When using iCloud Keychain passkeys with WebAuthn (mediation: "conditional") in non-Safari browsers (e.g. Chrome or WKWebView-based browsers), Face ID / Touch ID is requested twice during Passkey Autofill. This issue occurs only when the focused input field shows a numeric keypad–style keyboard, such as: Japanese Kana Chinese Zhuyin With a standard QWERTY keyboard, authentication completes with a single user verification. Notably: Safari completes authentication with one Face ID / Touch ID prompt even with numeric keypad keyboards. Other browsers require two prompts. The issue does not occur with other credential managers (Google Password Manager, 1Password), suggesting this is specific to iCloud Keychain. This issue has been confirmed on the following OS versions: iOS 17.6.1 iOS 18.7.2 iOS 26.2 iOS 26.3 beta Impact This behavior results in a confusing and unintuitive login experience for users relying on Passkey Autofill. Steps to Reproduce: Go to Settings → Keyboards → Keyboards, and set “Japanese – Kana” as the primary keyboard. Enable Face ID / Touch ID, and make sure “Use Face ID / Touch ID For” → “Password Autofill” is enabled. Open Chrome and navigate to https://webauthn.io. Enter a username and tap “Register” to create a passkey using iCloud Keychain. Tap the username field again so that the “Japanese – Kana” keyboard appears and the passkey suggestion created in step 4 is shown. Tap the passkey suggestion. Face ID / Touch ID is requested twice. === This issue has already been reported via Feedback Assistant as FB21726047. I am posting here to confirm whether this behavior is working as intended or represents a bug, and to make other developers aware of the current behavior.

The crash is specific to iOS 26.2 prior versions working fine. WKScriptMessageHandler delegate func userContentController(_ userContentController: WKUserContentController, didReceive message: WKScriptMessage) Name attribute is accessible but WKScriptMessage body attribute causes crash The object seems to be not accessible(not in memory) self.webkit.configuration.userContentController.add(self, name: "sampleHandler") self.webkit.load(request) func userContentController(_ userContentController: WKUserContentController, didReceive message: WKScriptMessage) { print(message.name) // works print(message.body) // crashes }

This demonstrates an issue with SwiftUI's WebView on iPadOS. To repro, testing on iPad Simulator OS 26.2, macOS 26.2, Xcode 26.2. Download and unzip this project: https://drive.google.com/file/d/1z3MobjDf_RvvOtriXtinXvrJ7rGHwZRs/view?usp=share_link Set up Signing and Run the swiftui-webview App target on simulator (I'm using iPad Pro 13-inch (M5 simulator) Tap/click the fullscreen [ ] button in the bottom left corner of the webpage. Tap/click the 'X' button in the top left, to exit fullscreen. Result: The WebView exits fullscreen, but there is no content loaded, just a white background. It's also now not possible to visit other URLs - the WebView appears to be unresponsive and not repaint. This does not appear to affect macOS 26.2, just iPadOS.

aID is an ID service for 150+ newspaper sites in Norway. Since the middle of January the average login time with passkeys on our site https://www.aid.no/ has increased for Safari users, the number of logins using passkey in Safari has decreased dramatically. Previously Safari was the browser that provided the best user experience during login, since it triggered fingerprint reader straight away, but this behavior has vanished. Has something changed that we should be aware of, and is there something we can do to make conditional get great again? Without mediation conditional, the passkeys work as expected. In Chrome and Firefox, we get passkey suggestions in the username field, in Safari it's only password suggestions. To make things even stranger, the same code works as it used to in our test environment. It triggers a small popup by the username field and activates the fingerprint reader. If I cancel this, I can click on the Passwords icon and get passkey suggestion there.

Our app uses ASWebAuthenticationSession for login. This launches an incognito (ephemeral) browser window of the system’s default browser with the authentication URL. Recently, on the latest macOS Tahoe, we observe that: The browser application is launched(we could see in the dock) But the authentication window with the URL does not appear No error is returned to the app (silent failure)

Issue: On Safari, two Smart App Banners appear for the same webpage when the iOS app is installed. Cause: • Banner 1: Native Apple Smart App Banner, automatically triggered by Safari via AASA / Universal Links. • Banner 2: Smart banner injected by a third-party SDK (Branch.io). • Both operate independently, resulting in duplicate banners. Finding: Safari’s native Smart App Banner behavior is system-controlled and cannot be disabled programmatically using web rules or JavaScript while Universal Links are enabled. Question: Is this behavior expected by design? Is there any Apple-supported way to suppress the native Smart App Banner when using a third-party banner, or is the recommended approach to rely on only one banner system?

