Cross-Origin Frame Access Issues on ios 18.5 #17158

@rodolfoBee

Platform

iOS

Environment

Production

Installed

Swift Package Manager

Version

8.47.0

Xcode Version

na

Did it work on previous versions?

No response

Steps to Reproduce

  1. Create a page served in domain app.domain.com and an embedded iframe that handles authentication served in auth.domain.com.
  2. Add the sentry SDK with replays enabled to the app.

SDK init:

_loaderInitConfig = {
  dsn: '***',
  tracesSampleRate: 1.0,
  replaysSessionSampleRate: 0.1, // -> 0.0
  replaysOnErrorSampleRate: 1.0, // -> 0.0
  autoSessionTracking: true, // -> false
  integrations: (defaultIntegrations) => defaultIntegrations,
  tracePropagationTargets: ['localhost', /^\//],
};

Expected Result

No errors.

Actual Result

When running on iOS 18.5, the following error is raised:

Blocked a frame with origin "https://app.domain.com" from accessing a frame with origin "https://auth.domain.com". Protocols, domains, and ports must match.

Current findings from the user:

  • The issue occurs only in iOS 18.5 Safari WebView (in our hybrid app environment).
    On macOS Safari 18.5, the same flow works without any problem.
    A critical API call made after an authentication process fails silently in iOS 18.5 WebView only when Sentry Replay is enabled.
    When Replay is disabled (replaysSessionSampleRate = 0.0, replaysOnErrorSampleRate = 0.0), the issue no longer occurs.
  • Our login process involves embedding a cross-origin iframe that handles authentication.
    After authentication completes, the parent page makes an API call, but in the problematic environment, the request does not reach the server.
    We suspect that the issue is related to how Replay captures or interacts with iframes in the iOS 18.5 WebView environment.
  • Since this issue only occurs in iOS 18.5 Safari WebView with Replay enabled, we suspect there may be a conflict caused by Replay’s internal mechanisms (such as iframe instrumentation or session capture logic).

The issue does not happen on iOS 18.3 or lower.

Reported in this internal ticket.

Are you willing to submit a PR?

No response
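
The error quoted above is the browser's same-origin check refusing a read from app.domain.com into auth.domain.com. As an added example (not code from this issue or from the Sentry SDK), the following shows how page code can apply that rule and probe an iframe without letting a SecurityError escape; `sameOrigin`, `probeFrame`, `auditFrames` and the fake frame objects are hypothetical names, constructed so the code runs under Node without a browser.

```javascript
// Added example; all names here are hypothetical, not part of any SDK.

// The rule quoted in the error: protocol, domain and port must all match.
function sameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  // URL.port is '' when the port is the scheme default, so ":443" equals implicit https.
  return ua.protocol === ub.protocol && ua.hostname === ub.hostname && ua.port === ub.port;
}

// Touch the frame's document while containing any SecurityError.
function probeFrame(frame) {
  try {
    const doc = frame.contentDocument || frame.contentWindow.document;
    return doc ? { readable: true } : { readable: false, reason: 'no document' };
  } catch (err) {
    return { readable: false, reason: err.name };
  }
}

// One row per frame: what the origin rule predicts and what the probe observed.
function auditFrames(pageUrl, frames) {
  return frames.map((frame) => ({
    src: frame.src,
    sameOrigin: sameOrigin(pageUrl, frame.src),
    ...probeFrame(frame),
  }));
}

// Constructed stand-in for an <iframe> element (assumption: mimics browser behaviour).
function fakeFrame(src, pageUrl) {
  const allowed = sameOrigin(pageUrl, src);
  return {
    src,
    get contentDocument() { return allowed ? { title: 'stub' } : null; },
    contentWindow: {
      get document() {
        if (allowed) return { title: 'stub' };
        const err = new Error('cross-origin frame access blocked (constructed)');
        err.name = 'SecurityError';
        throw err;
      },
    },
  };
}

const PAGE = 'https://app.domain.com/login';
const report = auditFrames(PAGE, [
  fakeFrame('https://auth.domain.com/signin', PAGE),
  fakeFrame('https://app.domain.com:443/widget', PAGE),
]);
console.log(report);
```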
