[Webkit-unassigned] [Bug 200857] New: WKWebView does not include cookies/credentials in cross-origin-requests on iOS 13 beta

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Aug 17 02:09:51 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=200857

            Bug ID: 200857
           Summary: WKWebView does not include cookies/credentials in
                    cross-origin-requests on iOS 13 beta
           Product: WebKit
           Version: Safari Technology Preview
          Hardware: iPhone / iPad
                OS: Other
            Status: NEW
          Severity: Major
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: niklasmerz at linux.com

As discussed here: https://bugs.webkit.org/show_bug.cgi?id=140205, iOS 13 seems to have changed its cookie handling (/blocking).

HTTP requests to another origin made with JavaScript fetch and the option "credentials: 'include'" should send cookies like they did in iOS 12.

Some steps to reproduce:

1. Create an app which loads a webpage in WKWebView (I can add a sample later)
2. Open the console of the device running the app via Safari on Mac
3. Do a CORS-request with fetch: fetch("https://cors-test.appspot.com/test", {credentials: "include"})
4. Inspect the network tab in developer tools
5. This request will work and contain a cookie (on cookies tab) with the "Set-Cookie test=test" HTTP header
6. Do the request again
7. The network request for the second request will not send the cookie

I could reproduce this with random pages opened in WKWebView and Safari on iOS 13. If you use Cordova your app will run on "ionic://localhost" and all HTTP requests to the server will fail, which means the app cannot log in anywhere with cookies. If I call my test server the authentication fails and I can see in the network traffic with Wireshark that no cookie header is sent.

Disabling Cross-Site-Tracking in the Safari settings does not have an effect on iOS 13 for Safari or WKWebView. I think it did on iOS 12 for Safari in this case. As https://bugs.webkit.org/show_bug.cgi?id=140205 said, there is no API to set cookie policies on WKWebView.

Apps depending on session authentication with cookies need a fix or workaround for this to work on iOS 13. Cordova apps especially are in big trouble since they cannot communicate with any server at all.

Details will follow. Contact me for any questions.
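
A small endpoint for observing the behaviour in the steps above from the server side, added here as an example (it is not part of the original message and not the code behind cors-test.appspot.com): it sets test=test on the first request and reports whether the client sent it back on the next one. The allowlist entry "https://app.example", the port and the function names are assumptions.

```javascript
// Added example: constructed diagnostic endpoint, not the code behind cors-test.appspot.com.
// Origins allowed to make credentialed requests; "ionic://localhost" is the Cordova
// origin named in the report, the second entry is a placeholder.
const ALLOWED_ORIGINS = new Set(["ionic://localhost", "https://app.example"]);

// True when the Cookie request header carries the pair test=test.
function hasTestCookie(cookieHeader) {
  return (cookieHeader || "").split(";").some((p) => p.trim() === "test=test");
}

// Build the response for one request; `headers` has lower-case names as in Node.
function respond(headers) {
  const origin = headers.origin || null;
  const cookieSent = hasTestCookie(headers.cookie);
  const out = { "Content-Type": "application/json", Vary: "Origin" };
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    // With credentials the browser requires the exact origin (not "*") plus
    // Access-Control-Allow-Credentials: true, or it withholds the response from script.
    out["Access-Control-Allow-Origin"] = origin;
    out["Access-Control-Allow-Credentials"] = "true";
  }
  if (!cookieSent) out["Set-Cookie"] = "test=test"; // same cookie as in step 5
  return { status: 200, headers: out, body: JSON.stringify({ origin, cookieSent }) };
}

// Interpret two consecutive responses to the same client (steps 3 and 6).
function diagnose(first, second) {
  const a = JSON.parse(first.body), b = JSON.parse(second.body);
  if (!first.headers["Access-Control-Allow-Origin"]) return "origin not allowed";
  if (b.cookieSent) return "cookie returned";
  return a.cookieSent ? "cookie lost between requests" : "cookie not stored or not sent";
}

// Start a listener only when asked: node cors-check.js --serve
if (process.argv.includes("--serve")) {
  import("node:http").then((http) =>
    http.createServer((req, res) => {
      const r = respond(req.headers);
      console.log(req.method, req.url, r.body); // server-side record of what arrived
      res.writeHead(r.status, r.headers);
      res.end(r.body);
    }).listen(8080) // port is an arbitrary choice
  );
}
```

The JSON body of the second response shows whether the Cookie header arrived, which separates a client that withholds the cookie from a server whose CORS headers are wrong.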
