Hi,
I desperately need this for the non-profit WeVote Voter Guide app
<https://wevote.us/welcome>. Please add your change to cordova IOS, it
seems like a core feature for IOS 14 to me.
Thanks,
Steve Podell
We Vote
On 10/7/20 8:18 AM, Niklas Merz wrote:
Hi everyone
As some of you know I spent a lot of time working with CORS and Intelligent
Tracking Prevention (ITP) issues in WKWebView on cordova-ios. I would like to
discuss if it would make sense to include something, I built to make an app
work around CORS and cookie limitations, into the iOS platform.
I am not sure if this should be in the platform or possibly better a (third)
party plugin. Building it as a plugin would be tricky and not as nice as
integrated into the platform. So let's discuss.
A little background: Last year with iOS 13 I finally got to switch to
WKWebView. As many users I decided to use Ionics WKWebView plugin, because it
uses the WKWUrlSchemeHandler which lets the app run on a custom scheme like
app://myapp. This provides benefits for CORS issues etc. Now about a year later
the WKUrlSchemeHandler is part of cordova-ios, too and I could switch back to
Cordovas own WKWebView implementation. The custom scheme still does not solve
all CORS related issues like talking to server I do not control and that don't
have the CORS related headers. After discussing this with some people (huge
thanks to jcesarmobile and erisu) I extended the WKUrlSchemeHandler in the
webview plugin to take requests to all URLs, do an HTTP request in native code,
sync the cookie store and return the response. This way I can do normal fetch
requests to the schemehandlers URL in JavaScript and get the response from the
native code in Cordova without any CORS or third party cookie restrictions.
Fast forward to today and iOS 14. WKWebView in iOS 14 started to block cookies
to all third party requests by default. This means that even requests like
authorization requests with a proper CORS setup won't work as expected. Using
my workaround we can still do authentication requests with cookies to our
server and use fetch, embedded images etc like expected. We just have to add a
prefix to the URLs. Some background in this Webkit Bug:
https://bugs.webkit.org/show_bug.cgi?id=213510
I hope this long story explains why it is like it is and why it's useful :-)
So this thing I just called "the proxy" solves a number of CORS, cookie/ITP
related issues. I finally got around to integrate it into the iOS platform and did the
PR: https://github.com/apache/cordova-ios/pull/1004
I appreciate any code reviews/comments on the PR. Do we have any reasons to not
include it into the platform? Any security or privacy concerns? Let me know.
I might try to do it as a plugin, but then I would have to figure out how to
change the schemehandler and set it at runtime in the plugins scope?
Kind regards
Niklas
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org
For additional commands, e-mail: dev-h...@cordova.apache.org