Hi Apple engineers! We are making an iOS browser and are planing to deliver a feature that allows enterprise customers to use a MAM key to set a PAC file for proxy. It's designed to support unmanaged device so the MDM based solutions like 'Global HTTP Proxy MDM payload' or 'Per-App VPN' simply don't work. After doing some research we found that with WKWebView, the only framework allowed on iOS for web browsing, there's no API for programmatically setting proxy. The closes API is the WKURLSchemeHandler, but it's for data management not network request interception, in other word it can not be used to handle HTTP/HTTPS request well. When we go from the web-view level to the app level, it seems there's no API to let an app set proxy for itself at an app-level, the closest API is Per-App VPN but as mentioned above, Per-App VPN is only available for managed device so we can't use that as well. Eventually we go to the system level, and try to use Network Extension, but there's still obstacles. It seems Network Extension doesn't directly provide a way to write system proxy. In order to archive that, we may have to use Packet Tunnel Provider in destination IP mode and create a local VPN server to loop back the network traffic and do the proxy stuff in that server. In other word, the custom VPN protocol is 'forward directly without encryption'. This approach looks viable as we see some of the network analysis tools use this approach, but still I'd like to ask is this against App Store Review Guidelines? If the above approach with Network Extension is not against App Store Review Guidelines, I have a further question that, what is the NEProxySettings of NETunnelNetworkSettings for? Is it the proxy which proxies the VPN traffic (in order to hide source IP from VPN provider) or it is the proxy to use after network traffic goes into the virtual private network? If none of the above is considered recommended, what is the recommended way to programmatically set proxy on WKWebView on an unmanaged device (regardless of where the proxy runs, web-view/app/system)?

Starting with iOS 26.2, when Safari tabs are set to Bottom or Compact view, some pages are not rendering properly. The error does not occur in Top view. For some pages, scrolling causes rendering to be very slow, causing the user to experience page breaks and missing parts. If the user waits a few seconds, the missing parts of the page will appear, but the issue will reoccur when scrolling further. We have tested this on all available iOS devices and the issue occurs on all iPhones running iOS 26.2. The issue does not occur on iOS 26.1, and we have not experienced it on devices running iOS 18. The issue can be reproduced on the following pages with an iPhone running iOS 26.2: https://fotosakademia.hu/products/course/fotografia-kozephaladoknak-haladoknak https://oktatas.kurzusguru.hu/products/course/az-online-kurzuskeszites-alapjai

There appears to be a regression or restriction in iOS 26.2 and 26.2.1 regarding the Web Authentication API in third-party browsers (browsers other than Safari). Specifically, the method PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() returns false when called from within non-Safari browsers (e.g., Chrome, Firefox, Edge) on iOS, even when the device supports biometrics (FaceID/TouchID) and Passkeys are enabled. This prevents third-party browsers from correctly detecting Platform Authenticator availability, leading websites to hide Passkey login options or default to cross-device authentication flows instead of using the local device's biometric authenticator. Environment: OS: iOS 26.2, iOS 26.2.1 Device: iPhone 17 Browsers Tested: Chrome iOS and Firefox iOS Steps to Reproduce: Launch Safari on an iOS device running iOS 26.2+. Navigate to https://www.passkeys-debugger.io/. Observe that "Platform Auth" is highlighted in Green (true), indicating the device is eligible for passkey authentication. Launch a non-Safari browser (e.g., Chrome or Firefox) on the same device. Navigate to https://www.passkeys-debugger.io/. Expected Results: "Platform Auth" should be Green (true), matching the behavior in Safari, as the device possesses a built-in platform authenticator. Actual Results: "Platform Auth" is highlighted in Red (false). Impact: This discrepancy fragments the Passkey user experience on iOS. Users preferring third-party browsers are unable to utilize the seamless on-device biometric authentication that is available in Safari. It forces developers to implement complex fallbacks or results in users believing their device is incompatible with Passkeys.

