This is broken for wildcard cookie injection. Definitely an issue with iOS 16 and I see no release notes or documentation that covers it.
Specifically, injecting a cookie on a site such as sub.example.com with the domain .example.com used to work but no longer does, and this contradicts the Apple documentation:
https://developer.apple.com/documentation/foundation/httpcookie/1393015-domain
"If the domain does not start with a dot, then the cookie is only sent to the exact host specified by the domain. If the domain does start with a dot, then the cookie is sent to other hosts in that domain as well, subject to certain restrictions. See RFC 6265 for more detail."
Injecting with sub.example.com works as expected. Injecting with example.com does not work.
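An added example, not part of the original post and not Apple's code: the sketch below models the documentation sentence quoted above next to the RFC 6265 domain-match rule (sections 5.1.3 and 5.2.3), and evaluates both for the three domain values mentioned in the post against the host sub.example.com. The function names are hypothetical, and the "certain restrictions" the documentation mentions are not modelled.

```python
import ipaddress


def is_ip(host):
    """True if host is an IPv4/IPv6 literal (such hosts never suffix-match)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def rfc6265_domain_match(host, cookie_domain):
    """RFC 6265 5.1.3 domain-match, after 5.2.3 drops one leading dot."""
    host = host.lower()
    domain = cookie_domain.lower()
    if domain.startswith("."):
        domain = domain[1:]
    if not domain:
        return False
    if host == domain:
        return True
    # Suffix match only on a label boundary, and only for host names.
    return host.endswith("." + domain) and not is_ip(host)


def documented_httpcookie_match(host, cookie_domain):
    """Model of the quoted documentation sentence (an assumption, not
    Apple's implementation): no leading dot means exact host only."""
    if not cookie_domain.startswith("."):
        return host.lower() == cookie_domain.lower()
    return rfc6265_domain_match(host, cookie_domain)


def expected_scope(request_host, cookie_domains):
    """Map each cookie domain to (documented rule, RFC 6265 rule) results."""
    return {
        d: (documented_httpcookie_match(request_host, d),
            rfc6265_domain_match(request_host, d))
        for d in cookie_domains
    }


if __name__ == "__main__":
    # Constructed inputs: the host and domain values named in the post.
    domains = [".example.com", "example.com", "sub.example.com"]
    for d, (doc, rfc) in expected_scope("sub.example.com", domains).items():
        print(f"domain={d!r:20} documented={doc!s:5} rfc6265={rfc}")
```

Comparing this table with what `WKHTTPCookieStore` or `HTTPCookieStorage` actually returns on a given OS release shows which rule the platform is applying to an injected cookie.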