[Webkit-unassigned] [Bug 213510] iOS 14: ITP causes issues for hybrid (WKWebView) apps using cookies for authentication etc.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Mar 3 09:58:37 PST 2021


https://bugs.webkit.org/show_bug.cgi?id=213510

--- Comment #41 from Adam Davenport <adamdport at gmail.com> ---
To respond to the "has anyone got this working" posts, I finally got my Cordova app working! The authentication cookie set by the login response from my remote server now persists for subsequent requests, and even seems to persist in IFrames and the InAppBrowser plugin!

> The App-Bound Domains feature takes steps to preserve user privacy by limiting the domains on which an app can utilize powerful APIs to track users during in-app browsing. Applications that opt-in to this new feature can specify up to 10 “app-bound” domains using a new Info.plist key — WKAppBoundDomains

If you're like me and your app needs to talk to 10 or fewer remotes, you can add your remote domain to your plist file and opt in using limitsNavigationsToAppBoundDomains.

https://webkit.org/blog/10882/app-bound-domains/

AppBoundDomains only affect iOS 14 and don't exist prior; it seems to work fine in iOS 13 without them.

You'll also need to configure your remote to enable CORS, including adding the origin defined by the scheme/hostname (e.g. app://localhost or foo://mydomain.com) in the cordova config.

This approach won't work for OP (Niklas) since his app doesn't know the domain of the remote at build time. For most of us, however, I think the issue with authentication cookies not persisting can be resolved by setting up AppBoundDomains and CORS.

This does NOT work out of the box, however, and I've created a GitHub issue for Cordova-ios to support AppBoundDomains, since I currently need to both modify my plist and opt in to AppBoundDomains after building cordova. That issue can be tracked here: https://github.com/apache/cordova-ios/issues/1088.

In addition, you'll need to set withCredentials: true on your XHR requests to enable cookies to be set/sent cross origin!

https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials

Kinda frustrating that this isn't all documented somewhere (cordova docs), but hopefully I've done that here. I hope you guys find this helpful, feel free to share successes/failures/questions to help others. Thanks all.

-- 
You are receiving this mail because:
You are the assignee for the bug.
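
The server side of the CORS setup described in comment #41, as an added example that is not part of the original comment or of Cordova. It shows the remote answering credentialed cross-origin requests (the ones sent with withCredentials: true) only for an explicit allowlist of app origins. ALLOWED_ORIGINS, corsHeaders and handle are hypothetical names, the two origins are the sample values from the comment, and the allowed methods and headers are assumptions.

```javascript
// Added example. Origins are the sample values from the comment; replace
// them with the scheme/hostname set in your own Cordova config.
const ALLOWED_ORIGINS = new Set(['app://localhost', 'foo://mydomain.com']);

// Returns the CORS response headers for a request, or null when the Origin
// is missing or not allowlisted.
function corsHeaders(origin, isPreflight) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  const headers = {
    // A credentialed request needs the exact origin echoed back; browsers
    // reject "*" when Access-Control-Allow-Credentials is true.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // The response differs per Origin, so caches must key on it.
    'Vary': 'Origin',
  };
  if (isPreflight) {
    headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
    headers['Access-Control-Allow-Headers'] = 'Content-Type';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Request handler with the (req, res) shape of Node's http module, e.g.
// require('http').createServer(handle).listen(8080).
// This API is assumed to be called only cross-origin from the app, so a
// request without an allowlisted Origin is refused outright.
function handle(req, res) {
  const isPreflight = req.method === 'OPTIONS';
  const headers = corsHeaders(req.headers.origin, isPreflight);
  if (!headers) {
    res.writeHead(403);
    return res.end();
  }
  if (isPreflight) {
    // Preflight carries no body and no cookies; answer with headers only.
    res.writeHead(204, headers);
    return res.end();
  }
  res.writeHead(200, { ...headers, 'Content-Type': 'application/json' });
  res.end(JSON.stringify({ ok: true }));
}
```

The allowlist is matched as an exact string, so a lookalike origin such as app://localhost.example does not pass.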