When using iOS 26.2 (23C55) Safari, the following can occur. The current tab (A) opens a new tab (B) via window.open(url, target, windowFeatures). The user clicks the "back" button to close tab B, and returns to tab A. Tab A attempts to open tab B again at a later point, using the same "target" as before, and fails (no window object is returned by window.open). This bug only occurs when the target is the same as the previously closed tab (which was closed via the back button). If a new target is specified, the new tab opens as expected. This bug is also limited to the back button. If the user manually closes tab B, then it can be re-opened by tab A using window.open using the same target as before.

Hello Apple Developer Community, I currently have a Safari Web Extension on iOS that blocks certain URLs for users. I would like to provide the same functionality for Chrome on iOS. I understand that Chrome on iOS uses WebKit under the hood, and Safari Web Extensions can run in Safari, but I am unsure whether there is any way to implement URL blocking in Chrome for iOS—either via an extension, API, or other supported mechanism. Specifically, I’m looking for guidance on: Whether any browser extension (Safari, Chrome, or otherwise) can intercept or block web requests in Chrome on iOS. If not, what Apple-supported alternatives exist for implementing URL-blocking functionality for users of Chrome on iOS. Any best practices for maintaining a cross-browser URL-blocking solution for iOS users. I want to make sure my approach is aligned with Apple’s policies and platform capabilities. Any guidance or official references would be greatly appreciated. Thank you!

When using passkeys stored in iCloud Keychain (Passwords app) via Passkey Autofill in browsers other than Safari, the userVerification parameter is ignored and user verification (UV) is not performed. As a result, relying party servers that require userVerification = required fail validation because the UV flag is not set, causing passkey authentication to fail. This issue occurs when the following setting is disabled: Settings → Face ID & Passcode → Use Face ID For → Password AutoFill The issue is reproducible only with the following combination: Non-Safari browsers (e.g. Chrome) Passkeys stored in iCloud Keychain (Passwords app) Passkey Autofill The issue does not occur in the following cases: Safari with passkeys stored in any credential manager Non-Safari browsers using credential managers other than iCloud Keychain Steps to Reproduce: Go to Settings → General → Autofill & Passwords, and enable the Passwords app under “Autofill From”. Go to Settings → Face ID & Passcode → Use Face ID For, and disable “Password AutoFill”. Open Chrome and navigate to https://webauthn.io Enter a username and tap “Register” to create a passkey using the Passwords app (iCloud Keychain). On webauthn.io, go to Advanced Settings → Authentication Settings, and set “User Verification” to “Required”. Reload the page, tap the input field, and perform Passkey Autofill. User Verification is not triggered, and “Authentication failed” is displayed on webauthn.io. === This issue has already been reported via Feedback Assistant as FB21756948. I am posting here to confirm whether this behavior is working as intended or represents a bug, and to make other developers aware of the current behavior.

