Subject: iOS 26 WKWebView: Remote Pages Become Unresponsive After Loading Local HTML Files Description We're experiencing a critical issue with WKWebView in a React Native 0.64.3 application where remote web pages become completely unresponsive after loading local HTML files in iOS 26. It works well before iOS26. Environment: React Native 0.64.3 iOS 26.0 Xcode 26.0.1 Using custom WKWebView implementations in Native modules Problem Details App loads local HTML files using loadFileURL:allowingReadAccessToURL: Later, when loading remote pages via loadRequest:, the remote pages load successfully but become unresponsive to user interactions This occurs even when using different WKWebView instances The issue is reproducible 100% of the time once a local file has been loaded Restarting the app and loading remote pages directly works fine Code Example: // Loading local file (works fine) [self.webView loadFileURL:localFileURL allowingReadAccessToURL:accessURL]; // Later, loading remote page (loads but becomes unresponsive) NSURLRequest *request = [NSURLRequest requestWithURL:remoteURL]; [self.webView loadRequest:request]; What We've Tried: Using different WKWebView instances for local vs remote content Comprehensive cleanup in dealloc (removing all user scripts and message handlers) Loading blank HTML before switching to remote content Using shared WKProcessPool (understanding its limitations in iOS 15+) Ensuring proper decisionHandler management in navigation delegates Resetting WKWebView configuration settings Clearing cookies and cache between loads Using loadFileRequest:allowingReadAccessToURL: instead of loadFileURL: Key Observations: The remote page renders correctly and network requests complete No JavaScript errors in console The view hierarchy appears normal in Debug View Hierarchy Touch events seem to be delivered but not processed by the web content Questions: Has Apple introduced new security restrictions in iOS 26 that affect the transition from file:// URLs to http:// URLs? Are there specific WKWebView configuration changes required for React Native applications in iOS 26? Could this be related to the React Native bridge or JavaScript context persistence? Any insights or workarounds would be greatly appreciated, as this is blocking our iOS 26 compatibility.

PLATFORM AND VERSION iOS Development environment: Xcode 16.2, macOS 15.3.2 Run-time configuration: iOS 15-18 This happens in iOS, and leads to to the hybrid home page showing users as wrongly unauthenticated, since the at cookie is missing. For context, we have a JWT token that is stored in the Keychain, and on app launch, before any WKWebViews are created, we synchronize this to the WKWebsiteDataStore as an at cookie. We have analytics instrumentation on our websitef to show that WKWebView randomly refuses to send out any cookies. – The following is a snippet from an explanation to the WebKit Slack: We are having an issue on iOS, in which WKWebView loads pages (and even subsequent reloads) without any cookies, even though we have stored cookies in WKWebsiteDataStore.default() before hand right after application launch and becoming a key window. We reference this object, store it as a singleton, (as well as a process pool), and then all webview configurations are initialized with the same data store, the same process pool, every call on the main thread. From reading the source code, it seems that if the internal IPC logic fails, the APIs for deleting and setting data records and cookies fail without any feedback in completion handlers. This bug often happens when returning from the background on iOS after a few hours. Sometimes it happens on cold launches of the app. We have mitigated a similar issue (no cookies being sent) by implementing webViewWebContentProcessDidTerminate and reloading the webview ourselves, we found that whatever webview does to reload if that method is not implemented leads to cookies not being used. There have been multiple reports of WKWebView losing cookies in recent iOS versions, and we have tried to implement all of the workarounds listed. Setting a maximumAge to the cookies we store, and doing a _ = await websiteDataStore.dataRecords(ofTypes: Set([WKWebsiteDataTypeCookies])) before accessing or modifying websiteDataStore.httpCookieStore Question: is it safe to work with WKWebsiteDataStore before a WKWebView is added as a view, if so are there any timing considerations? Are there any logs that we can take a look at, this issue is very hard to reproduce, about 2% of our users face it at scale? Is there anything that could be happening within our process (runloop issues, timing) that could be causing this issue? See multiple reports from other companies that have faced the issue: "Now the Thermonuclear Problem with WKWebViewDataStorage" https://medium.com/axel-springer-tech/synchronization-of-native-and-webview-sessions-with-ios-9fe2199b44c9 STEPS TO REPRODUCE They don't exist, because the issue only happens at scale. We just know that no cookies are sent for a small percentage of requests. We believe this to be an issue in which Webkit fails to communicate internally with whatever IPC mechanisms it has. We have not been able to reproduce this issue consistently. The best we can give is that it happens after a few hours that the app is in the background. This happens regardless of whether the WKWebsiteDataStore is persistent or not, but seems to be much worse when it is persistent. Thus we have disabled persistnet data stores and relied on nonPersistent. The issue is bad enough that we are trying to move away from relying on cookies for iOS and just use request headers which we can only set on the top level request of WKWebView. DTS Case-ID: 13154329

When trying to create an anchor with the download attribute it does not work for PDF files, it displays the files inline. Also when the download attribute is set the target attribute is ignored too. The tag: ... The behavior: It displaies the file in line. The correct behavior: The file should be downloaded and not displayed or at least displayed but with the "_blank" target (new tab). This is an issue when working with WebSockets which is closed when the file is opened inline.

