In our macOS SystemExtension, we are using Network.framework for creating web socket connection to our remote WSS server. We provide authentication token in cookies of the connection and websocket server validates it before upgrading the connection from HTTP to WebSocket. If the cookie is invalid, server returns 403 HTTP status code and closes the connection. When server returns 403, in Big Sur and Monterey, we get state update of failed(let error) where error is NWError.posix(.ECONNABORTED). However, in Ventura, we are getting state waiting(let error) where error is NWError.posix(.ECONNABORTED). As per documentation, waiting state should be received if there is any network error in establishing the connection and connection goes into waiting for network path change. But in this case, TCP connection to server is established, HTTP headers are received and validated by server and then get rejected. So shouldn't this result into connection failed instead of waiting? This behaviour has only chan
Search results for
ASWebAuthenticationSession cookie
1,295 results found
Selecting any option will automatically load the page
Post
Replies
Boosts
Views
Activity
It depends on what you're looking for. Do you want to use FIDO as an unphishable second factor to be added to a phishable first factor (e.g. a password)? Or are you looking to wholly remove phishability from accounts and use FIDO as a single factor? Do you want biometrics because theft of an unlocked device is one of the primary ways your accounts are getting compromised today, or because it checks a box about another factor? Does it have to be built in to the device, or do biometrics on an external security key meet these requirements? If you don't need something built in to the device, security keys have been around since long before passkeys. Safari introduced support for them a few years ago (so they work in SFSafariViewController and ASWebAuthenticationSession) and we introduced native API for them in iOS 15. If you have a requirement that is literally biometrics, you can enforce that only security keys with biometrics are used via attestation (though before you do so, you should consider the ex
Topic:
Privacy & Security
SubTopic:
General
Tags:
Any update on this? We use a webview to perform login and the webview shows a cookie banner, but we don't use those cookies to track.
Topic:
App & System Services
SubTopic:
Core OS
Tags:
Hi, I want to implement FIDO based biometric authentication in our app. I don't want to use passkeys because they are only compatible with iOS 16 and higher. Is there a way to use it through the SFSafariViewController, a web view, ASWebAuthenticationSession or any another method?
Topic:
Privacy & Security
SubTopic:
General
Tags:
Local Authentication
Security
Authentication Services
Hi Team, The User Enrollment introduced by Apple back was really great I was trying to test out that .As per the implementation details provided by apple for Simple Authentication - User Enrollment Flow. Below are the steps I followed to implement it. Step 1) Making a /.well-known/com.apple.remotemanagement url and sending a json as for byod which apple has detected successfully. Step 2) Apple making a POST request to BaseServer URL of MDM to get enrollment profile ( At this Step as there is not Authorization header I sent a 401 with WWW-Authenticate header with scheme and url as mentioned by apple) Step 3) Apple has requested With GET to get the html page to show to the user from the url mentioned in WWW-Authenticate header. Step 4) Here there is a tweak the HTML page I actually shown doesn't contains any form as it is for testing purposes. I Simply had a button which upon clicking sends a POST to my url with empty JSON using axios library where from the server I sent a 308 redirect with Location header as m
When opening a session to log into my website, there is, if exists, information stored in IndexDB we are trying to access from a previous session. Ideally, information from living in Safari, but would settle for information in the parent app or instance. My understanding was information 'like cookies' was available, but documentation is seemlingly vague around this topic. I have struggled to find anything explaining the availability of IndexDB specifically, although it does work in one case (I'm about to experiment with it, so I just know of one now). Upon first loading of the page, a get call: const ids: string[]; const results = await this.db.entities.bulkGet(ids); In the logs, I see there is this error: _e: Error: Error name: AbortError message: The operation was aborted. AbortError: The operation was aborted. inner: DOMException: The operation was aborted. Immediately after, because there is supposed to be some result from the database, the site creates a new entity, and stores it with no issue.
From a Hybrid Cordova app, we are attempting OIDC authentication by opening the authentication URL in SFSafariViewController. Once login is successful, the session cookie is set by the server. The Cordova app then dismisses SFSafariViewController and the authentication code is passed to the app for validation. Next time when the OIDC URL is launched again in SFSafariViewController, the session cookie is missing. We can see that cookies that are correctly set by the server in set-cookie header but are not sent by safari in the subsequent calls. This issue does not happen all the time. And it is not specific to any device model. We faced the same issue earlier in iOS 14.6 and posted a query https://developer.apple.com/forums/thread/684675 and could see others facing the same problem as well https://developer.apple.com/forums/thread/663533 but the issue got fixed on its own in the next iOS update. It has resurfaced again in the latest version (16.0.2) Not sure if any update do
If you do not collect cookies for tracking purposes on iOS ... revise them to clarify you do not track users. Do this. (Are you hosting the Matomo server instance yourself?)
