WebKit Bugzilla
Bug 301294
RESOLVED DUPLICATE of bug 301751
REGRESSION (iOS 26): Motion permissions not propagating to iFrames
https://bugs.webkit.org/show_bug.cgi?id=301294
evan
Reported
2025-10-22 13:41:22 PDT
In iOS 26, requesting motion sensor permissions from within an iFrame triggers the native permissions prompt, but once accepted, devicemotion events are never dispatched to the iFrame. This breaks motion-driven web experiences embedded in iFrames, even when permission is visibly granted. This regression is not present in earlier versions of iOS and only affects pages embedded in iFrames. Motion events work as expected when the same experience is loaded directly (not within an iFrame).

Steps to reproduce:
- Go to https://ios26-iframe.vercel.app/ on an iOS device running iOS 26+
- Click "Request Motion" from the iFrame
- Accept motion permissions
- Observe: No motion data received (devicemotion listener never fires)

For comparison:
- When the outer webpage is opened on an earlier version of iOS, motion data is received as expected: https://ios26-iframe.vercel.app/
- When the inner webpage is loaded directly (not within an iFrame), motion data is received as expected: https://8w.8thwall.app/iframe-debug

This issue affects all motion-enabled WebAR and XR content embedded in iFrames, including commercial campaigns and branded experiences. Workarounds (like requesting motion permissions from the parent frame) are not always possible for developers relying on third-party embed containers.
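One way for an embedded page to detect the state described in this report (prompt accepted, no devicemotion events) and tell its embedder, added here as an example and not code from the reporter or from WebKit. The 2-second timeout, the result strings, the message shape and `PARENT_ORIGIN` are assumptions.

```javascript
// Added example. `win` is any window-like object (pass `window` in a page),
// so the logic can also be exercised with a stub.

// Resolves to: 'unsupported' | 'denied' | 'error' | 'receiving' | 'granted-but-silent'
function probeMotion(win, timeoutMs = 2000) {
  const DME = win.DeviceMotionEvent;
  if (typeof DME === 'undefined') return Promise.resolve('unsupported');

  // Where requestPermission() exists (iOS Safari) it must be called from a
  // user gesture handler; where it is absent, no prompt is involved.
  const ask = typeof DME.requestPermission === 'function'
    ? DME.requestPermission()
    : Promise.resolve('granted');

  return ask.then(
    (state) => (state === 'granted' ? waitForFirstEvent(win, timeoutMs) : 'denied'),
    () => 'error'
  );
}

// Wait for one devicemotion event; give up after timeoutMs.
function waitForFirstEvent(win, timeoutMs) {
  return new Promise((resolve) => {
    let timer;
    function finish(result) {
      win.clearTimeout(timer);
      win.removeEventListener('devicemotion', onMotion);
      resolve(result);
    }
    function onMotion() { finish('receiving'); }
    win.addEventListener('devicemotion', onMotion);
    timer = win.setTimeout(() => finish('granted-but-silent'), timeoutMs);
  });
}

// Report the outcome to the embedding page so it can show a fallback.
// PARENT_ORIGIN is a placeholder: pin it to the real embedder origin
// rather than '*', so the state is not disclosed to an unexpected parent.
const PARENT_ORIGIN = 'https://parent.example';
function reportToParent(win, result) {
  win.parent.postMessage({ type: 'motion-probe', result }, PARENT_ORIGIN);
}
```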
evan
Comment 1
2025-10-22 14:30:34 PDT
This is impacting a major commercial experience for Coca-Cola, among others:
https://www.coca-cola.com/us/en/offerings/star-wars/holocreator
Alexey Proskuryakov
Comment 2
2025-10-22 14:44:16 PDT
Thank you for the report, and particularly for the test case! This will need deeper analysis by experts, however I will add a couple notes:

- I'm observing what seems like even more broken behavior. After reproducing once, on subsequent tries I see the permissions getting immediately denied without even showing a dialog. And if I force relaunch Safari, then the dialog shows up, but the permission gets denied even when I tap Allow (I don't think that this happened on the first try, but I can't be certain, as I don't see how to reset the state).
- Cross origin frame permissions are intrinsically tricky, as it's not feasible for the user to understand which entity it's giving the permission to.
Radar WebKit Bug Importer
Comment 3
2025-10-22 14:44:21 PDT
<rdar://problem/163218053>
Darren
Comment 4
2025-11-10 03:21:26 PST
Hi, so happy to have found this, we're experiencing the same issue. I hope this helps.

Context: The problem we are facing is that requesting Gyro permissions through an iFrame (hosted on a different domain) simply does not work, with no real error. Previous versions of iOS work, and Android works.

Setup: I have created a testbed to validate this issue using two of my personal domains. Please do not distribute these domains, this is purely to test. The testbed is set up as follows:

The “host” page - which is the main page you look at going into https://sensors.outdev.io/ which contains the following:
- Step 1 - Request Permissions - This simulates requesting the permissions on the HOST and passing it through to the CLIENT iFrame
- Step 2 - iFrame Configuration - This sets where the CLIENT is loaded from, as well as what format to pass in the permission requests
- Step 3 - Initialize iFrame - I did not want the iFrame to be mounted on page load to give us the ability to change parameters.
- [ Console Output ] - The console output of the HOST site
- [ iFrame View ] - The actual iFrame rendered

The “client” page - which is the sub-page the iFrame loads which captures the device’s Gyro and displays the live motion updates within the page, as well as displays the camera output
- [ Camera Output ] - When camera is turned on you’ll see the output here
- Controls - This is where you can activate the Camera and the Gyro tracking [ Assumes permissions are inherited, otherwise it will request ]
- [ Gyro Output ] - When the Gyro works, this will display information

Note: Please navigate to the above “Host” url on a device that has Gyro (such as an iPhone). There is no tracking and no analytics. The Host and Client website are as minimal and simple as possible, you can see all the code used when inspecting the source.

How to quickly reproduce this issue:
- On a device with iOS 26 on, navigate to https://sensors.outdev.io/
- Scroll down to Step 3 and click “Open Sensor Iframe”
- Once loaded, scroll down the Client site to [ Controls ] and click the “Start Gyro” button
- Scroll down to see the output of gyro

Actual result:
- Gyro output does not show any values and is not updated

Expected result:
- Gyro output updates live with current motion values
Josselin Guillozet
Comment 5
2025-11-14 01:21:59 PST
This bug also impacts our service. We can't receive any motion events even after requiring permission in the iframe behind a user gesture.
Alexey Proskuryakov
Comment 6
2025-11-14 09:13:20 PST
This somehow got fixed through a different bug, duping.

*** This bug has been marked as a duplicate of bug 301751 ***
Darren
Comment 7
2025-11-14 09:31:51 PST
Hey @Alexey - thanks for the update! I'm not too clued up on the process here, when it's marked as resolved does that mean the fix is released? Do I just need to update the OS?
Darren
Comment 8
2025-11-14 09:32:04 PST
Hey @Alexey - thanks for the update! I'm not too clued up on the process here, when it's marked as resolved does that mean the fix is released? Do I just need to update the OS?
Alexey Proskuryakov
Comment 9
2025-11-14 09:48:14 PST
It is not released yet, just landed in the WebKit open source repository two weeks ago. We don't discuss future Apple releases here, so I won't be able to answer questions about ETA.