[Webkit-unassigned] [Bug 204558] Expose public API for registering URL schemes as secure and as bypassing content security policy

[bugzilla-daemon at webkit.org]

https://bugs.webkit.org/show_bug.cgi?id=204558

roger at oooh.tv <roger at oooh.tv> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |roger at oooh.tv

--- Comment #2 from roger at oooh.tv <roger at oooh.tv> ---
This (accessing a custom URL scheme handler in HTML loaded into WKWebView via https) has become a significant hurdle for our application as well. We were dismayed to find that no existing API could influence WebKit's decision to block the load: CORS headers, Content-Security-Policy, "Allow Arbitrary Loads in Web Content" NSAppTransportSecurity setting, adding a content blocker rule to WKWebViewConfiguration's WKUserContentController upgrading the custom url scheme to https via "make-https". The custom URL scheme handler is installed in the app only and means nothing outside, cannot be accessed from, anything on the Internet, so we should be able to treat it as secure, at least in some limited fashion.

This was discussed with Apple Developer Technical Support in case #749750395, they reached the same conclusion as we did, that there is simply no workaround.

Like the original poster, we would be open to *any* method of permitting loads from HTTPS origins to custom URL scheme handlers in WKWebViews. Thank you for your attention!

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20201105/832e5d2b/attachment.htm>