We are experiencing an issue with Safari in all versions from 18.0 to 18.5 that does not occur in version 17. It affects both iPhones and Macs. And does not happen in Chrome or Windows. The problem is impacting our customers, and our monitoring tools show a dramatic increase in error volume as more users buy/upgrade to iOS 18. The issue relates to network connectivity that is lost randomly. I can reliably reproduce the issue online in production, as well as on my local development environment. For example our website backoffice has a ping, that has a frequency of X seconds, or when user is doing actions like add to a cart increasing the quantity that requires backend validation with some specific frequency the issue is noticable... To test this I ran a JS code to simulate a ping with a timer that calls a local-dev API (a probe that waits 2s to simulate "work") and delay the next HTTP requests with a dynamic value to simulate network conditions: Note: To even make the issue more clear, I'm using GET with application/json payload to make the request not simple, and require a Pre-flight request, which doubles the issue. (async () => { for (let i = 0; i < 30; i++) { try { console.log(`Request start ${i} ${new Date().toLocaleString()}`); const res = await fetch(`https://api.redated.com:8090/1/*****/probe?`, { method: 'GET', mode: "cors", //headers: {'Content-Type': 'text/plain'}, headers: { 'Content-Type': 'application/json' }, }); console.log(`Request end ${i} ${new Date().toLocaleString()} status:`, res.status); } catch (err) { console.error(`Request ${i} ${new Date().toLocaleString()} error:`, err); } let delta = Math.floor(Math.random() * 10); console.log("wait delta",delta); await new Promise(r => setTimeout(r, 1000 - delta)); } })(); For simplicity lets see a case where it fails 1 time only out of 10 requests. (Adjusting the "delta" var on the time interval create more or less errors...) This are the results: The network connection was lost error, which is false, since this is on my localhost machine, but this happens many times and is very reproducible in local and production online. The dev-tools and network tab shows empty for status error, ip, connection_id etc.. its like the request is being terminated very soon. Later I did a detailed debugging with safari and wireshark to really nail down the network flow of the problem: I will explain what this means: Frame 10824 – 18:52:03.939197: new connection initiated (SYN, ACK, ECE). Frame 10831 – 18:52:04.061531: Client sends payload (preflight request) to the server. Frame 10959 – 18:52:09.207686: Server responds with data to (preflight response) to the client. Frame 10960 – 18:52:09.207856: Client acknowledges (ACK) receipt of the preflight response. Frame 10961 – 18:52:09.212188: Client sends the actual request payload after preflight OK and then server replies with ACK. Frame 11092 – 18:52:14.332951: Server sends the final payload (main request response) to the client. Frame 11093 – 18:52:14.333093: captures the client acknowledging the final server response, which marks the successful completion of the main request. Frame 11146 – 18:52:15.348433: [IMPORTANT] the client attempts to send another new request just one second later, which is extremely close to the keep-alive timeout of 1 second. The last message from the server was at 18:52:14.332951, meaning the connection’s keep-alive timeout is predicted to end around 18:52:15.332951 but it does not. The new request is sent at 18:52:15.348433, just microseconds after the predicted timeout. The request leaves before the client browser knows the connection is closed, but by the time it arrives at the server, the connection is already dead. Frame 11147 – 18:52:15.356910: Shows the server finally sending the FIN,ACK to indicate the connection is closed. This happens slightly later than the predicted time, at microsecond 356910 compared to the expected 332951. The FIN,ACK corresponds to sequence 1193 from the ACK of the last data packet in frame 11093. Conclusions: The root cause is related to network handling issues, when the server runs in a setting of keep-alive behavior and keep-alive timeout (in this case 1s) and network timming issue with Safari reusing a closed connection without retrying. In this situation the browser should retry the request, which is what other browsers do and what Safari did before version 18, since it did not suffer from this issue. This behaviour must differ from previous Safari versions (however i read all the public change logs and could not related the regression change). Also is more pronounced with HTTP/1.1 connections due to how the keep-alive is handled. When the server is configured with a short keep-alive timeout of 1 second, and requests are sent at roughly one-second intervals, such as API pings at fixed intervals or user actions like incrementing a cart quantity that trigger backend calls where the probability of failure is high. This effect is even more apparent when the request uses a preflight with POST because it doubles the chance, although GET requests are also affected. This was a just a test case, but in real production our monitoring tools started to detect a big increment with this network error at scale, many requests per day... which is very disrupting, because user actions are randomly being dropped when the user actions and timming happens to be just near a previous connection, where keep alive timeout kicks-in, but because the browser is not yet notified it re-uses the same connection, but by the time it arrived the server is a dead connection. The safari just does nothing about it, does not even retry, be it a pre-flight or not, it just gives this error. Other browsers don't have this issue. Thanks!

