[Webkit-unassigned] [Bug 213510] REGRESSION (iOS 14): WKWebView does not include cookies in cross-origin images (ITP for WKWebView apps)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Oct 7 08:23:31 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=213510

--- Comment #16 from John Wilander <wilander at apple.com> ---
(In reply to Adam Davenport from comment #15)
> Huge thank you to Niklas Merz for leading the discussions on these issues.
> 
> I am also a Cordova (hybrid app) developer. I'd imagine there are a lot of
> developers that are just now seeing their employers prioritize the
> transition from UIWebView to WKWebView and will be facing this issue soon if
> not already. Our static content is packaged into the app and could be served
> from a custom schema (e.g. foo://mydomain.com), but every XHR request will be
> over https (e.g. https://mydomain.com). A login request works fine, but the
> cookies in the header of the response are NOT set, and therefore subsequent
> API requests (which require authentication cookies) fail. I have NOT tried
> Xcode 12 yet, but in light of the "very few developer reports of this being
> an issue" comment, I decided to make an account and chime in here. Cross-origin
> cookies are critical to our app, and the track record of this issue
> makes me extremely nervous that it could break at any time:
> 
>  * broken in iOS 13: https://bugs.webkit.org/show_bug.cgi?id=140205
>  * fixed in 13.2: https://bugs.webkit.org/show_bug.cgi?id=200857#c39
>  * broken again in 13.3: https://bugs.webkit.org/show_bug.cgi?id=204109
>  * fixed in 13.3 beta 4: https://bugs.webkit.org/show_bug.cgi?id=204109#c25
>  * broken again on iOS 14: (this issue)
> 
> If you're looking for more developers to say "this is an issue" I'd be happy
> to start posting a link to this issue from the GitHub and Stack Overflow
> questions about it. Thanks all for sharing your experiences/ideas.

Hi, Adam, and thanks for commenting! “Broken” is not an accurate description of how this works in iOS 14. It’s an announced, deliberate change. WKWebView now has tracking prevention enabled by default.

The same questions are still valid:
Could you explain to us what your app is doing, how it makes use of cookies in cross-site requests, how many different domains are involved in these requests, and whether those domains are part of the same organization or spread across multiple orgs?
