HTTPS connections blocked for URLSession with Skip Fuse

[colemancda]

I am unable to fetch a simple JSON request using URLSession

import Foundation
import SwiftUI
#if os(Android)
import AndroidNative
#endif

public struct ContentView: View {
 
    @State
    var text = ""
    
    public init() { }
    
    public var body: some View {
        ScrollView {
            Text(verbatim: text)
        }
            .task {
                do {
                    #if os(Android)
                    try AndroidBootstrap.setupCACerts()
                    let session = URLSession.shared
                    #else
                    let session = URLSession(configuration: .ephemeral)
                    #endif
                    let (data, response) = try await session.data(for: URLRequest(url: URL(string: "https://reqbin.com/echo/get/json")!))
                    text = String(data: data, encoding: .utf8) ?? "Invalid string"
                }
                catch {
                    text = error.localizedDescription
                }
            }
    }
}

AndroidManifest.xml

<?xml version="1.0" encoding="utf-8"?>
<!-- This AndroidManifest.xml template was generated by Skip -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android" xmlns:tools="http://schemas.android.com/tools">
    <!-- example permissions for using device location -->
    <!-- <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/> -->
    <!-- <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/> -->

    <!-- permissions needed for using the internet or an embedded WebKit browser -->
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />

    <application
        android:label="${PRODUCT_NAME}"
        android:name=".AndroidAppMain"
        android:supportsRtl="true"
        android:allowBackup="true"
        >
        <activity
            android:name=".MainActivity"
            android:exported="true"
            android:configChanges="orientation|screenSize|screenLayout|keyboardHidden|mnc|colorMode|density|fontScale|fontWeightAdjustment|keyboard|layoutDirection|locale|mcc|navigation|smallestScreenSize|touchscreen|uiMode"
            android:theme="@style/Theme.AppCompat.DayNight.NoActionBar"
            android:windowSoftInputMode="adjustResize">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>
</manifest>

[chbeer]

What you're seeing is the redirect by reqbin:

* Host reqbin.com:443 was resolved.
* IPv6: 2606:4700:20::ac43:48f9, 2606:4700:20::681a:6e0, 2606:4700:20::681a:7e0
* IPv4: 172.67.72.249, 104.26.6.224, 104.26.7.224
*   Trying 172.67.72.249:443...
* Connected to reqbin.com (172.67.72.249) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=reqbin.com
*  start date: Jan 15 06:37:13 2026 GMT
*  expire date: Apr 15 07:37:09 2026 GMT
*  subjectAltName: host "reqbin.com" matched cert's "reqbin.com"
*  issuer: C=US; O=Google Trust Services; CN=WE1
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://reqbin.com/echo/get/json
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: reqbin.com]
* [HTTP/2] [1] [:path: /echo/get/json]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET /echo/get/json HTTP/2
> Host: reqbin.com
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/2 403 
< date: Mon, 09 Feb 2026 14:18:40 GMT
< content-type: text/html; charset=UTF-8
< content-length: 6870
< accept-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
< cf-mitigated: challenge
< critical-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
< cross-origin-embedder-policy: require-corp
< cross-origin-opener-policy: same-origin
< cross-origin-resource-policy: same-origin
< origin-agent-cluster: ?1
< permissions-policy: accelerometer=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
< server-timing: chlray;desc="9cb3ff503e09dc90"
< cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< expires: Thu, 01 Jan 1970 00:00:01 GMT
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Zy1BaqY%2FswldKjIPENepsi8GaUZ9hpd5JvmF7tEiZ0j%2FMX%2BavpyqLAz7fRSlmRZ8%2BIuuKbMjpR%2FUMUS4gHJUuajn4%2FP1G9kYIBbhvRR58KTRzp2fKqt97kAxw9g%3D"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< referrer-policy: same-origin
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< x-xss-protection: 1; mode=block
< access-control-allow-origin: https://reqbin.com
< server: cloudflare
< cf-ray: 9cb3ff503e09dc90-FRA
< alt-svc: h3=":443"; ma=86400
< 
<!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewport" content="width=device-width,initial-scale=1"><style>*{box-sizing:border-box;margin:0;padding:0}html{line-height:1.15;-webkit-text-size-adjust:100%;color:#313131;font-family:system-ui,-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Helvetica Neue",Arial,"Noto Sans",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji"}body{display:flex;flex-direction:column;height:100vh;min-height:100vh}.main-content{margin:8rem auto;padding-left:1.5rem;max-width:60rem}@media (width <= 720px){.main-content{margin-top:4rem}}.h2{line-height:2.25rem;font-size:1.5rem;font-weight:500}@media (width <= 720px){.h2{line-height:1.5rem;font-size:1.25rem}}#challenge-error-text{background-image:url("data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIzMiIgaGVpZ2h0PSIzMiIgZmlsbD0ibm9uZSI+PHBhdGggZmlsbD0iI0IyMEYwMyIgZD0iTTE2IDNhMTMgMTMgMCAxIDAgMTMgMTNBMTMuMDE1IDEzLjAxNSAwIDAgMCAxNiAzbTAgMjRhMTEgMTEgMCAxIDEgMTEtMTEgMTEuMDEgMTEuMDEgMCAwIDEtMTEgMTEiLz48cGF0aCBmaWxsPSIjQjIwRjAzIiBkPSJNMTcuMDM4IDE4LjYxNUgxNC44N0wxNC41NjMgOS41aDIuNzgzem0tMS4wODQgMS40MjdxLjY2IDAgMS4wNTcuMzg4LjQwNy4zODkuNDA3Ljk5NCAwIC41OTYtLjQwNy45ODQtLjM5Ny4zOS0xLjA1Ny4zODktLjY1IDAtMS4wNTYtLjM4OS0uMzk4LS4zODktLjM5OC0uOTg0IDAtLjU5Ny4zOTgtLjk4NS40MDYtLjM5NyAxLjA1Ni0uMzk3Ii8+PC9zdmc+");background-repeat:no-repeat;background-size:contain;padding-left:34px}@media (prefers-color-scheme: dark){body{background-color:#222;color:#d9d9d9}}</style><meta http-equiv="refresh" content="360"></head><body><div class="main-wrapper" role="main"><div class="main-content"><noscript><div class="h2"><span id="challenge-error-text">Enable JavaScript and cookies to continue</span></div></noscript></div></div><script>(function(){window._cf_chl_opt = {cvId: '3',cZone: 'reqbin.com',cType: 'managed',cRay: '9cb3ff503e09dc90',cH: 'V1M9LpdVmewI0xej0je3VO7_EmmlSKcNddCLaEOAupI-1770646720-1.2.1.1-WO3g9pHjD71Z89ZcXZ_XGNVV1bGhoAAxgJe9oknyPbj7L1zG5KagI3Wv3z8Ec3UL',cUPMDTk:"\/echo\/get\/json?__cf_chl_tk=39JOTp1pwEeLqjqxDQ1dIJu_wq0TFwr63dpfR2C9.GQ-1770646720-1.0.1.1-NhBsFRMl1cSpC0X50bmZPayjBWZjoqPAE7rSI4XP2FI",cFPWv: 'b',cITimeS: '1770646720',cTplC:0,cTplV:5,cTplB: '0',fa:"\/echo\/get\/json?__cf_chl_f_tk=39JOTp1pwEeLqjqxDQ1dIJu_wq0TFwr63dpfR2C9.GQ-1770646720-1.0.1.1-NhBsFRMl1cSpC0X50bmZPayjBWZjoqPAE7rSI4XP2FI",md: 'cIvfROheUf88t8byAoTU4N5QMwwdNckSBNITVzxK9Hg-1770646720-1.2.1.1-SrBzYkyDEbhWbrGcSSnkLIVFL01na60QgWtwmY09hZa5mODq64k36g1Jum0udKdbdvyyHdlmIF1qHd8l985POOuhtytns.XCGkwlBPKiB7tDy4EVlfUXU9X7N79hw_1cqSQtMa4z7jkiBi4MwBkHhAprquNxURpjcXj9ag2gRsOoTsXx8sfoxOxgESEoZGJKcw2sTuTAVl.QXKTWBfqgKZqygX.5aYHMR_9nF4l5aHC1kD.N2nrJTNuhrPRlnT62cCUGm2ZI17Kmtqm.AEYjC_bTIOC3xeq.VozT4PD2_hg16Pus3bTnyeKBFwFdMGlDr_cS_q2t51UhRUWbPE668h0X1FOX4Ge5S2g3H80b4ncgAltdNarWKW6w6MfuUrgB550fD9LZrPx7KoiBF5OImU7Y_0LE4Pcjedt6oRDcbP3KCxtV.fjpJDxwy7Og2eqhMIrb9YnRNRet95QHqrmQREelbDL.5HbXP3SR_.nGrsCgPGoJnAynKF0vgjKjq8tuMusXQVk9EhXtk5OMvX1JelSc.SzblNW5423.BMQCIbobQnv_sSPi73QQNhtSrfjxi5xCWiCCqdRv00UNOSrL9eOebLGEwKM2htcaK.rFFgf7VdA287rWZkX.wZGx.d..kG_KnEros7hZZ9ZLYSOFHQX8wMTr0eH_MhR.NfmJqq2tIaP2bH8LTB2mN3t3kS1SjYKhwi6Q4vQ9c_6KuxIdWncF3RE7nYsNe8Lke1822z__8iVOv7c9.J4CKeUmXld.Ow6lfN3x26aX.GErCguPDJCnhU8ymtjLr.dSBV4YhlAQEpzzLm5AoapsWJmX5zO.SE7hwapvHIFHvw716DTtn8QoibiqVkj_i78ugQkzygiy2A8sg.lBLprQMwOrIxW8VC8KLO_HqtOIDWjpSTxCNFh_qBjkZcWUfnLFAbM1bqQ',mdrd: 'CX5JOMkoRc3uSgenN1OTHF_k9.SKrGpvUPRP2hjDMG0-1770646720-1.2.1.1-AZjfJ.6piF4XaOilJECQ5cveSvUK7AnWKO.COQvqQ1VSeZusbOZO2xGomziJv5CcleMk.eP3bkQopXCFD7fQ.NWA1SqEy5dfjPebydaEFh.AultX5I0tNY50zvMmgU0D85X2UwCSX1WiC3.CtHcaMG2P8gVzgIXUo3SIoKFvfUOYWSjt6NKgUF.HsD37ybRbbOd7xXj8TBkFuft480OTEo95HFkn8U4FtJ5sI7t4LBOvwPXxTJ_1bIUncYgyUgYK19p8nhf9n8OSjjZC6SItkuJacBM_rf9PiBmlNMaNM83sHA053YUQkjKjpVfmZphmDBJNnAffMavFSXR6ZaQieYJ1Kw2moBF8tBdDVQeakC_PxBkntOJsPa9EGz2PALV9dSmSxg_eGizHnZ_y84bZZa0sOdxbxpVqmrB_5yMp5w1FZ.1lKW65kerE9jG.2gH* Connection #0 to host reqbin.com left intact
htVWXXECObgJg.XDDog1_.oK78fBib3a0lIjJ.qNN32lrWeHjmEV.lDsBQsG1yB7ISL35EdHkF0WPA5wJBSIfrmcGskLcGx8RsaI_qy8ak4_rPdHgL_FFEjd_b9m8cUUVrarRdNzRyklPG1nBOeQ8fjh93XKsplWnXaf5FPizwezL20HOfa0W3RzevVLeZacxKQIv17IWNG_alwZ_bvSkQZwR2ql53G7fSAtcaNalZ9as6Bbg2R7BrBYXGSZhfGGySP832qVO8jdqFDakfxqoFTVCRz7dVaBjnylYM7xcgiDiDdNAcVstO8uHZSkDj8QVtcF2DFzyN6TDakahF7U2lDvN2evOyltQ3Gkk5_xvTwHt_pl9CBDSCB9T.7XPatBj9xHruA84cE9NQ7zbHmjIE3iDiK13N1qz9j0nkXYOiJG4rtrnPqAaWZ5TqtZLZNrlZiUYOZAieLYfSQhmy9z06WRtVxZ0VdowoFKEhmQqg77H7kH8fv7FRi1RiFigC1AlgMgDQ3pYEvO_pYOEG3MCwYTNuYOhbRB2jWrgAVDqc2xChd02XvD4jHYDwiAo1kPXIeJ77zGoiTubR99XfTbzQpectRAwTNeYQk7wJ5lyxvM8dF.nE2_lIhGqWravoWRewetAYYV26YDEPWBZajZjgtEbL4MOyLbVTWx_mtu9.SGK2xfCG8uhsIcva7SqaS7Zv23y63AaMZ8DBobCCJMZYPkpS.Ki.CaoqYfk4LzFaU0OmsZR38Ee6Yi9iL.wJ9SuQp871b2xCPgff9oYInIZoCnBKUw8OTXj9sLzB29hOsrahdN.QwNrmmUn4twoYgqCORj7PJkYaUbLwwvOI.xLWWBy1103phL6Rg_RgOisOr62W.BdH8H84kE0U9wlAWln17KiJcGCKaBdup4jqgM8qNjFKLtBjs0UKmxIzoXXaA4M3nYuq0jhIozXqK0lcfIah8FC1B9SrWojA9jdK7rGDm_eyHJTC5zykRGHyIMYwSNaJ9tYfF7a_RiZk1FpqDLs8_t4rLFUYBlL1VPvcYiVAEVLWB03c.UWlXrbmSjkRLv.nV6c7VVTnAYM2cdtWOgA0j4xK5LSFY2V_Dr0.L2aM_hVNI8C93KnVe8KojhkZan8qSRcgZ7AHpiaYW3Ac.Ggvbnrf0Tdgz3wz23MXJoMi_bj3LcUUHdJGt_813j4eyXYpML6WEia5TBefG6K.B7YN6baoNyt5PsjuONgZwgezwoKYJDistSxKbMRIau7jMCMlIGTSE0yw2OPsjlD2ibntqKqKT0k9w5NdWaA5zg9tqt0HFrS3jddXWuQ_1aNTe0Inc48XcQWMh4mHi9TAcW2uSU3epcMwsVmueIz.0V.MS0.cmNylF_zR3gBVuXcImavc9FoOeH.Ni8j2id8t6H6MEzlDaWkkTZgP7iYhJj.vRpfibMStV9gZOGLCOSQ5z2cZANxyIxs9V54lc_tgASjCHpqEX5JHsg.3RA0NKQYp4ZJa2k1G5IbvhqmtBb05jLmCbbkjjbFQPwQqvLc24kIRBhwPaZEuwdw2pkHz5vv8VKGYDKlk6tdKyV4GiebbbPfELvSimG5hKDNVLfS_7RJvyOMY7tsnYBRqFw5dsfMDCSg8_ly5YqiYJO.lrr8PppcJZfKPFezNaa1Y4p._HeuLNxoL0L05YFEfoyUVM8.X_U0kaUCgqf5w2S_APXI1Qzcp4xRGT.rEmENOeSuD0bqYDpESSFneFJQkjjPjVcF61hhJM8HDpvodFqtVvrObX3.2qCgL336mbN7nFOJAKvpdi6nAKxhQi_IYiRx7n6tHZDgiU3GRNT2Vpu_Q6VF6TbEn4DuvZ6Td0mcFlNibdH3',};var a = document.createElement('script');a.src = '/cdn-cgi/challenge-platform/h/b/orchestrate/chl_page/v1?ray=9cb3ff503e09dc90';window._cf_chl_opt.cOgUHash = location.hash === '' && location.href.indexOf('#') !== -1 ? '#' : location.hash;window._cf_chl_opt.cOgUQuery = location.search === '' && location.href.slice(0, location.href.length - window._cf_chl_opt.cOgUHash.length).indexOf('?') !== -1 ? '?' : location.search;if (window.history && window.history.replaceState) {var ogU = location.pathname + window._cf_chl_opt.cOgUQuery + window._cf_chl_opt.cOgUHash;history.replaceState(null, null,"\/echo\/get\/json?__cf_chl_rt_tk=39JOTp1pwEeLqjqxDQ1dIJu_wq0TFwr63dpfR2C9.GQ-1770646720-1.0.1.1-NhBsFRMl1cSpC0X50bmZPayjBWZjoqPAE7rSI4XP2FI"+ window._cf_chl_opt.cOgUHash);a.onload = function() {history.replaceState(null, null, ogU);}}document.getElementsByTagName('head')[0].appendChild(a);}());</script></body></html>%    ```

[colemancda]

iOS URLsession follows redirects, any way I can imitate that behavior?

[marcprux]

The Android URLSession should be following redirects by default as well (it is the same curl build as Linux, which also follows redirects).

I do note that curl returns a 403 Forbidden for that URL:

$ curl -fsSL https://reqbin.com/echo/get/json
curl: (56) The requested URL returned error: 403

But Safari seems to load it fine 🤔 Is it possible they are doing a User-Agent check? What if you try something like https://httpbin.io/get instead?

[marcprux]

Update: I just ran skip android test against https://github.com/skiptools/swift-android-native/blob/main/Tests/AndroidNativeTests/AndroidNativeTests.swift#L26 with a URL that performs a redirect, and it worked for me…

[marcprux]

You could also try setting a delegate and implementing willPerformHTTPRedirection to help diagnose what is going on.

[colemancda]

Thanks