Topic:
App Store Distribution & Marketing
SubTopic:
General
Tags:
But we cannot remove the cookie prompt, because it's required for GDPR compliance. I don't think so. AFAIK, if you do not use cookies, you don't have to ask. https://gdpr.eu/cookies/ To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must: Receive users’ consent before you use any cookies except strictly necessary cookies. Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received. Document and store consent received from users. Allow users to access your service even if they refuse to allow the use of certain cookies Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place. My reading of first bullet is that you need to ask only when you use cookies. Be cautious though: your site may set cookies that you don't know. There are tools to check if yo
Topic:
App Store Distribution & Marketing
SubTopic:
General
Tags:
Hi, We have a client portal app, synching data with a CRM. The last version of our app has been refused for this reason : We noticed your app accesses web content you own where you collect cookies. Cookies may be used to track users, but you do not use App Tracking Transparency to request the user's permission before collecting data used to track. Thing is : we collect data for audience measuring only (using Matomo) ; there is no advertising, and no data-broker involved, no other 3rd-parties ; we do prompt users either to accept cookie or not, only to be compliant with GDPR ; we did not implement the App Tracking Transparency notification though. It's unclear to decide what we must do. The answer of Apple is : If you do not collect cookies for tracking purposes on iOS, remove the cookie prompts or revise them to clarify you do not track users. But we cannot remove the cookie prompt, because it's required for GDPR compliance. Any idea of how we can solve th
I want to save cookies in my webview ios app and then use the cookies everytime the user opens the app. For example autologging in after user enters their login info once in the webview app. Here is how some of the code looks like: override func viewDidLoad() { super.viewDidLoad() view.addSubview(webView) guard let url = URL(string: domain.com) else{ return } webView.load(URLRequest(url: url)) webView.customUserAgent = iphone/Safari/SomethingRandom DispatchQueue.main.asyncAfter(deadline: .now()+5){ self.webView.evaluateJavaScript(document.body.innerHTML){ result, error in guard let html = result as? String, error == nil else{ return } print (html) } self.webView.configuration.websiteDataStore.httpCookieStore.setCookie(self.cookie) for cookie in self.cookies { self.webView.configuration.websiteDataStore.httpCookieStore.setCookie(cookie) } } } let cookie = HTTPCookie(properties: [ .domain: example.com, .path: /, .name: MyCookieName, .value: MyCookieValue, .secure: TR
Same issue. Lack of docs around this is pretty terrible. The best I've found is this (search for 7-day): https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/ Additionally, Safari desktop doesn't appear to support Add to Home Screen...so that seems to imply that people using a offline first web app on Safari Desktop will always be at risk for data loss. Unacceptable! I have experimented with using the StorageManager persist option with Safari Desktop in order to mark persistence as protected. However, it appears this gets reset when the browser closes and again there's a lack of documentation so it's not even clear if this would help protect against the 7-day ITP timer. Without more documentation and clear direction from Apple, I'm basically forced to tell my users not to use Desktop Safari :(
Topic:
Safari & Web
SubTopic:
General
Tags:
Been happening for about 3 weeks. Cleared cache and cookies. I've logged out and back in and rebooted my laptop. Also tried both safari and chrome. My coworkers had the same problem a couple of months ago, and it just resolved itself. Repro steps Login to app store connect tap on testflight tap on any screenshot feedback. With feedback open, I can only see Open in Xcode and OK buttons. Expected behavior :to have access to a delete button. Actual : nly see Open in Xcode and OK buttons.
Repro steps Go to App Store Connect Tap on TestFlight Under External Testing, Tap External Testers It briefly looks like its going to show me the list of external testers. The browser spins, and takes me to appstoreconnect.apple.com and the only options I see are the My Apps icon and the Users and Access icon. If I click My Apps, I can tap on our app. Taken back to our dashboard. I've tried clearing cache and cookies, logging out and restarting my computer. It's been like this for about 3 weeks. Affects both Safari and Chrome.
I love Apple. I am on safari version 16. I am loyal to Apple and use safari. I am also at university and Pearson is colluding with google chrome, the e-books work way better on there. Screen time does not work well in beta on chrome (they refuse to fix it). So my only solution is to remove cookies on safari (even then, reading the textbook is hard, and I need to reload it every couple of minutes). MANY PEOPLE STRUGGLE WITH THIS. I should be able to access my e-book with whatever browser I want. Apple is committed to helping students and has helped with compatibility before. They should partner with Pearson so safari can work with their e-books. It causes students only to use chrome (which does not work with screen time). They are infringing on the apple environment. My help post got taken down on the help forum, and they told me to post here. How can I clear cookies when I have screen time active? It does not work for some reason even though it goes through the process. They say they are gon