Hi everyone

As some of you know, I spent a lot of time working with CORS and Intelligent 
Tracking Prevention (ITP) issues in WKWebView on cordova-ios. I would like to 
discuss if it would make sense to include something I built to make an app 
work around CORS and cookie limitations into the iOS platform. 

I am not sure if this should be in the platform or possibly better a (third) 
party plugin. Building it as a plugin would be tricky and not as nice as 
integrated into the platform. So let's discuss.

A little background: Last year with iOS 13 I finally got to switch to 
WKWebView. Like many users, I decided to use Ionic's WKWebView plugin, because it 
uses the WKURLSchemeHandler, which lets the app run on a custom scheme like 
app://myapp. This provides benefits for CORS issues etc. Now, about a year later, 
the WKURLSchemeHandler is part of cordova-ios, too, and I could switch back to 
Cordova's own WKWebView implementation. The custom scheme still does not solve 
all CORS-related issues, like talking to servers I do not control and that don't 
have the CORS-related headers. After discussing this with some people (huge 
thanks to jcesarmobile and erisu) I extended the WKURLSchemeHandler in the 
webview plugin to take requests to all URLs, do an HTTP request in native code, 
sync the cookie store and return the response. This way I can do normal fetch 
requests to the scheme handler's URL in JavaScript and get the response from the 
native code in Cordova without any CORS or third-party cookie restrictions.

Fast forward to today and iOS 14. WKWebView in iOS 14 started to block cookies 
to all third-party requests by default. This means that even requests like 
authorization requests with a proper CORS setup won't work as expected. Using 
my workaround we can still do authentication requests with cookies to our 
server and use fetch, embedded images etc. as expected. We just have to add a 
prefix to the URLs. Some background in this WebKit bug: 
https://bugs.webkit.org/show_bug.cgi?id=213510

I hope this long story explains why it is like it is and why it's useful :-)

So this thing I just called "the proxy" solves a number of CORS and cookie/ITP-related 
issues. I finally got around to integrating it into the iOS platform and 
did the PR: https://github.com/apache/cordova-ios/pull/1004

I appreciate any code reviews/comments on the PR. Do we have any reasons to not 
include it into the platform? Any security or privacy concerns? Let me know.

I might try to do it as a plugin, but then I would have to figure out how to 
change the scheme handler and set it at runtime in the plugin's scope?

Kind regards
Niklas
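
On the security question raised in the message above: a proxy that returns cross-origin responses, with cookies attached, to any script running in the webview can be limited by checking the upstream host before the native code forwards a request. The following is an added example, not code from the post or from the cordova-ios PR; the check is sketched in JavaScript so it can be run, and the `/_proxy_/` prefix and the host allowlist are hypothetical, since the message does not name the real prefix.

```javascript
// Added example; not from the cordova-ios PR. PROXY_PREFIX and ALLOWED_HOSTS
// are hypothetical values chosen for illustration.
const PROXY_PREFIX = '/_proxy_/';                    // assumed URL prefix
const ALLOWED_HOSTS = new Set(['api.example.com']);  // constructed allowlist

// Decide whether a request that reached the scheme handler may be forwarded
// upstream. Returns { ok: true, target } or { ok: false, reason }.
function resolveProxyTarget(requestUrl) {
  let outer;
  try {
    outer = new URL(requestUrl);
  } catch {
    return { ok: false, reason: 'unparseable request URL' };
  }
  if (!outer.pathname.startsWith(PROXY_PREFIX)) {
    return { ok: false, reason: 'not a proxy request' };
  }
  // Everything after the prefix is the upstream URL, query string included.
  const raw = requestUrl.slice(
    requestUrl.indexOf(PROXY_PREFIX) + PROXY_PREFIX.length);
  let target;
  try {
    target = new URL(raw);
  } catch {
    return { ok: false, reason: 'unparseable target URL' };
  }
  // Cookies are synced onto the native request, so require TLS.
  if (target.protocol !== 'https:') {
    return { ok: false, reason: 'target must be https' };
  }
  // "https://allowed-host@other-host/" parses with other-host as the host;
  // reject userinfo outright instead of relying on readers spotting that.
  if (target.username || target.password) {
    return { ok: false, reason: 'credentials in URL' };
  }
  // URL.hostname is already lower-cased, so the comparison is exact.
  if (!ALLOWED_HOSTS.has(target.hostname)) {
    return { ok: false, reason: 'host not on allowlist' };
  }
  return { ok: true, target: target.href };
}
```

The decision has to be made in the native handler to be effective; a check that runs only in the page's JavaScript can be skipped by whatever script is running there.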
