block; height: 28px; padding:2px; border:1px solid gray;"></div> <div id="J003__0" style="display: inline-block;"> <button id="J003__0__btn" style="display: inline-block; height:34px;">a</button> </div> </div> </body> Enter "A" into text input box. Delete "A" with the backspace(x). Enter "A" into text input box, the button position will be shifted down. iOS 17 の Safari にて、テキスト入力ボックスで文字を削除した後、文字を入力するとレイアウトが崩れます。 テキスト入力ボックスに「A」と入力します。 バックスペース(x)で「A」を削除します。 テキスト入力ボックスに「A」と入力すると、ボタンの位置が下にずれます。

In a Safari Web Extension using Manifest V3, how can a content script access an HTML file that is bundled with the extension (e.g., to inject it as an iframe)? Safari's CSP seem to prevent the use of browser.runtime.getURL() in the MAIN world — is there a recommended way to load such resources securely?

Hi everyone, i'm running into a problem with my personal domain being flagged as 'deceptive website' in safari, and i can't figure out how to fix it Domain: neon0404.space This is just my personal domain - i use it for adguard home, vaultwarden, some test stuff, sometimes small web tools for friends or family Nothing illegal or malicious has ever been hosted there On july 6, i launched a very simple web utility for a friend when he opened it on ios safari, he got the red 'deceptive website warning' I checked this on other different devices - all got the same warning The next day (july 7) i submitted a review request via websitereview.apple.com, but got no reply I did some digging and found that safari safe browsing daemon pulls data from google safe browsing, tencent safe browsing, and some apple's internal lists So, going one-by-one https://transparencyreport.google.com/safe-browsing/search showed up that domain is flagged for something shady Signed up in google search console and saw my domain was flagged for 'malware links' (with no related urls listed), so looked like a false positive I audited everything related to this domain on august 5 - nothing suspicious Next day i requested a review in Google Search Console, just next day Google confirmed that everything is ok and removed the flag So, i thought, maybe this was the key and requested another review via websitereview.apple.com (august 7) No reply, domain still flagged While i was waiting, i checked domain in Tencent (https://urlsec.qq.com/check.html) - no issues Other services like VirusTotal, Norton and Sucuri showed up same result - no issues I attempted to contact regular support (even though it's not their area of responsibility), but just in case They, as expected, couldn't do anything At this point it feels like a dead end, so i'm here Has anyone been through this before? Is there any other way to escalate the review process with apple? Really appreciate any advice, as this domain is personal and linked to my username, which i want to use later

Hey everyone, After installing iOS 26 beta, I started noticing unexpected behavior in our input event handlers. Specifically, when users type into an field, event.target.value is always an empty string — but only when the JS file is loaded from a specific domain (e.g., t1.daumcdn.net). The exact same code works perfectly when hosted on other domains like t2.daumcdn.net or search1.daumcdn.net. 👉 I created a demo here: 🔗 CodePen Demo The scripts loaded from each domain are 100% identical (apart from the top-level selector). Before iOS 26 beta, this worked fine. I suspect this is related to ITP or some new cross-origin behavior in Safari, but I’d love to know if anyone else is running into this — or if someone knows a workaround. Thanks!

Currently, im on MacOS Tahoe 26 Public Beta 2, build number 25A5327h. I just recently updated to this, and now, whenever I open some sites like Amazon, or ChatGPT, it freezes my entire browser and I have to force quit it. I tried deleting the SpeakSelection.plist file which everyone swore worked, but not for me. Is this because the new update messed with resource allocation or did my user data corrupt mid-update and i have to transfer all my stuff to a new user?

When practicing a post request today I forgot to use the setvalue method. Why is this method important and needed for a post request? Don't we just encode the data to JSON and put that as the httpbody and make the request

I am trying to build and run a Safari Web Extension from Xcode and I have enabled "Allow unsigned extensions" in Safari settings. However, I see the below pop up: And, if click on the "Quit and Open Safari Extensions Preferences..." button, the project stops running on Xcode and nothing happens. What can be the issue? The extension works and runs fine if I get it from the Mac App Store and this only happens when running from Xcode. I even tried completely uninstalling the mac app store version and still facing the same issue.

