[Webkit-unassigned] [Bug 140205] WKWebView does not provide a way to set cookie accept policy

Wed Apr 29 08:53:41 PDT 2020

https://bugs.webkit.org/show_bug.cgi?id=140205

Maciej Zabielski <maciej.zabielski at tessel.pl> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |maciej.zabielski at tessel.pl

--- Comment #33 from Maciej Zabielski <maciej.zabielski at tessel.pl> ---
It's been 5 years and no progress. Nice. I think its important to point out that this is not really a bug is it? Should we expect other behavior than from, e.g. Chrome when on default settings? The problem is that only default settings are available!

A Chrome browser will, by default, never send cookies to third party website with CORS request. To send cookies in that case, CORS request should be flagged on client side with XMLHttpRequest.withCredentials = true. This setting also involves cookies!

For this to be accepted, we need a response from server that includes Access-Control-Allow-Credentials header. It must be set to TRUE. Whats even worse, the value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include' (At least according to Chrome).

When all of these conditions are met, only then session cookie will be sent as well as accepted back. Chrome will still complain with message: "A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. 

I believe there are really A LOT of requirements for a "secure" browser that must be met, before it allows such connection, and most of the web servers will not implement them (CORS) correctly if at all. 

Having said that I believe that there should be a possibility to run WKWebView on iOS in a "relaxed" security mode that can be used to build Hybrid applications without craziness of using plugins to do the background communication bypassing CORS. This XHR/CORS/Cookie issues did cost us a lot of nerve wracking moments - we should not spend time on this at all. The UIWebView handled this just fine with NO security threat to the user, if used correctly in Hybrid Apps. If this such mode is not introduced, we will have to spend days developing workarounds, as ones responsible for this seems to ignore how important this is for so many developers.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200429/cb8d2fd5/attachment.htm>