Hi everyone, recently I used codex and GPT-5.2 to build a simple SSL certificate monitoring website, and I'd like to share some of my development experiences. The project link is at the end, but first, let's talk about the technical implementation. The Motivation I've encountered several service outages caused by expired SSL certificates in the past. Each time, I had to react after users reported the issue, which was very passive. While there are some monitoring tools on the market, they are either too heavy or lack the necessary features, so I decided to build my own. Technology Stack Next.js 16 + shadcn/ui + TypeScript I chose Next.js because: The development experience with App Router is excellent, with a clear mapping between routes and file structure. Server Components reduce the need for client-side JavaScript. Built-in features like image optimization and font loading are ready to use out of the box. shadcn/ui is a component library based on Radix UI, and its advantages are: Components are copied directly into your project, giving you full control. It uses Tailwind CSS, making style customization easy. It has excellent accessibility features. Drizzle ORM + PostgreSQL I've used Prisma before, but I tried Drizzle this time and found it to be more lightweight: Faster type generation. More intuitive SQL operations. Better query performance. better-auth Authentication System This is a recent discovery I made, and it's more modern than NextAuth: Better TypeScript support. A cleaner API design. Supports email/password and multiple OAuth providers (GitHub, Google). Some Challenges I Faced 1. The Complexity of Certificate Chain Validation At first, I thought checking an SSL certificate was simple—just get the certificate information. I later discovered that certificate chain validation is quite complex: You need to verify the signature of each certificate in the chain. You must check the integrity of the entire certificate chain. You have to determine if the root certificate is trusted (which browsers have built-in lists for). You need to handle cases where intermediate certificates are missing. The solution was to create a complete certificate chain extraction and validation module that includes: Extracting the full certificate chain from a TLS connection. Verifying the signature and validity period of each certificate. Detecting broken or incomplete chains. Visualizing the chain structure in a tree format. 2. Designing the Security Scoring System To help users quickly understand the security status of their certificates, I created a scoring system from A+ to F. The core logic is: Weighted score across four dimensions - Certificate Validity: 30% - Chain Integrity: 25% - Cryptographic Strength: 25% - Protocol Version: 20% If there are critical issues (e.g., expired certificate), the maximum grade is C The challenges were: How to allocate weights reasonably. How to design the penalty rules. How to provide valuable improvement suggestions. Ultimately, I adopted a layered scoring approach where each dimension is calculated independently and then combined with weights. 3. Hydration Issues with Multi-language Routing When supporting 6 languages, I encountered React Hydration errors: // ❌ Incorrect approach // app/[locale]/layout.tsx contained the <html> tag // This conflicted with the root layout // ✅ Correct approach // The root layout has only one <html> tag // Use a client component to dynamically update the lang attribute 4. Graceful Degradation for Redis Caching To improve authentication performance, I added Redis caching. But I had to consider: What happens when Redis is unavailable? How do you handle cache and database data inconsistency? The solution was: Automatically fall back to the database if the Redis connection fails. Actively invalidate the cache when the database is updated. Provide cache statistics API to monitor the hit rate. 5. PageSpeed Optimization Initially, the Lighthouse score was only in the 60s. The main problems were: Large JavaScript Bundle Used Next.js's dynamic imports to load components on demand. Removed unused dependencies. Enabled Tree Shaking. Image Optimization Used the Next.js Image component for automatic optimization. Added appropriate placeholders. Enabled lazy loading for images. Font Loading Used next/font for automatic font optimization. Reduced the number of font variants. Used font-display: swap to avoid layout shifts. Critical Rendering Path Identified critical CSS and inlined it into the HTML. Deferred loading of non-critical JavaScript. Optimized the loading order of third-party scripts. Third-party Script Optimization Deferred loading for Google Analytics, Crisp Chat, etc. Used the defer/async attributes. Considered using Web Workers for time-consuming tasks. After optimization: Performance: 60 → 95 Accessibility: 85 → 98 Best Practices: 90 → 100 SEO: 100 Some Technical Highlights Certificate Chain Visualization A tree structure is used to display the certificate chain, with expand/collapse functionality and color-coding for different statuses: Green: Valid Yellow: Expiring soon Red: Expired Security Issue Detection Automatically detects insecure cryptographic algorithms: MD5, SHA-1 signature algorithms. Weak ciphers like RC4, DES. Old protocols like TLS 1.0/1.1. Multi-channel Notifications Currently supports five notification channels: Email, Slack, Discord, Telegram, and Feishu. Users can freely combine them. Project Link https://guardssl.info Features: Free SSL certificate checking. Domain monitoring and expiration reminders. Security scoring and improvement suggestions. Multi-language support (Chinese, English, Japanese, French, Spanish). Feel free to try it out and provide feedback. We can discuss any questions you might have.

The passkey authentication dialog appears, and after unlocking with Touch ID, the dialog closes without any notification of success or failure. This issue occurs with high frequency. access to the https://passkeys-demo.appspot.com/ register account and create passkey. logoff access to the url again you can see the passkey dialog unlock device then the dialog disappears nothing happens reload the page proceed 5) to 6) nothing happens or success webauthn.