The app I work on uses WKWebView to render customer data. In iPadOS 26, we observe that there is a delay when resizing the window (and thus the web view) before the content is re-rendered. The same behavior is visible in Safari. For demonstration purposes, consider this test page: https://phet-dev.colorado.edu/html/build-an-atom/0.0.0-3/simple-text-only-test-page.html Initially, the window is small: Then when the window is expanded, the content scales up temporarily: It eventually re-renders to the correct size, but then if you make the window small again, you get (temporarily): Is there anyway around this behavior? We would love to have the content reflow interactively.

I’m a developer working on a Safari Web Extension that’s distributed via the App Store and also tested locally through Xcode. I’m running into an issue that’s affecting my ability to debug errors reported to my Sentry error logging instance from production. The Problem When an error is thrown in one of my extension scripts (e.g., background.js, popup.js, or content.js), the error is sent to Sentry but the captured JavaScript error stack trace replaces the file paths with the webkit-masked-url://hidden placeholder like this: ReferenceError: Cannot access uninitialized variable. at ? (webkit-masked-url://hidden/:14677:28) at ? (webkit-masked-url://hidden/:16307:3) This happens consistently across both App Store builds and local Xcode runs. It prevents me from seeing which script the error came from or resolving the actual source code lines using uploaded source maps in Sentry. My Setup Safari Version: 18.5 (Stable on macOS) Distribution: App Store and local Xcode development Extension Type: Safari Web Extension Error Reporting: Sentry (@sentry/browser SDK) Bundler: Webpack with inline-source-map What I’ve Confirmed I can see the actual source files in Safari’s Web Inspector under the Sources tab when the extension is running. My source maps are uploaded to Sentry correctly and are associated with the matching release. Errors from Safari are being captured by Sentry, but the file URLs are masked, so stack traces cannot be resolved against my original source. My Question Is this behavior (masking file URLs in stack traces with webkit-masked-url://hidden/) intentional for Safari Web Extensions? If so, is there any supported method or workaround to allow exception stack traces to reveal the original script path (e.g., popup.js, background.js) so tools like Sentry or even console logs can point to real locations? I fully understand the privacy/security rationale behind the masking, but as the extension developer, this is making it extremely difficult to debug runtime issues in production. I’d really appreciate any insight into: Whether this masking is expected and permanent behavior If there are any entitlements, debug settings, or Info.plist keys that can alter this behavior for development or for trusted/own extensions If Apple recommends a different way to log extension errors that includes script name or source references Thanks in advance for your help! I’m happy to share more technical details or try out suggestions.

Hi guys, I'm trying to use sign in with apple in javascript, I followed the guider in the website, and almost find everything I can find in Google, but nothing help, here is my situation: I create a new App: com.yuhan.test.app I create a new service ID: com.yuhan.test.service configure a domain and return url domain: tts.perterpon.com returnURL: https://tts.perterpon.com/login create a new key for Sign In with Apple. my html code is here, it's easy, but it always told me invalid_client, I think I have done anything I need to do, can somebody help me? Thank you so much. you can test my online web site: https://tts.perterpon.com/login.html ` const buttonElementNew = document.getElementById('appleid-signin'); buttonElementNew.addEventListener('click', async () => { try { const data = await AppleID.auth.signIn() console.log('Try/Catch Data', data.authorization.id_token); const formData = new FormData(); formData.append("token", data.authorization.id_token); await fetch("", { method: "POST", body: formData, }); // Handle successful response. } catch (error) { // Handle error. } }); </script>

When creating a passkey with the PRF extension on an iPhone 15 Pro Max using Safari on iOS 18.4.1, PublicKeyCredential.getClientExtensionResults reports true; however there is no hmac-secret extension in the authenticator data as required by WebAuthn Level 3.

There is webview use in native MacOS app, there white lines on edges of webview you can observe, they are flickering if do resize the app window. i would like to get rid of them. i need help, thanks.