[Webkit-unassigned] [Bug 213510] REGRESSION (iOS 14): WKWebView does not include cookies in cross-origin images

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jul 3 01:11:18 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=213510

--- Comment #10 from Niklas Merz <niklasmerz at apache.org> ---
That's what I thought. App-bound domains are not a solution for this problem.

You commented in the other bug:
> If possible, it would be nice to test that this'll work with the ITP relaxation for app-bound domains too.

Why not relax ITP for custom schemes or web content from the app's bundle in WKWebView in some way? I have been thinking about this for some time now. Cordova implemented a custom scheme to serve web content from the app's bundle. (The scheme and hostname are configurable now.) So ITP does not protect users from malicious websites because the website is part of the app code. The web content in this case is just like a native app that wants to talk to external servers with cookie sessions.

Why not introduce a custom scheme for serving local content (like localhost) and relax ITP for that scenario? Using file: has other problems with web content and CORS. 

Just thinking out loud. I am not sure about further implications and other problems.
