[Webkit-unassigned] [Bug 213510] iOS 14: ITP causes issues for hybrid (WKWebView) apps using cookies for authentication etc.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Feb 10 14:13:25 PST 2021 

https://bugs.webkit.org/show_bug.cgi?id=213510

--- Comment #37 from John Wilander <wilander at apple.com> ---
(In reply to Mad from comment #36)
> WTF? No really, WTF?
> 
> Why on earth app-bound domains (in fact all of them are: primary domain +
> subdomains) are not sharing cookies? This is do dumb.

Cookies matching the top frame registrable domain (eTLD+1) are available according to the regular cookie scoping rules (domain attribute etc). No blocking of those.

> You guys haven't heard and not aware of session cookie commonly shared
> across all subdomains (ie. *.myapp.com)?

Session cookies typically mean non-persistent cookies. What you refer to are same-site cookies or perhaps same-party cookies. Regardless, the cookies you refer to are available and not blocked if their domain indeed matches the top frame registrable domain.

> I understand the point of ITP and apperciate Apple for taking care of my
> privacy by blocking annoying tracking bloatware, but why you didn't think
> about legit stuff?
> 
> There are a lot of discussions going on on github, SO and other sites
> regarding this breaking change with no way to easily work around the
> constraint without dirty hacks or regressions in UX ("Allow Cross-Website
> Tracking" is confusing and misleading, because user session is not
> "Tracking").

As mentioned, the "session cookies" you refer to are available.

> What we should do given that WKWebView provides an essential part of our app
> hosted on dozen of subdomains (apps, resources, cdn, content, api) and we
> are a team of web developers and have no iOS developer in house?
> 
> Now most of our team (Engineering, Management, QA) struggles in trying to
> find a workaround ASAP because otherwise our app would be broken for
> thousands of our users.
> 
> Shame on you.

We try to use a respectful tone in these bug comments. I hope you are willing to do so too.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210210/3a59fdbf/attachment.htm>

More information about the webkit-unassigned mailing list