Weblock uses a whitelist, not a blacklist, and it is domain based. Once you allow a domain, it can be browsed by a child. You can allow it forever/15 minutes/1 hour.
How it works: WKWebView, before loading a page, asks the backend if the domain is allowed. If not, it shows "Not allowed" screen and a "Request access" button - child can tap it and you (parent) will get a notification.
So traffic is not going through the backend or a filtering VPN, the app just asks the backend if a page (domain) is allowed to visit.
Visits are logged, so you, as a parent, can see what your child has been browsing. How much time did he spend on a homework website.
Some WKWebView callbacks used for that: * onShouldStartLoadWithRequest - to intercept a request and check if it's allowed * onLoadProgress - to show loading progress bar * onNavigationStateChange - to track browsing history
Also I had to implement a workaround for buggy Screen Time in iOS 26 - even if you add Weblock to "always allowed" apps, iOS will still treat each website as a separate "app" and block it, asking to you "allow' each website on system level. It happens inside WebKit codebase, but luckily this bug has another bug in it - if you re-open a website, it suddenly works and all other websites in this session work tooSo I need to listen to `onScreenTimeBlockingStateChange` event and automatically reload a website if that happens.
Also I added an ad blocker to Weblock. It uses uBlock Origin filters, converts them to WKWebView content rule JSON format and feeds to WKWebView. The app checks the backend if rules are updated and updates a local copy.
What's next: need to get "Default Browser" entitlement from Apple. Then you can block Safari on kid's phone using Screen Time and have Weblock open all HTTP(S) URLs.
App is written in React Native, no performance issues. Backend is Ruby on Rails.