I am currently experiencing strange behavior with 302 redirects and cookies. Safari seems to execute a 302 redirect immediately after reading the Location header and before evaluating the following Set-Cookie header. On some devices in Browserstack it works, on others, it doesn't. The cookie is still read, but it is only available for the following requests, not yet for the redirect itself. Since this happens during the login, the first request after the login results in a 403, but reloading helps. It is not a general problem since it works on some devices that use the exact same OS and Safari version. Presumably, slower devices work. Is there a way to change this behavior or do I need Safari to be fixed by Apple?
Search results for
ASWebAuthenticationSession cookie
1,297 results found
Hello everybody, I'm having a hard time trying to figure out what is going on with my socket filter. For testing I wrote a simple echo client/server in python: the client sends a random blob to the server, the server then sends the blob back to the client, which then verifies it. The problem happens when the amount of data I'm trying to send exceeds 500KB. Following is the error (stacktrace) I'm getting:
(lldb) bt
* thread #5, name = '0xffffff8021440d48', queue = '0x0', stop reason = EXC_BREAKPOINT (code=3, subcode=0x0)
  * frame #0: 0xffffff8014f79a7a kernel.development`panic_trap_to_debugger [inlined] current_cpu_datap at cpu_data.h:401 [opt]
    frame #1: 0xffffff8014f79a7a kernel.development`panic_trap_to_debugger [inlined] current_processor at cpu.c:220 [opt]
    frame #2: 0xffffff8014f79a7a kernel.development`panic_trap_to_debugger [inlined] DebuggerTrapWithState(db_op=DBOP_PANIC, db_message=<unavailable>, db_panic_str=m_free: freeing an already freed mbuf@/BuildRoot/Library/Caches/com.apple.xbs/Sources/xnu/xnu-4570.71.13/bsd/kern/
Hi, One of the features of a browsing component I am working on is to allow users to visit a potentially dangerous site (with a self-signed certificate for example) after being shown a warning explaining the dangers of said site and so on. Have successfully allowed this by implementing the `WKNavigationDelegate` method: func webView(_ webView: WKWebView, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) and returning a `URLCredential` using the `URLCredential(trust: someTrust)`, where `someTrust` is found in the challenge's protection space and the authentication method matches `NSURLAuthenticationMethodServerTrust`. The problem I am having is that the browsing component is also supposed to be able to clear any currently trusted sites without losing the current back/forward list. Short of blowing away the `WKWebView` instance and initializing a new one with a new `WKWebViewConfiguration`, I am unable to achieve this. Am tryi
Hi, is ASWebAuthenticationSession checking the App Transport Security Settings when it calls the given URL? For example if I configure Certificate Transparency for the domain of the URL, will the domain's certificate be correctly verified? Background is that we want certificate pinning for our authentication flow and as far as I understand it that is not possible with ASWebAuthenticationSession. Certificate Transparency can be configured in ATS and if ASWebAuthenticationSession obeys ATS, that would be a valid replacement for pinning the cert. Thanks! Best, Alex
Certificate Transparency (CT) can be configured in ATS and if ASWebAuthenticationSession obeys ATS, that would be a valid replacement for pinning the cert.
Have you read the Apple’s Certificate Transparency policy article, published by Apple Support? This policy is enforced by iOS 12.1.1 (and the related watchOS and tvOS releases) and macOS 10.14.2, so if you’re running on a modern system your question is irrelevant because you get CT on all connections.
Share and Enjoy — Quinn “The Eskimo!” Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = eskimo + 1 + @apple.com
Topic: Privacy & Security; SubTopic: General
It would be great to add a JavaScript interface to IDFA to Safari in light of ITP 2.1. It could follow the established pattern: https://developer.apple.com/documentation/adsupport/asidentifiermanager This would be a great solution for everyone involved. Essentially, organizations with multiple websites have had to try and use cookie/iframe hacks to replicate what IDFA seamlessly provides on iOS across multiple apps. With ITP 2.1 most of these web hacks will be broken. So we will be forced to jump through even more hoops using requestStorageAccess() to again try and mimic what IDFA does out of the box. A homegrown solution will always lack the global user control provided by the IDFA integrated into the OS, and therefore be inferior. With IDFA, a tested precedent is already established. If we could access it via JavaScript in Safari a lot of concerns would be resolved.
It is announced that all persistent client-side cookies, i.e. persistent cookies created through document.cookie, are capped to a seven day expiry with ITP 2.1. But I can't find any description of the impact on iOS applications which use UIWebView or WKWebView or SFSafariViewController in the official documents (https://webkit.org/blog/8613/intelligent-tracking-prevention-2-1/). From my investigation, a cookie can be created in several ways.