Hello, Recently, there is an issue in my service that after typing korean at input element, first click event is not working. But i knew that other services are also having same problem. It happens only on Safari. Could you guys check this issue? Thank you.

Hi, we have PWA for which we´ve built a wrapper using PWA Builder tool and we are experiencing an issue with apple sign in. When we try to redirect the user to "https://appleid.apple.com/auth/authorize?...params...", a bottom sheet login prompt appears and only once the user signs in using the prompt he is then redirected to the url where he needs to sign in again and then we get the callback. We want to get rid of that bottom sheet prompt. The code we´ve tried: ` iosButton.addEventListener('click', function () { window.location.href = "https://appleid.apple.com/auth/authorize?client_id=xxxxx&redirect_uri=xxxxx&response_type=code%20id_token&scope=name%20email&response_mode=form_post"; });` The alternative code we´ve tried for which it seems that nothing happens, we only see the "Started" alert, we´ve confirmed that there is no other error : ` <script src="https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js"></script> <script> (function initAppleSignIn() { try { window.AppleID.auth.init({ clientId: "{{ env('APPLE_WEB_CLIENT_ID') }}", scope: "name email", redirectURI: window.location.origin +"/auth/apple/callback", usePopup: true }); } catch (e) { console.warn('Apple Sign-In init skipped:', e); } })(); function appleButtonClicked() { alert("Started"); try { const res = await window.AppleID.auth.signIn(); } catch (err) { alert("Got error"); } alert("Got here"); } </script>

Since iPadOS 18.x WKWebView seems to have a bug within its Fullscreen API (which can be enabled via WKPreferences.isElementFullscreenEnabled). This bug has the effect that websites trying to make an element (for example a video player) fullscreen fail to do so. This does not always happen, most of the time the fullscreen mode does work fine, but sometimes (far too often to be ignored) it does not. If an instance of WKWebView shows this issue, it can not be "fixed" by reloading the page or loading other pages, this issue exists in this instance forever. My App is a web browser App so I can create and remove WKWebView instance easily (by opening or closing Tabs). And there are times where I never see this bug, and times where ever other tab shows this bug. It's totally unreliable. The App does not show any issues at all when running under iPadOS 17 or older. The issue is only present under iPadOS 18.x. After some testing I've found out that when the bug has affected an instance of WKWebView, the JavaScript call element.requestFullscreen() will work if the element is a video element, but does no longer work if it is another element (like a DIV). If an instance of WKWebView is not affected by this bug, element.requestFullscreen() will work for all HTML elements. Does anyone has experienced this bug as well? And maybe found a workaround? Or maybe found a pattern which helps to find out what exactly is triggering this bug?

Even default Safari Web Extension project is not displayed on iOS 18.4 simulator ("No extensions installed"), so it's not possible to test extensions in simulator, only on real device.

I don't think the issue is specific iOS 18. We have a web application that runs with IIS Authentication of Windows and Anonymous. Initially the app opens and the user clicks a button and triggers the "401 Challenge" via ASP.NET. The browser presents the Active Directory login, user enters credentials, clicks Sign In, and the browser hangs (may actually be negotiating something). After a few minutes the user is logged into the application. We have done a number of google searches/AI to try to determine what to change and there is no clear solution. Is there anything else to try? This problem is not seen in Chrome on iOS or on a Windows machine. Strangely it is also not seen using BrowserStack with one of their "real" devices. We have other apps that run with just Windows Authorization and this problem is not observed.

When the “Use Strong Password?” dialog appears and I select “Not Now” to manually enter my own password, the password I type is displayed in plain text instead of being masked. Since the input field is of type="password", the entered characters should be hidden as is standard for password inputs. Is there a way to prevent this behavior and ensure that the password is properly hidden even after dismissing the strong password suggestion dialog?

