ASWebAuthenticationSession cookie

I'm porting a Chrome extension to Safari. All works well besides the auth flow, which uses SameSite=Strict cookies. On Chrome, such cookies are easily set and work as expected, but not on Safari. Now, as I understand, technically, requests from chrome-extension:// and safari-web-extension:// origins are cross-site in relation to the server, which makes me think that on Chrome, the SameSite=Strict attribute is simply ignored as an exception for extensions. With that said, the backend team wants to keep the attribute for security reasons and so removing it or replacing it with SameSite=None isn't an option. Is this an intended behavior of Safari or a bug? Is there a way to get around this without changing the attribute?

It all started an hour ago when I tried to download the Network Link Conditioner (I need to test the macOS application I'm developing with a slower network connection). I went to XCode > Open Developer Tool > More Developer Tool. It opens a Sing In page for apple developer. When I sign in with my account, it just refreshes the page and asks me to Sign In all over, stuck in a loop. Otherwise, I'm able to Sign In to all the other parts of the developer website, I have an active membership, all license agreements are up to date. Apple's status site shows everything operational. What I tried: Clearing cookies & cache Different browsers (including Safari) Updating & restarting everything Navigating from https://developer.apple.com/download/ to More tab on the website instead of going through XCode Signing in with a passkey instead of a password Tried using a VPN Going to the Developer Support page (https://developer.apple.com/support/) and trying to press Get Started to reach out to support

Hi,One of the features of a browsing component am working on is to allow users to visit a potentially dangerous site (with a self-signed certificate for example) after being shown a warning explaining the dangers of said site and so on.Have successfully allowed this by implementing the `WKNavigationDelegate` method:func webView(_ webView: WKWebView, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void)and returning a `URLCredential` using the `URLCredential(trust: someTrust)`, where `someTrust` is found in the challenge's protection space and the authentication method matches `NSURLAuthenticationMethodServerTrust`The problem I am having is that the browsing component is also supposed to be able to clear any currently trusted sites without losing the current back/forward list.Short of blowing away the `WKWebView` instance and initializing a new one with a new `WKWebViewConfiguration`, I am unable to acheive this. Am tryi

We are relying on ASWebAuthenticationSession to do web authentication. Since the API doesn't support POST requests directly we have to generate local file in ~/Library/Application Support//WebAuth.html containing the POST and use initial URL as file:///Users//Library/Application%20Support//WebAuth.html Problem is that Safari sometimes pops a dialog Confirm the file to load and sometimes it doesn't. This doesn't depend on Full Disk access TCC. Does anybody know a way to prevent this from happening? MDM option or something? Also styling of the popup is a rather poor UI choice - looks very confusing and like the user may choose another file to load. Chrome f.e. doesn't do such popups. I already have FB13340210 for this.

Hi, Getting reports from a client that they are being asked to re-login to their PWA (saved to their home screen) whenever they turn off their iPads for periods of 1-2hrs and then turn it back on again. Just noting, this isn't related to the 7 day cap on cookie data in webkit as we've already addressed this. I've tested just turning it off for a few minutes on a standard iPhone with iOS17 but don't experience the same issue. Does anyone know if it is part of iOS's device restart to clear PWA cookies etc. if the device has been off for a long time? The only other avenue I can think of is that the client's devices may have some MDM setting for this. Thanks in advance.