[Webkit-unassigned] [Bug 227175] New: FR: Dynamic use of app-bound domains

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Jun 19 02:32:37 PDT 2021 

https://bugs.webkit.org/show_bug.cgi?id=227175

            Bug ID: 227175
           Summary: FR: Dynamic use of app-bound domains
           Product: WebKit
           Version: Other
          Hardware: iPhone / iPad
                OS: iOS 14
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: niklasmerz at apache.org

Recently I had a great chat at a WWDC WebKit lab about app-bound domains and our special use case. 

I have an app where the user enters the domain/URL to a server the app should connect to. The server could be a dedicated backend server installed at the customers site. The employees of the customer download the app from the App Store and enter the URL given to them by their administrators. The app now connects only to this particular server.

I now want to use app-bound domains for this use case, too. Right now I can set up to 10 app-bound at build time. This does not help for my kind of app because the domains need to be set at runtime and some apps, like enterprise apps with on-premise servers, might not know them at this point. 

What if WebKit would offer an API (possibly with a system prompt, setting etc.) to set an app-bound domain as soon the app gets the domain it needs to connect to by the user? Having this one domain the app connects to exclusively as an app-bound domain would offer benefits, like no ITP issues, security measures etc.

I really like the idea of a "trusted domain" which get's more freedom for WKWebView apps and offers privacy and security for users. The app should only connect to the domain given by the user.

Apps that are not web browser but use WKWebView to display content from local web files (Cordova, Capacitor etc.) have many stumbling blocks because of weird CORS and ITP behaviors right now. For these apps slightly less strict CORS restrictions with custom schemes could possibly help many developers, too.

I would love to talk more about this and discuss ideas to make lives easier for developers using WebKit in apps like this.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210619/28eeb627/attachment.htm>

More information about the webkit-unassigned mailing list