
Safari 26.5 Tightens Browser Defenses With Fresh CSS Tools and Dozens of WebKit Fixes

Apple shipped Safari 26.5 earlier this month. The update arrived quietly alongside iOS 26.5 and macOS updates. Yet it packs meaningful changes for web developers and security teams alike. Released on May 11 with security notes following two days later, the version targets macOS Sonoma and Sequoia users. It addresses 21 vulnerabilities while adding new web standards support.

Security came first. Apple Support lists 20 WebKit issues and one WebRTC flaw. Several could let crafted web content crash the browser or leak data. Others bypassed Content Security Policy. Researchers from around the world contributed. Teams like Cantina earned credit for two CSP-related fixes. Individuals such as Do Young Park, Mateusz Krzywicki of iVerify.io, and members of the Aisle offensive security team also appear. None of the flaws show signs of active exploitation. Still, the volume signals how heavily attackers probe the engine.

But Safari 26.5 offers more than patches. WebKit engineers delivered 63 bug fixes. This marks the largest May release yet, according to the team. Improvements touch SVG rendering, WebRTC handling, network behavior, text editing, and layout calculations. Scroll-driven animations now respect timeline ranges more reliably. Anchor positioning handles media queries and sticky elements with fewer surprises. Zoom levels no longer trigger unwanted layout shifts or text cutoffs. These tweaks reduce frustration for users and developers who push the browser hard.

Developers gain fresh CSS capabilities. The :open pseudo-class stands out. It styles the open state of

, , , and certain elements consistently. Previous approaches relied on the [open] attribute selector. That method failed for select menus and input pickers. The new pseudo-class changes the picture.

select:open { border: 1px solid skyblue; }

Jen Simmons, who wrote the WebKit blog post announcing these features, called it “a clean way to style the open state.” The change supports progressive enhancement. Browsers that don’t understand the pseudo-class simply ignore the rules. The elements continue to work.

Another update refines the random() function. Safari introduced it in version 26.2. The CSS Working Group later adjusted how named random values behave. Values such as random(--size, 100px, 200px) now produce a single global result shared across elements. This matches the updated specification. Developers who need per-element randomness can add the element-scoped keyword. The older element-shared option has been removed.

Consider two boxes that should share the same random width and height. The global behavior delivers that consistency without extra work. Need eight differently sized squares? Apply element-scoped. Each element draws its own value. Simmons noted the practical benefit: “If you want eight differently sized squares, you can now use the element-scoped keyword to scope the name to the element.”

SVG gradients received attention too. The color-interpolation attribute now supports linearRGB. Default behavior stays in sRGB. Switch to linearRGB and saturated colors transition more evenly. The difference appears most obvious in vibrant gradients. Accurate color math matters for designers who expect predictable results across browsers.

JavaScript and web APIs expanded. The ToggleEvent interface adds a source property. It references the element that triggered a popover or other toggle. Event listeners can now inspect what opened the UI. This detail proves useful for analytics or conditional logic inside handlers.

The Origin API arrived as well. It provides structured ways to create and compare origins. Developers avoid manual string parsing or pulling in the Public Suffix List for same-site checks. The API handles opaque origins gracefully. Comparisons that once returned null now behave predictably. One example from the WebKit blog shows constructing origins from a message event or a URL string, then testing isSameSite. The code reads cleaner. Security decisions become less error-prone.
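The kind of hand-rolled origin check this paragraph says the Origin API replaces, shown as an added JavaScript example (not code from the WebKit blog or Apple): a prefix match beside a tuple comparison that also refuses opaque origins. The allowed origin and the sample values are constructed for illustration, and the sketch uses the standard URL parser rather than the Origin API itself.

```javascript
// Added example: origin checks for a postMessage-style handler.
// ALLOWED and every sample origin below are constructed values.
const ALLOWED = "https://app.example.com";

// Weak: prefix matching on the serialized origin string.
// Any host or port that merely starts with the allowed text passes.
function weakCheck(origin) {
  return origin.startsWith(ALLOWED);
}

// Parse a serialized origin. Opaque origins serialize to "null" and
// malformed strings throw; both yield null here and are never trusted.
function parseOrigin(serialized) {
  if (serialized === "null") return null;
  try {
    const u = new URL(serialized);
    // Schemes without a tuple origin (e.g. data:) also report "null".
    return u.origin === "null" ? null : u;
  } catch {
    return null;
  }
}

// Strict: compare the normalized (scheme, host, port) tuple.
function sameOrigin(a, b) {
  const ua = parseOrigin(a);
  const ub = parseOrigin(b);
  if (!ua || !ub) return false; // two opaque origins are never equal
  return ua.origin === ub.origin;
}

function strictCheck(origin) {
  return sameOrigin(origin, ALLOWED);
}

const samples = [
  "https://app.example.com",           // exact match
  "https://app.example.com:443",       // default port, same origin
  "https://app.example.com.evil.test", // lookalike host
  "https://app.example.com:8443",      // different port
  "null",                              // opaque (sandboxed frame)
];
for (const o of samples) {
  console.log(o, "weak:", weakCheck(o), "strict:", strictCheck(o));
}
```

The lookalike host and the alternate port pass the prefix check but fail the tuple comparison, and two "null" origins never compare equal.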

TidBITS highlighted the security focus in its coverage. The publication noted that the 11 vulnerabilities addressed in Safari 26.5 had already been fixed in broader operating system updates. It advised users to install via Software Update at their convenience since no in-the-wild attacks are known. Some readers reported staggered rollouts. Apple Silicon Macs received the update alongside macOS 15.7.7 while certain Intel systems lagged briefly. The pattern reflects Apple’s phased deployment strategy for older hardware.

Security researchers and the developer community reacted quickly on X. Posts pointed to the WebKit blog and Apple’s notes. One Japanese account shared the feature list. Another highlighted the 21 CVEs. The conversation stayed technical. No major complaints surfaced about compatibility. That quiet reception suggests the changes land as refinements rather than disruptions.

Look closer at the vulnerability mix and patterns emerge. Many involve memory management. Use-after-free bugs and improper handling of crafted content appear repeatedly. One fix prevents an iframe from hijacking another site’s download settings. Another blocks apps from accessing sensitive data through insufficient protections. The CSP bypasses could have allowed malicious scripts to run in contexts meant to be restricted. Taken together, these patches harden the browser against common attack classes.

Web developers benefit from the standards alignment. The :open pseudo-class reduces reliance on JavaScript for simple state styling. Updated random() behavior matches other browsers that implement the same spec changes. SVG color interpolation brings Safari in line with expectations set by design tools. The Origin API simplifies cross-origin messaging logic that powers many modern web apps.

Yet the real story may lie in the bug fixes. Sixty-three corrections touch nearly every corner of the rendering engine. Scroll animations, grid and flex layouts, hanging punctuation, high-DPI cursor support, decompression streams. The list goes on. Each fix removes a small friction point. Over time those points add up to a noticeably more stable browser. Users who keep dozens of tabs open or rely on complex web applications stand to gain most.

Apple’s approach here follows a familiar rhythm. Feature additions travel alongside security work. The company publishes detailed release notes for developers and exhaustive security content for transparency. That combination builds trust. Enterprises can audit the changes. Developers can test against the new APIs immediately.

Broader context matters. This update coincides with iOS 26.5, which brought end-to-end encryption for RCS messages and other system improvements. Safari 26.5 shares the WebKit foundation, so many fixes apply across Apple’s platforms. The security content document for Safari explicitly calls out availability for both Sonoma and Sequoia. Older macOS versions miss these protections unless Apple backports them separately.

Future releases promise more. Safari Technology Preview builds already test later features. Spec work on CSS and web APIs continues. The Origin API, for instance, opens doors to better privacy controls in third-party contexts. Improved random functions could influence generative design tools that run in the browser. Each incremental release nudges the web platform forward.

For now, Safari 26.5 delivers a solid mix. Stronger defenses against memory exploits and policy bypasses. Practical new selectors and functions for authors. A long tail of layout and rendering corrections that make the browser more dependable. Professional users should install it. The risks of staying behind outweigh any minor adjustment period. And the new tools give front-end teams fresh options without waiting for the next major version.

Watch how adoption unfolds. Early feedback on forums and social channels remains positive. The gradual rollout on older macOS point releases appears to have smoothed out. Security teams will appreciate the detailed CVE list. Developers will experiment with :open and element-scoped in their next projects. Both groups get what they need from this release. That’s the quiet power of these point updates. They accumulate. They matter.

Safari 26.5 Tightens Browser Defenses With Fresh CSS Tools and Dozens of WebKit Fixes first appeared on Web and IT News.

awnewsor
