[Webkit-unassigned] [Bug 140205] WKWebView does not provide a way to set cookie accept policy

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Nov 20 00:39:07 PST 2018


https://bugs.webkit.org/show_bug.cgi?id=140205

--- Comment #16 from Niklas Merz <niklasmerz at linux.com> ---
Aside from hybrid apps (Cordova etc.) this is a serious problem for pages with CORS requests and cookie authentication, if they are loaded in a webview or browsers like Firefox or Chrome.

The default policy does not allow cookies for cross origin requests, too. Because of that we need a public API to change the policy.

Steps to reproduce the cross origin cookie behavior:
- Create a trivial WKWebView app
- WKWebView opens page on domain A
- Page on domain A sends request to domain B
- Domain A receives cookie from Domain B via "Set-Cookie" header.
- Cookie does not show up in developer tools or "document.cookie"
- Domain A sends second request to domain B which requires cookie
- Domain B returns unauthorized response because request header contains no cookies

The default policy is great for blocking unwanted tracking cookies but breaks apps or webpages which need to send requests to user-configured origins for authentication.

-- 
You are receiving this mail because:
You are the assignee for the bug.
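
The reproduction steps from the comment above, replayed against a simplified cookie-jar model (an added example, not part of the original comment and not WebKit code). The policy names, the hosts `a.example` and `b.example`, the `/login` and `/data` paths and the `session` cookie are assumptions made for the illustration.

```javascript
// Simplified model of the reproduction steps; not WebKit code.
// Policy names, hosts, paths and cookie values are constructed for illustration.
const POLICY = { MAIN_DOCUMENT_ONLY: 'main-document-only', ALWAYS: 'always' };

class CookieJar {
  constructor(policy) {
    this.policy = policy;
    this.store = new Map(); // host -> Map(cookie name -> value)
  }
  // Decide whether a Set-Cookie from responseHost is kept while the top-level
  // document is on mainDocumentHost. Simplification: hosts are compared
  // exactly; real engines compare registrable domains.
  accept(mainDocumentHost, responseHost, setCookie) {
    const thirdParty = mainDocumentHost !== responseHost;
    if (thirdParty && this.policy === POLICY.MAIN_DOCUMENT_ONLY) return false;
    const pair = setCookie.split(';')[0];
    const idx = pair.indexOf('=');
    if (idx < 1) return false; // malformed cookie pair, ignore it
    const name = pair.slice(0, idx).trim();
    const value = pair.slice(idx + 1).trim();
    if (!this.store.has(responseHost)) this.store.set(responseHost, new Map());
    this.store.get(responseHost).set(name, value);
    return true;
  }
  // Build the Cookie request header for a host ('' when nothing is stored).
  headerFor(host) {
    const cookies = this.store.get(host);
    if (!cookies) return '';
    return [...cookies].map(([n, v]) => `${n}=${v}`).join('; ');
  }
}

// Constructed stand-in for domain B: issues a session cookie on /login and
// answers 401 on any other path unless that cookie is sent back.
function domainB(path, cookieHeader) {
  if (path === '/login') {
    return { status: 200, setCookie: 'session=abc123; Secure; HttpOnly' };
  }
  return { status: cookieHeader.includes('session=abc123') ? 200 : 401 };
}

// Replay the steps: page on A calls B twice, the second call needs the cookie.
function replay(policy) {
  const pageHost = 'a.example', apiHost = 'b.example';
  const jar = new CookieJar(policy);
  const first = domainB('/login', jar.headerFor(apiHost));
  const stored = jar.accept(pageHost, apiHost, first.setCookie);
  const second = domainB('/data', jar.headerFor(apiHost));
  return { first: first.status, stored, second: second.status };
}
```

In a real browser the cross-origin request must also be sent with credentials (`credentials: 'include'` for `fetch`), and domain B must answer with `Access-Control-Allow-Credentials: true` and a non-wildcard `Access-Control-Allow-Origin`; the model leaves that out to isolate the accept-policy decision.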