fix: use legacy Safari push path only for existing legacy subscribers

sherwinski · sherwinski · commit 7dd974230aa7 · 2026-03-30T13:03:53.000-04:00
Safari 16.4+ supports standard Web Push (VAPID), but
`window.safari.pushNotification` was never removed. The SDK checked
for API existence to decide the push path, which routed ALL macOS
Safari users through the legacy flow — even on versions that fully
support VAPID. When the legacy push package validation fails (e.g.
invalid allowedDomains), this causes the error:
"Safari url/icon/certificate invalid or in private mode"

Now `useSafariLegacyPush()` checks the actual permission state: only
users who have already granted legacy push (with a valid deviceToken)
stay on the legacy path. New users on Safari 16.4+ are routed through
the standard VAPID flow via `useSafariVapidPush()`.
diff --git a/src/shared/environment/detect.ts b/src/shared/environment/detect.ts
@@ -19,8 +19,27 @@ export const supportsServiceWorkers = () => {
 
 export const windowEnvString = IS_SERVICE_WORKER ? 'Service Worker' : 'Browser';
 
-export const useSafariLegacyPush = () =>
-  isBrowser() && window.safari?.pushNotification != undefined;
+/**
+ * Returns true only when the user has an active legacy Safari push subscription.
+ *
+ * Safari 16.4+ supports standard Web Push (VAPID), but `window.safari.pushNotification`
+ * was never removed. Previously this function returned true whenever that API existed,
+ * which forced ALL macOS Safari users onto the legacy path — even on browsers that
+ * fully support VAPID. Now we check the actual permission state: only users who have
+ * already granted legacy push (and have a deviceToken) stay on the legacy path, because
+ * Safari doesn't support migrating from legacy push to standard web push.
+ */
+export const useSafariLegacyPush = (): boolean => {
+  if (!isBrowser() || window.safari?.pushNotification == undefined) {
+    return false;
+  }
+  const safariWebId = OneSignal?.config?.safariWebId;
+  if (!safariWebId) return false;
+
+  const { permission, deviceToken } =
+    window.safari.pushNotification.permission(safariWebId);
+  return permission === 'granted' && deviceToken != null;
+};
 
 export const supportsVapidPush =
   typeof PushSubscriptionOptions !== 'undefined' &&
