[Webkit-unassigned] [Bug 227589] WKWebView javascript injection doesn't work if app includes WKAppBoundDomains

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jul 7 07:10:44 PDT 2021 

https://bugs.webkit.org/show_bug.cgi?id=227589

--- Comment #1 from Kate Cheney <katherine_cheney at apple.com> ---
Hi, thanks for filing this.

(In reply to jcesarmobile from comment #0)
> Sample app:
> https://github.com/jcesarmobile/appboundsbug
> 
> Steps to reproduce:
> 1. Clone the app
> 2. Run the app on iOS 14 or newer (also affects iOS 15 beta 2)
> 
> Expected:
> The background should be red
> 
> Actual behavior:
> The background is white
> 
> JavaScript injection can be enabled back by adding:
> webViewConfiguration.limitsNavigationsToAppBoundDomains = true
> 

This is expected. In the blog post we mention: "Once the WKAppBoundDomains key is added to the Info.plist, all WKWebView instances in the application default to a mode where JavaScript injection, custom style sheets, cookie manipulation, and message handler use is denied. To gain back access to these APIs, a WKWebView can set the limitsNavigationsToAppBoundDomains flag in their WKWebView configuration".

> and adding localhost to the WKAppBoundDomains
> 
> <key>WKAppBoundDomains</key>
> <array>
>     <string>localhost</string>
> </array>
> 

This should not be needed. Just to clarify, if you remove this value from the Info.plist but keep limitsNavigationsToAppBoundDomains = YES in the configuration, JS injection does not work?

> 
> But according to this article
> https://webkit.org/blog/10882/app-bound-domains/, you should not need to add
> localhost as it's loading local assets.
> 
> 
> Also the article says that to enable app bound domains you can just add the
> key
> <key>WKAppBoundDomains</key>
> but that doesn't let the app to compile, you need to add an empty array.
> 

This may be an error in the docs. Thanks for pointing this out.

> 
> TLDR: Adding WKAppBoundDomains key in the info.plist should not disable
> JavaScript injection in apps that load local assets, it should only disable
> it for the external domains that you add in the WKAppBoundDomains list if
> limitsNavigationsToAppBoundDomains is not set to true. But for local assets
> it should always work no matter what the value is and users should not need
> to add localhost to the list.
> 
> 
> The sample app is a simple example, but adding WKAppBoundDomains key breaks
> all Ionic Capacitor plugins as they rely on the JavaScript injection

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210707/b3630ca3/attachment.htm>

More information about the webkit-unassigned mailing list