GitLab Duo

GitLab Duo AI

GitLab Duo AI

GitLab Duo AI

GitLab Duo AI

GitLab Duo AI

GitLab Duo AI

GitLab Duo AI

GitLab Duo AI

GitLab Duo AI

GitLab Duo AI

Why is no one talking about the fact that Artifacts are not loading in mobile apps, either for Android or iOS?

Here's what Claude itself dug up on this topic # Why Claude Artifacts Fail to Load in the Claude iOS App — Research Findings (May 2026) ## Direct Answer The failure you are seeing on iPhone — where even a one‑line ` Hello World ` HTML artifact or a trivial React component hangs and then shows *“Loading is taking longer than expected / There may be an issue with the content you’re trying to load / The code itself may still be valid and functional”* — is **not a bug in the code you (or Claude) wrote**. It is a known, structural limitation of how the Claude iOS app renders artifacts inside its embedded WebView. The artifact sandbox iframe (served from `claudeusercontent.com`) is unable to complete its `postMessage` handshake with the host page when the host is the iOS app’s WKWebView rather than the `https://claude.ai\` browser origin, so the iframe stays empty and the app eventually times out with the generic “loading is taking longer than expected” message. Multiple independent sources in early 2026 explicitly describe Claude’s mobile apps as having “restricted” or “no” artifact rendering support, and Anthropic’s own Help Center quietly scopes the more advanced artifact features (“MCP integration” and “persistent storage”) to *“Claude web and desktop”* only — mobile is not listed. There is no hidden toggle in the iOS app that fixes this; the only reliable workarounds are to view the artifact in mobile Safari (logged in to claude.ai) or to switch to the desktop browser / Claude Desktop app. ----- ## 1. The Root Cause: WebView Origin Mismatch in the `postMessage` Handshake Every Claude artifact — HTML or React — is rendered inside a cross‑origin sandbox iframe loaded from `https://www.claudeusercontent.com\`. Before that iframe will execute or display anything, it performs a `postMessage` “handshake” with the parent page to confirm that the parent is a legitimate, trusted Claude surface. The handshake code (visible in the minified bundle as `requestHandshake()` in `7905-…js`) calls `window.postMessage(..., targetOrigin)` and expects the parent’s origin to be `https://claude.ai\`. A bug report filed against Anthropic on April 1, 2026 (GitHub issue [anthropics/claude-code #42064](https://github.com/anthropics/claude-code/issues/42064), “Published artifacts show blank screen — postMessage origin mismatch (app://localhost)”) documents the exact failure pattern in detail. The console errors observed are: ``` Uncaught SyntaxError: Failed to execute 'postMessage' on 'Window': Invalid target origin 'app://localhost' in a call to 'postMessage'. at 7905-1f7e271de70b4d3c.js:1:6920 (requestHandshake) Failed to execute 'postMessage' on 'DOMWindow': The target origin provided ('https://www.claudeusercontent.com') does not match the recipient window's origin ('https://claude.ai'). ``` The critical phrase is **`app://localhost`**. That is the custom URL scheme used by Capacitor‑/Ionic‑style hybrid iOS apps when they load their bundled web assets inside a `WKWebView` (Android equivalents are `https://localhost` or `capacitor://localhost`). When the Claude iOS app loads the chat UI inside its WebView, the document origin is *not* `https://claude.ai\` — it is something like `app://localhost`. When the artifact iframe then tries to `postMessage` back to its parent using `https://claude.ai\` as the expected origin, the browser engine refuses to deliver the message because the actual parent origin doesn’t match. The handshake never completes, the iframe never receives its bootstrap payload, and the iOS app’s UI eventually surfaces the timeout fallback you are seeing. This explains every part of the symptom set: - It happens with the simplest possible artifacts (a single ` ` tag) because the failure is at the *transport / handshake* layer, before the artifact’s actual content is ever evaluated. - It happens identically for HTML and React artifacts (they share the same sandbox iframe loader). - It works in desktop browsers, because there the parent origin is the expected `https://claude.ai\`. - The error message even concedes the point: *“The code itself may still be valid and functional”* — Anthropic’s own UI is admitting it never got to run the code. The same class of issue is well documented by hybrid‑app developers more generally: Capacitor’s WKWebView serves the app from a custom scheme, and cross‑origin iframe `postMessage` calls fail with errors like *“Blocked a frame with origin ‘https://domain.com’ from accessing a frame with origin ‘capacitor://domain.com’. The frame requesting access has a protocol of ‘https’, the frame being accessed has a protocol of ‘capacitor’. Protocols must match.”* (Capacitor issue #5225). iOS’s WKWebView, since iOS 14, also enables Intelligent Tracking Prevention for third‑party iframes by default, further restricting cross‑origin iframe behavior. In short: this is an architectural mismatch between (a) Anthropic’s artifact sandbox, which was designed to be embedded only in t