"The Safari web extension packager enables you to package and distribute your Safari extensions using App Store Connect from any web browser, without requiring a Mac or access to Xcode." I upload the unzipped folder I'd test in Chrome://extensions to the Safari web extension packager in App store connect. I get error: Embedded binary's bundle identifier is not prefixed with the parent app's bundle identifier. The only solution i've seen to this error involves xcode/a mac, being without which doesn't help

We are seeing an issue in Safari on iOS 26 where the a automatic unfocus of on select box dismisses the second one. <select name="choice1" onblur="console.log('onblur1');" onfocus="console.log('onfocus1');"> <option value="first">First Value</option> <option value="second" selected>Second Value</option> <option value="third">Third Value</option> </select> <select name="choice2" onblur="console.log('onblur2');" onfocus="console.log('onfocus2')"> <option value="first">First Value</option> <option value="second" selected>Second Value</option> <option value="third">Third Value</option> </select> select something in choice1. quickly tap choice2 before onblur1 is logged. At the timing of onblur1 the selection menu for choice2 is dismissed. Anyone know how to fix this behavior?

We have a JavaScript api that queries our Secure Browser to get the network information – signal strength, network name, plugged in/wifi. Everything worked fine through the Tahoe betas, still does. Now we are getting on the network name and this is breaking our UI. Was this an intentional change or a bug? The other two properties still appear to be working. And it works in all lower MacOS versions. We are currently obtaining it through AppleScript try   set ssid to do shell script "system_profiler SPAirPortDataType | awk '/Current Network Information:/ {getline; sub(/^ +/, ""); sub(/:$/, ""); print}'"   if ssid is equal to "" then     return "Not connected to any Wi-Fi network."   else     return ssid   end if on error errMsg   return "Error: " & errMsg end try

I'm looking for answer or documentation on gatekeeper and launching a MacOS app via a url scheme/custom protocol. Our application is delivered via a zip file downloaded from the web. We utilize a url scheme. The act of extracting the app from the zip registers the url scheme with the OS. From previous research/testing we found we had to break the gatekeeper lock (have the user move the app from the downloaded location) to ensure that the url is honored on first launch of the application. To ensure user compliance, we added a check to make sure that the lock has been removed by looking at the quarantine attribute. This flow is not ideal. I am looking for alternatives and was previously under the impression that if we were to move to a DMG then that would provide the user a better user experience for moving it. However, now that I am getting around to looking into it, I am seeing some implied statements that this is not the case and that the quarantine bit will just be moved from the DMG to the app. Questions: Does a DMG allow the app to be launched via custom protocol without prior launch or movement? With a notarized app, will the custom protocol work on a subsequent launch, even without prior movement?

We’re encountering an issue when trying to add non-standard headers to outgoing requests using Declarative Net Request (DNR) rules in our Safari Web Extension. Tested on macOS 15.4 with Safari 18.4. Specifically, when attempting to add a custom header such as "X-Custom-Header" using a DNR rule, the header does not appear in the request. We are able to add standard headers like "Authorization" and "Cookie" to the request successfully using the same method. This behavior suggests that Safari may be filtering or blocking non-standard headers when set via DNR rules, unlike other browsers. In Chrome and Firefox, the same rule adds the "X-Custom-Header" header without any issue. We are looking for assistance in fixing these issues and having our Safari Extension function the same as it does in Firefox and Chrome.

I reported this bug one year ago in https://developer.apple.com/forums/thread/746406, but as it is not been fixed yet, I'm going to try by opening this new incident report. iOS is not working for the Unicode Variation Selector-15 (U+FE0E) for all the characters. Can you please apply that variation selector to all your Unicode characters? I) Steps to reproduce the issue: navigate in safari to the page https://eurovot.com/vs.htm II) Expected result: as the 1st column of characters have the Variation Selector-15 (U+FE0E) applied, and the 2nd column have the Variation Selector-16 (U+FE0F) applied, the first column should always display text characters (in orange) and the second column emoji characters. III) Error result: some characters are working fine in the 1st column and displayed as text (in orange colour), but some other aren't displayed as text, they wrongly displayed as emojis instead.

