The issue was addressed with improved checks. This issue is fixed in Safari 26.1, visionOS 26.1, watchOS 26.1, iOS 26.1 and iPadOS 26.1, tvOS 26.1. A malicious website may exfiltrate data cross-origin.
The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Safari | Apple | * | 26.1 (excluding) |
| Ipados | Apple | * | 26.1 (excluding) |
| Iphone_os | Apple | * | 26.1 (excluding) |
| Tvos | Apple | * | 26.1 (excluding) |
| Visionos | Apple | * | 26.1 (excluding) |
| Watchos | Apple | * | 26.1 (excluding) |
If a cross-domain policy file includes domains that should not be trusted, such as when using wildcards under a high-level domain, then the application could be attacked by these untrusted domains. In many cases, the attack can be launched without the victim even being aware of it.