1. Using document.cookie in the loading page.
2. Executing JavaScript using WKUserScript.
3. Using NSHTTPCookie.
I suppose that 1 and 2 will be affected by the change except 3 but I am not convinced about it. Is there any information about this?
My app has a .m3u8 live stream and I would like to use avassetresourceloader to control the https connection as ssl pinning is required for my app. As the stream is protected with signed cookie function by aws, I cannot find the way to set the cookie to the avplayer at the shouldWaitForLoadingOfRequestedResource callback, and the request to the .ts file keeps returning 401. Another problem is that when I tried a stream without cookie restriction, the playback is successful on iOS 12 only. For iOS 11 or lower, the avplayer returns -12884 CoreMediaErrorDomain Playlist File not received. Is there any way to solve this/other method to do ssl pinning with avplayer playing m3u8 livestream? Thank you
I have been facing this issue as well. If I keep clicking between reviews and something else on the page, in the end reviews would start to show sometimes. I reported it to Apple and got incident ID assigned and request to provide screenshots, which I'll be doing today as the problem still persists. Will provide a link to this thread as well to Apple. I have cleared Safari history/cookies and was trying in Chrome as well - same problem.
Topic: App Store Distribution & Marketing; SubTopic: App Store Connect
Hello all, My team lead gave me permission to view app analytics and reports about a week ago, but I am still unable to view them. When I view myself under 'Users and Access' I see this: https://i.imgur.com/GAJyhf3.png and when I click on the 'Permissions' button I see this: https://i.imgur.com/WXt8Ddi.png However, when I go to my AppStoreConnect dashboard, this is all I see: https://i.imgur.com/cGzFpGW.png If I click on the 'Analytics' button on the app listing page https://i.imgur.com/pgzkvtp.png This is all I see: https://i.imgur.com/uWCySTF.png I have tried clearing cache and cookies, switching browsers, switching networks, waiting for a while (It's been nearly a week at this point), so I'm wondering if there are any other steps I can perform to get this working. Thanks for the help! Adam
I'm using ASWebAuthenticationSession using Authorization Code Flow. In this flow I get a code token back from ASWebAuthenticationSession that I exchange for access and refresh tokens from my server. I store those in KeyChain. This works fine, but the problem is when I want to log out and log in with a different account. Logging out is two steps:
1. Throw away my keychain tokens
2. Call ASWebAuthenticationSession to logout from the servers.
The second step has a strange user experience though, as it will ask consent for logging _in_! If I skip this step, and try logging in again using ASWebAuthenticationSession, it will not show the web view unless enough time has passed since the previous login. So, I was thinking that most users don't login and logout often so I could check if enough time passed since the login and then skip step 2. Not good, but still an improvement. Does anyone know how long that timeout is? I tested and it seems it may be one hour. Perhaps it's some kind of cookie
UIWebView is deprecated and Apple urges us to switch to WKWebView. Unfortunately WKWebView seems to be still lacking far too many features to be a valid replacement of UIWebView. Therefore I would like to know if there are ideas how to achieve the following tasks...
Proxy Support
When using UIWebView we could easily route all network through an App-specific proxy. All you need to do is to implement NSURLProtocol for https and https requests and handle the proxy there. WKWebView does not support NSURLProtocol and does not have any setting for a proxy. Configuring the proxy at system level is not an option, because there's only a proxy setting for WLAN available here, not for mobile internet (G3/G4/LTE), and the systems setting is applied to all other Apps as well. So all Apps which require their own Proxy can not use WKWebView right now (for example kid-safe browsers which need to filter the web).
Caching, Offline Usage
When using UIWebView and NSURLProtocol it's possible to control all network requests for the mai
I'm the admin for an enterprise account, and I cannot see the iOS 13, tvOS, watchOS or macOS beta downloads. I can only see the Xcode 11 beta on the Beta Software Downloads page. I received the prompt for the new licence agreement, which I have accepted. I've logged in and out, cleared cache / cookies, still nothing. I've noticed a few other enterprise account users complaining about the same issue. Are enterprise customers not allowed to download these betas?
Much of the What's new in Managing Devices session was spent on Extensible SSO, which seems very interesting. https://developer.apple.com/documentation/devicemanagement/extensiblesinglesignonsso I understand that this is not the same as Sign in with Apple. Are there resources for sample code for SSO extensions? What's the API that apps will need to take advantage of the SSO extensions? ASWebAuthenticationSession or something else? Specifically, I'm trying to get a sense of how much effort existing apps will need to adopt this system, and how quickly SSO providers will be providing solutions. Thanks! Aaron
Hi Apple team, Have been exploring the Sign in with Apple in iOS 13. https://developer.apple.com/documentation/authenticationservices/asauthorizationappleidcredential Our app has been using Cookie based login and app flow, but with Sign in with Apple, as far as I explored, there is no option with cookies. Could you please clarify on this.