TLDR: I’m searching for a possibility to allow the usage of passkeys and hardware keys for any website in a wkwebview INFO: The browser is macOS ONLY Hi, I couldn’t really find documentation or forums posts on how to implement Webauthn for signin or hardware security keys for a second factor. Or rather where those events are triggered to be handled. In Safari you have that popover, that lets you either authenticate through Passwords or with a security key. When I visit webauthn.io for testing and click either register or authenticate I get Told not to present authorization sheet: Error Domain=com.apple.AuthenticationServicesCore.AuthorizationError Code=1 "(null)" ASAuthorizationController credential request failed with error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "(null)" If I add func webView(_ webView: WKWebView, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping @MainActor (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) and func webView(_ webView: WKWebView, authenticationChallenge challenge: URLAuthenticationChallenge, shouldAllowDeprecatedTLS decisionHandler: @escaping @MainActor (Bool) -> Void) it doesn’t seem to change anything. I found something about the ASWebAuthenticationSessionWebBrowserSupported entitlement, but by my understanding this is used so a browser can get opened upon some other app calling a ASWebAuthenticationSession. Has anyone some guidance for me? I feel like webauthn and yubikey support are important security measures for our users. https://codeberg.org/miakoring/Amethyst/src/branch/main/Amethyst/Shared/ViewComponents/WebKit/WebViewModel.swift is the code for my webviewmodel. Delegates are in the Delecate folder https://codeberg.org/miakoring/Amethyst/src/branch/main/Amethyst/Shared/ViewComponents/WebKit

I have a Safari extension that plays audio via the javascript AudioContext API. It was working fine under iOS 17 and is now broken under iOS 18. It does not play audio at all. I've tried in both the iOS 18 public beta and the iOS 18.1 developer beta. It is broken in both of them. I've also created Feedback item FB15170620 which has a url attached to a page I created which demonstrates the issue.

在 iOS 平台使用 WKWebView 通过file://协议加载本地 HTML 文件时，存储在localStorage中的数据会在 App 后台切换、进程重启后偶尔丢失；但相同代码在安卓 / 鸿蒙平台无此问题。 现在的文档 仅明确了「默认数据存储（defaultDataStore）可将网站数据持久化到磁盘，非持久化存储（nonPersistent）仅存内存」的基础规则； 未提及「file://协议内容即使使用默认持久化存储，也会被归为临时内存存储」这一关键场景限制； 仅在WKURLSchemeHandler关联说明中隐含「自定义 URL 协议可处理 WebKit 原生不支持的 URL 方案」，但未直接关联file://的存储问题。 我找不到如何处理这个问题的官方文档，仅仅有其他的博客说需要增加http/https加载就没有这个问题。 请提供给我官方文档或者官方回复 关于出现这种file:/加载html出现问题的处理办法

"The Referer header allows a server to identify referring pages that people are visiting from or where requested resources are being used. " This header is never forwarded to server when the user is browsing the website in a WebView. This is properly maintained by other browsers but not in-app. How do I include it?

A DNR rule with lower priority is being applied before a DNR rule of higher priority on Safari. Specifically, a low-priority DNR block rule that matches a request is being applied before a high-priority DNR redirect rule that matches the same request, preventing the redirect from occurring. The only way to get the high-priority redirect rule to occur is to remove the DNR block rule. This does not occur on other browsers. I have already submitted a Feedback Assistant report about this bug: FB16535579 How to reproduce: Create/install a web extension on Safari with the declarativeNetRequest and declarativeNetRequestWithHostAccess permissions Open the Web Extension Background Content console and add a redirect rule with a high priority number. For example: await chrome.declarativeNetRequest.updateDynamicRules({addRules: [ {id: 5000, condition: {urlFilter: "||www.google-analytics.com*/ga.js", resourceTypes: ["script"], domainType: "thirdParty"}, priority: 80, action: {type: "redirect", redirect: {url: “http://www.apple.com/”}}} ]}) Add a block rule of lower priority for the same urlFilter: await chrome.declarativeNetRequest.updateDynamicRules({addRules: [ {id: 5001, condition: {urlFilter: "||www.google-analytics.com^", domainType: "thirdParty"}, priority: 1, action: {type: "block"}} ]}) Visit https://efforg.github.io/privacybadger-test-fixtures/html/ga_surrogate.html Check the network tab and see that neither a request to Google Analytics nor apple.com appear. This means that the request to Google Analytics was blocked instead of being / before being redirected Remove the block rule: await chrome.declarativeNetRequest.updateDynamicRules({removeRuleIds: [5001]}) Reload https://efforg.github.io/privacybadger-test-fixtures/html/ga_surrogate.html. Check the network tab and confirm that there is a request to apple.com, showing that the redirect rule is only applied if the lower-priority block rule is removed. The priority of the DNR rules should handle this without having to remove a DNR rule. I have confirmed that the incorrect application of DNR rule priority happens on other top level domains, with other urlFilters, and with other redirect URLs. I confirmed that this is happening while I’ve granted my extension permissions on all websites.