Safari SOP bypass patched

A social thread reported a Same‑Origin Policy bypass affecting Safari and in‑app WebViews that was addressed in iOS 26.1 via Background Security Improvements. The note surfaced as part of recent security discussions about web integration on Apple platforms. (x.com)

Apple has patched a WebKit flaw that could let malicious web content break the web’s same-origin rule, using its new Background Security Improvements system. (support.apple.com) The same-origin policy is the browser rule that keeps one site from reading data loaded by another site, like keeping tabs in separate locked rooms. Apple’s advisory said the bug could let “maliciously crafted web content” bypass that protection because of a cross-origin issue in the Navigation API. (support.apple.com)

Apple published the fix on March 17, 2026, as iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a), and macOS 26.3.2 (a). The company assigned the issue CVE-2026-20643 and credited researcher Thomas Espach. (support.apple.com)

Background Security Improvements are Apple’s new channel for shipping smaller security fixes between full operating-system updates. Apple says the feature is supported starting with iOS 26.1, iPadOS 26.1, and macOS 26.1, and it is meant for components including Safari, WebKit, and other system libraries. (support.apple.com) That matters for Safari and in-app web views because WebKit is the engine underneath both. On iPhone and iPad, browsers and embedded web content rely on WebKit, so a WebKit bug can affect far more than the Safari app alone. (support.apple.com)

Apple said the flaw was fixed with “improved input validation” in the Navigation API. In plain terms, that means WebKit now checks web requests more carefully before allowing one page to act like it belongs to another. (support.apple.com)

The company also changed how these patches are delivered. Apple says content eligible for this system has been moved into cryptographically sealed “cryptexes,” which can be updated separately from the rest of the operating system. (support.apple.com) On Macs, Apple says Safari security improvements delivered this way can take effect as soon as Safari is quit and reopened, even before a full restart. On iPhone and iPad, the improvements activate on restart and need less battery than a standard software update. (support.apple.com)

Users can check the setting under Privacy & Security and leave “Automatically Install” turned on. Apple says turning the feature off delays those fixes until they are rolled into a later software update. (support.apple.com)

The patch closes a hole in one of the web’s basic isolation rules, and Apple is now delivering that kind of fix through a system built to move faster than full releases. (support.apple.com)
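To make the same-origin rule concrete, here is an added example (written for this page, not Apple's or WebKit's code) of the origin comparison a browser performs: two URLs share an origin only when scheme, host and port all match. It uses the standard WHATWG `URL` class, which both browsers and Node.js provide; `classifyNavigation` and its parameters are hypothetical names for a defensive check an application might run before letting a navigation target touch state that belongs to the current document, and the sample URL pairs are constructed.

```javascript
// Added example (not Apple's or WebKit's code): the same-origin comparison.
// Two URLs share an origin only when scheme, host and port all match.

function originOf(urlString, base) {
  // URL.origin already applies the rules that matter for the comparison:
  // default ports are dropped (https://a.example:443 -> https://a.example),
  // hosts are lowercased, and opaque schemes (about:, data:) yield "null".
  return new URL(urlString, base).origin;
}

function isSameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  // A "null" origin is opaque: it never matches anything, not even itself,
  // so content with such an origin must never be readable by another page.
  if (oa === "null" || ob === "null") return false;
  return oa === ob;
}

// Defensive use (hypothetical helper): before granting a navigation target
// access to state that belongs to the current document, confirm the target
// stays on the current document's origin. Relative targets are resolved
// against the current document, exactly as a navigation would resolve them.
function classifyNavigation(currentDocumentUrl, targetUrl) {
  const target = new URL(targetUrl, currentDocumentUrl).href;
  return isSameOrigin(currentDocumentUrl, target) ? "same-origin" : "cross-origin";
}

// Constructed sample pairs showing where the origin boundary lies.
const SAMPLE_PAIRS = [
  ["https://app.example/account", "https://app.example:443/settings", true],  // default port
  ["https://app.example/", "https://APP.example/", true],                     // host case
  ["https://app.example/", "http://app.example/", false],                     // scheme differs
  ["https://app.example/", "https://api.app.example/", false],                // subdomain differs
  ["https://app.example/", "https://app.example:8443/", false],               // port differs
  ["https://app.example/", "about:blank", false],                             // opaque origin
];

// Returns each pair with the expected and computed verdict side by side.
function runSamples() {
  return SAMPLE_PAIRS.map(([a, b, expected]) => ({
    a,
    b,
    expected,
    actual: isSameOrigin(a, b),
  }));
}

for (const r of runSamples()) {
  console.log(`${r.a} vs ${r.b}: ${r.actual ? "same-origin" : "cross-origin"}`);
}
```

The point of the sample pairs is that "same site" and "same origin" are not the same thing: a different port or scheme on the same hostname is already a different origin, and content with an opaque origin such as `about:blank` is treated as foreign even to itself. A bypass like the one Apple describes lets content on one side of that boundary act as if it were on the other, which is why the fix is about validating the navigation input, not about the page content itself.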
