[Webkit-unassigned] [Bug 213879] New: Disable ITP in WKWebView used in hybrid native app
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Jul 2 05:15:06 PDT 2020
https://bugs.webkit.org/show_bug.cgi?id=213879
Bug ID: 213879
Summary: Disable ITP in WKWebView used in hybrid native app
Product: WebKit
Version: Other
Hardware: iPhone / iPad
OS: Other
Status: NEW
Severity: Major
Priority: P2
Component: WebKit API
Assignee: webkit-unassigned at lists.webkit.org
Reporter: daniel at staffbase.com
We have a hybrid native app which uses a native frame around a WKWebView. Inside the app runs a localhost web server to which the WKWebView connects. The locally hosted web site, currently running on HTTPS protocol (using a self-signed certificate, soon to be replaced by a custom protocol), does XHR calls to some backends. Media assets are loaded from a CDN. For Authentication we use cookies, both for the user session information and for the media assets. We do so to avoid access to the credentials from within the app, as both cookies are server side, secure and httpOnly. Additionally, those cookies are also sent to our media CDN to authenticate the user and check media access, without the need to alter media URLs or add any kind of authentication token to them.
With the announcement of enabling ITP for WKWebView this scenario might not be working anymore, as we would face a 3rd party cookie context in that case, which blocks both authentication cookies.
Is there a way to whitelist a couple of backend / CDN domains, so the cookies are not blocked? Is there a way to deactivate ITP for this specific case (localhost) without user interaction.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200702/13a15f0f/attachment-0001.htm>
More information about the webkit-unassigned
mailing list