[Webkit-unassigned] [Bug 213510] REGRESSION (iOS 14): WKWebView does not include cookies in cross-origin images (ITP for WKWebView apps)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Oct 6 18:41:45 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=213510

--- Comment #14 from Todd <tarsitodd at gmail.com> ---
(In reply to John Wilander from comment #13)
> (In reply to Todd from comment #12)
> > Just wanted to add my two cents that this is a really big deal. All cookies
> > not working in Cordova is a serious regression, and even though some
> > solutions help, none of them fix all of the problems. We need help from
> > Apple's end and it seems very discouraging that discussion stopped here
> > nearly three months ago.
> 
> Thanks for commenting. As far as I know, we have received very few developer
> reports of this being an issue. That may be because developers aren't
> testing with betas or something else. I could also have missed them but I
> hope that's not the case.

Shoot, I wish I could get feedback like this every time I complained lol.

> Niklas Merz tested right away and has communicated plenty with us on this
> change, as can be seen above. However, it would be good to hear from more
> developers both at WWDC sessions and during the long beta period after.
> There are a lot of changes that go into major releases and bugs that need to
> be screened, fixed, and put to test in subsequent betas. In this case, the
> change is deliberate and we'd have to understand more user cases to be able
> to consider any adjustments.

I'll try to be better about testing the betas in the future. It can be tricky because I work on one Mac, and doing the iOS betas sometimes necessitates the Xcode betas and the Safari beta and all of that. It can be tough to check

> The questions I asked Niklas Merz back in June are still valid:
> Could you explain to us what your app is doing, how it makes use of cookies
> in cross-site requests, how many different domains are involved in these
> requests, and whether those domains are part of the same organization or
> spread across multiple orgs?

So it's mainly one organization. Our organization's staging app is using the domain of https://staging.silverstreet.io for all of its networking, but with how Cordova works, our requesting URL is ionic://localhost. Maybe I'm able to match up the domains somehow using the custom schemes in Cordova, but I haven't figured it out yet. We also feed some data to Google Tag Manager (analytics) and Twilio (messaging), but these aren't crucial to all requests after login like the onsite cookies are.

We don't do anything fancy or non-standard, I believe. We have an onsite login flow that uses secure httpOnly cookies to authenticate the user. These cookies are used on subsequent network requests as well as websocket upgrade requests to subscribe to real-time updates.
