[Webkit-unassigned] [Bug 140205] WKWebView does not provide a way to set cookie accept policy

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Dec 13 08:37:22 PST 2018


--- Comment #18 from Lorenzo Boaro <loreboa84 at gmail.com> ---
(In reply to Niklas Merz from comment #16)
> Aside from hybrid apps (Cordova etc.) this is a serious problem for pages
> with CORS requests and cookie authetication, if they are loaded in a webview
> or Browsers like Firefox or Chrome.
> The default policy does not allow cookies for cross origin requests, too.
> Because of that we need a public API to change the policy.
> Steps to reproduce the cross origin cookie behavior:
> - Create a trivial WKWebView app
> - WkWebView opens page on domain A
> - Page on domain A sends request to domain B
> - Domain A recieves cookie from Domain B via "Set-Cookie" header.
> - Cookie does not show up in developer tools or "document.cookie"
> - Domain A sends second request to domain B which requires cookie
> - Domain B returns unauthorized response because request header contains no
> cookies
> The default policy is great for blocking unwanted tracking cookies but
> breaks apps or webpages which need to send request to user-configured
> origins for authentication.

Before iOS 12 I was able to fix this following this approach:

Now, I cannot do it anymore and for our goals is a big problem.

You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20181213/ec9679f9/attachment.html>

More information about the webkit-unassigned mailing list