Preface: Since the vulnerability has not been described in detail, and based on my interest in the topic, specific details are shown in the attached diagram.
Background: The Navigation API is a standard, modern web platform API, not specific to WebKit’s internal code, but implemented by WebKit (and other browser engines like Chromium and Gecko) for use by web application developers.
To implement the Navigation API in a WebKit-based environment (like Safari) while adhering to the Same-Origin Policy (SOP), you must focus on intercepting and managing navigation events within the same origin.
The Navigation API is designed to work strictly within the current browsing context and only exposes history entries with the same origin (matching protocol, host, and port) as the current page.
Related Mechanisms – Developers can use controlled mechanisms to relax the SOP when legitimate cross-origin communication is necessary, such as window.postMessage(): a method for securely communicating between scripts in different windows or iframes regardless of their origin, using message passing.
Vulnerability details: A cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2. Processing maliciously crafted web content may bypass Same Origin Policy.
CWE-346 is a logic failure where the code tries to check the origin but does it incorrectly (e.g., in this WebKit case, validating the host but ignoring the port).
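The difference between a host-only check and a full origin comparison (protocol, host, and port), shown as an added example that is not WebKit's code or Apple's fix. The function names, the sample URLs, and the idea of filtering a list of history entries are assumptions made for illustration.

```javascript
// Added illustration: names and URLs are constructed; this is not WebKit code.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Return the (scheme, host, port) tuple, or null for schemes such as data:
// that have an opaque origin and must never compare equal to anything.
function originTuple(urlString) {
  const u = new URL(urlString);
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  // URL drops a default port, so fill it back in to compare explicit and implicit forms.
  return { scheme: u.protocol, host: u.hostname, port: u.port || DEFAULT_PORTS[u.protocol] };
}

// Flawed check of the kind CWE-346 covers: only the host is compared.
function sameOriginHostOnly(a, b) {
  return new URL(a).hostname === new URL(b).hostname;
}

// Full check: scheme, host and port must all match.
function sameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  if (x === null || y === null) return false;
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Hypothetical helper: which history entries a page at `current` may see
// under a given origin check.
function visibleEntries(current, entries, check) {
  return entries.filter((entry) => check(current, entry));
}

// Constructed sample data.
const CURRENT = "https://app.example.test/inbox";
const HISTORY = [
  "https://app.example.test/settings",   // same origin
  "https://app.example.test:8443/admin", // different port
  "http://app.example.test/legacy",      // different scheme
  "https://other.example.test/",         // different host
];

console.log("host-only:", visibleEntries(CURRENT, HISTORY, sameOriginHostOnly));
console.log("full tuple:", visibleEntries(CURRENT, HISTORY, sameOrigin));
```
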
Impact: An attacker could use maliciously crafted web content to bypass SOP entirely, potentially accessing sensitive data from other sites, such as session tokens or credentials.
Official announcement: Fix – Apple addressed this in March 2026 through its new Background Security Improvements system for iOS 26.3.1 and macOS 26.3.1.