I've a strange problem which is only occurring on 2 client devices. We have enabled Universal links, and have it fully tested and working. On one client device, the link never opens our app; but here's the strange thing: If I long-press on our link (in Messages), it gives a preview (as expected), and the context menu offers "Open in ", as well as "Open in Safari". Tapping on "Open in " does nothing. I've tried the following: Checked I could access the site-association file over https with no redirects Enabled developer mode and used universal link debug feature: pasted the same link - Developer mode says it will open the app. I've carried out the sysdiagnose; And there are entries in there for our app in swcutil_show.txt. Snipped below: Service: applinks App ID: <my fully qualified app bundle id> App Version: 760.0 App PI: <LSPersistentIdentifier 0x6b8008930> { v = 0, t = 0x8, u = 0x45c, db = DC8D18A2-430D-4AD4-A5BE-B7A003CF9A6F, {length = 8, bytes = 0x5c04000000000000} } Domain: www.<mydomain>.com Patterns: {"/":"/cc/*"}, {"?":{"t":"*"},"/":"/md/"} User Approval: unspecified Site/Fmwk Approval: approved Flags: Last Checked: 2025-04-29 09:10:21 +0000 Next Check: 2025-05-04 08:42:50 +0000 -------------------------------------------------------------------------------- Service: applinks App ID: <my fully qualified app bundle id> App Version: 760.0 App PI: <LSPersistentIdentifier 0x6b8008930> { v = 0, t = 0x8, u = 0x45c, db = DC8D18A2-430D-4AD4-A5BE-B7A003CF9A6F, {length = 8, bytes = 0x5c04000000000000} } Domain: <mydomain>.com Patterns: {"/":"/cc/*"}, {"?":{"t":"*"},"/":"/md/"} User Approval: unspecified Site/Fmwk Approval: approved Flags: Last Checked: 2025-04-29 09:10:21 +0000 Next Check: 2025-05-04 08:42:50 +0000 -------------------------------------------------------------------------------- Service: applinks App ID: <my fully qualified app bundle id> App Version: 760.0 App PI: <LSPersistentIdentifier 0x6b8008930> { v = 0, t = 0x8, u = 0x45c, db = DC8D18A2-430D-4AD4-A5BE-B7A003CF9A6F, {length = 8, bytes = 0x5c04000000000000} } Domain: *.<mydomain>.com Patterns: {"/":"/cc/*"}, {"?":{"t":"*"},"/":"/md/"} User Approval: unspecified Site/Fmwk Approval: approved Flags: Last Checked: 2025-04-29 09:10:21 +0000 Next Check: 2025-05-04 08:42:50 +0000 -------------------------------------------------------------------------------- The version numbers match the installed version of my app I've tried running logging and just capturing logs before and after I press the "open in ", but there's nothing suspicious in there. And the kicker - it's only happening on a single device. No other devices are experiencing this.

We have a payment process in an app which involves loading up a Web page to allow a user to enter credit card details, and to complete a transaction. This web page may result in a 3D-Secure step up challenge. For PCI compliance purposes we launch this in a SFSafariViewController. This 3D secure process involves a collection of redirects, with a final one back to us known as the "Merchant Page". In here, we want to do one more redirect, using a custom URL scheme, to allow the app to recognise that the process has completed, and can safely dismiss the SFSafariViewController. In those cases where no "step up 3d challenge" occurs, the process works well, the final redirect occurs, and our app successfully dismisses the SFSafariViewController. However, in a step up challenge, the Merchant Page loads, but any attempt to do the final custom redirect does not execute. I believe this is a feature of Safari - What I think is going on is that enough time has passed since there was user interaction on the page, and the final redirect, which isn't a https or http link (it is a myapp:// link) simply gets ignored. We've tried a lot of things. One thing works: If we provide a button, and when it is tapped, it sets window.location.href = 'myapp://success?', this works. This is a clue to if it is cause by lack of user interaction. We've tried lots of things: Rather than a javascript redirect, we tried server side redirecting; we tried all of the HTTP 300 response codes. They were all ignored We tried the meta refresh (which we know is kinda deprecated). We tried window.location.href = , window.location.assign(), document.location.href, document.location.assig(), etc. We tried issuing an Ajax XMLHttpRequest, but this failed because it isn't https or http We even tried to suggest our non-standard URL was the source of a script, just to trigger it but it didn't work. We've tried calling in during body onload We've tried calling it using a timeout in case timing was relevant. My gut feeling here is this is a feature. I've used Safari Debugging, and it literally steps over the window.location.href assignment, and doesn't produce a warning or an error. We've added try/catch, and no exception was thrown. Again, it leads me to believe this is all by design (perhaps to prevent ad fraud or something?). I was kinda hoping that in the response, we'd be able to specify a CORS header that tells the browser that "it will be ok to use resources from myapp://", but haven't found the right one. We may end up having to simply produce a button with a message "Your transaction has completed, please press here to dismiss", but it is terrible UX that is unnecessary. I've seen a number of posts elsewhere suggesting that redirects without user interaction can be considered suspicious, and I've experience of this same problem on another browser. If anyone has cracked this one, I'd love to know how