Ask HN: Safari Safe Browsing false positives persist after Google clears domain

Numbness · 11 days ago
Safari maintains two independent Safe Browsing databases:
- Apple/social_engineering,any_platform,url_expression (Apple-proprietary, 943 KB)
- Google/social_engineering,osx,url_expression (Google's list)

The sync appears one-directional: Apple copies additions from Google but does NOT process deletions. A domain cleared by Google Safe Browsing remains permanently blocked in Safari with no automated removal path.

Reproduction:
1. Navigate to https://openvan.camp/ in Safari → full-screen red "Fraudulent Website Warning"
2. Same URL in Chrome/Firefox/Edge → no warning
3. Delete ~/Library/Caches/com.apple.Safari.SafeBrowsing/ → relaunch Safari → warning reappears immediately from fresh DB download

All external databases show clean:
- Google Safe Browsing: clean
- VirusTotal: 0/65 vendors
- URLVoid: 0/35 engines
- Spamhaus DBL, Gridinsoft, FortiGuard: removed/clean

Sysdiagnose confirms Safari connects to mask.icloud.com via OHTTP/QUIC every ~30 min (HTTP 200, ~450ms) yet Apple's list retains the entry on every refresh cycle. This is not a caching issue — it is a missing deletion mechanism in Apple's proprietary feed.

The original flag (March 2026) was caused by a third-party ad network (Adsterra) serving malicious redirects. It was removed on March 18. All remediations completed. websitereview.apple.com submitted March 18 — no response after 6 days.

WebKit Bugzilla: https://bugs.webkit.org/show_bug.cgi?id=310606
Apple Radar: rdar://173213501

Has anyone else hit this? Is there any known escalation path beyond websitereview.apple.com?
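
Both list names in the post end in url_expression. As an added example (not part of the original post, and not Apple's or Google's code), this sketch derives the host-suffix/path-prefix expressions and 4-byte SHA-256 prefixes that Google's published Safe Browsing v4 hashing scheme defines for a URL, which is what a site owner would compare against a list's hash prefixes. That Apple's own list uses the same scheme is an assumption, and canonicalization here is reduced to lowercasing the host and dropping scheme, port and fragment.

```python
import hashlib
from urllib.parse import urlsplit

def host_suffixes(host):
    """Exact host plus up to four suffixes taken from its last five labels."""
    if host.replace(".", "").isdigit():      # IPv4 literal: exact host only
        return [host]
    labels = host.split(".")
    out = [host]
    for i in range(max(1, len(labels) - 5), len(labels) - 1):
        out.append(".".join(labels[i:]))     # never the bare top-level label
    return out

def path_prefixes(path, query):
    """Exact path with and without query, then '/', '/a/', '/a/b/', ..."""
    out = [f"{path}?{query}"] if query else []
    out.append(path)
    prefix = "/"
    candidates = [prefix]
    for d in path.split("/")[1:-1][:3]:      # at most four directory prefixes
        prefix += d + "/"
        candidates.append(prefix)
    for c in candidates:
        if c not in out:
            out.append(c)
    return out

def url_expressions(url):
    """Host-suffix x path-prefix combinations (simplified canonicalization)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").strip(".")  # urlsplit lowercases the host
    path = parts.path or "/"
    return [h + p for h in host_suffixes(host)
            for p in path_prefixes(path, parts.query)]

def hash_prefixes(url, length=4):
    """Map each expression to the hex of its truncated SHA-256 digest."""
    return {e: hashlib.sha256(e.encode()).digest()[:length].hex()
            for e in url_expressions(url)}

if __name__ == "__main__":
    # URL taken from the post's reproduction steps.
    for expr, prefix in hash_prefixes("https://openvan.camp/").items():
        print(prefix, expr)
```

A flagged entry may match any one of these expressions, so a block on a single path or on a parent domain still triggers the warning for the full URL.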