Feature Request: Support iOS App Bound Domains to enable CORS authentication cookies #1088

Closed
adamdport opened this issue Mar 3, 2021 · 15 comments · Fixed by #1249

adamdport commented Mar 3, 2021

Feature Request

Intelligent Tracking Prevention (ITP) is designed to block cross origin tracking. It seems like App-Bound Domains are the preferred way to establish communication with a remote server according to Cordova's own @NiklasMerz. I've managed to get my hybrid app working with authentication cookies, even with iframes and InAppBrowser, but only after setting AppBoundDomains in my app's plist and setting LimitsNavigationToAppBoundDomains. The feature request is for these settings to be configurable from Cordova's config.xml. Additionally, appBoundDomains and both scheme and hostname should be configurable via the CLI to aid in build automation to different environments, and the docs should be updated with at least a brief mention of what CORS is and how to configure it on a server.

Motivation Behind Feature

Any app using authentication cookies trying to switch from UIWebView to WKWebView will run into issues where cookies aren't being properly set by the authentication response. There is some confusion coming from @niklasmerz's webkit issue, because Niklas's app cannot configure the domains at buildtime. However, for any app that only needs to communicate with 10 or fewer domains (I'd imagine this is most hybrid apps), App Bound Domains offers a solution:

"The App-Bound Domains feature takes steps to preserve user privacy by limiting the domains on which an app can utilize powerful APIs to track users during in-app browsing. Applications that opt-in to this new feature can specify up to 10 “app-bound” domains"

I've managed to get my hybrid app working using AppBoundDomains, but it involves manually tweaking the Xcode project generated by Cordova after a build, which is not ideal.

Feature Description

If config.xml contains any appBoundDomains, add those to the plist generated during the iOS build, and set configuration.limitsNavigationsToAppBoundDomains = YES in CDVWebViewEngine.m.

Alternatives or Workarounds

There are efforts to bypass CORS restrictions altogether using a webview proxy, but this doesn't currently seem to work with iframes or InAppBrowser. There's also a request for comment in another GitHub issue, but that issue is closed, so I'm tagging it here: #922 (comment). It should also be noted that this only seems to be needed for iOS 14, since AppBoundDomains don't exist prior to that, and the app seems to work fine without it.
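
Added example, not part of the original issue and not cordova-ios code: a Node.js build-step helper for the plist half of the feature description above, writing a WKAppBoundDomains array into a generated Info.plist and refusing more than the 10 domains the WebKit post allows. The name setAppBoundDomains and the sample plist are assumptions made for illustration; the limitsNavigationsToAppBoundDomains setting in CDVWebViewEngine.m is not covered.

```javascript
// Added example: hypothetical build-step helper, not cordova-ios code.
const MAX_APP_BOUND_DOMAINS = 10; // limit stated in the WebKit post quoted above

// Bare hostname only (no scheme, port or path), e.g. "example1.com" or "app".
// Rejecting everything else also keeps XML metacharacters out of the plist.
const HOSTNAME = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$/i;

function setAppBoundDomains(plistXml, domains) {
  const unique = [...new Set(domains.map((d) => d.trim().toLowerCase()))];
  if (unique.length === 0) throw new Error('no app-bound domains given');
  if (unique.length > MAX_APP_BOUND_DOMAINS) {
    throw new Error(`more than ${MAX_APP_BOUND_DOMAINS} app-bound domains`);
  }
  for (const d of unique) {
    if (!HOSTNAME.test(d)) throw new Error(`not a bare hostname: ${d}`);
  }
  const entry =
    '\t<key>WKAppBoundDomains</key>\n\t<array>\n' +
    unique.map((d) => `\t\t<string>${d}</string>\n`).join('') +
    '\t</array>\n';
  // Remove an existing entry first so repeated builds give the same file.
  const stripped = plistXml.replace(
    /[ \t]*<key>WKAppBoundDomains<\/key>\s*<array>[\s\S]*?<\/array>[ \t]*\n?/,
    ''
  );
  // The last </dict> closes the root dictionary of an Info.plist.
  const end = stripped.lastIndexOf('</dict>');
  if (end === -1) throw new Error('plist has no root <dict>');
  return stripped.slice(0, end) + entry + stripped.slice(end);
}

// Constructed sample input, not a real project's Info.plist.
const SAMPLE_PLIST = [
  '<?xml version="1.0" encoding="UTF-8"?>',
  '<plist version="1.0">',
  '<dict>',
  '\t<key>CFBundleName</key>',
  '\t<string>DemoApp</string>',
  '</dict>',
  '</plist>',
  '',
].join('\n');

const patched = setAppBoundDomains(SAMPLE_PLIST, ['example1.com', 'Example2.org']);
console.log(patched);
```

Run from a Cordova after_prepare hook or a CI step, the same function can take a per-environment domain list, which is the build automation case the request describes.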

@adamdport
Author

I don't understand what changed, but my app is now working without requiring AppBoundDomains, so please take this feature request with a grain of salt. If you've arrived here and have an app running on cordova-ios@6 and have functional cross-origin cookies working with or without App Bound Domains, please leave a comment. Thanks.

@NiklasMerz
Member

@adamdport Did you update iOS (beta) or Xcode? I am just wondering if Apple changed something.

@adamdport
Author

No. macOS Catalina 10.15.7, iOS 14.4, Xcode 12.4. I had to uninstall/reinstall both my Cordova plugins and platforms to resolve an InAppBrowser issue. I didn't re-add the AppBoundDomains to my plist or add the LimitsNavigation code to the project, but yet my cookies seem to be syncing appropriately now. It's "nice" that I don't have to tweak the build for each environment anymore, but also terrifying that it suddenly started working. But I suppose if hostname matches the domain of my server, then it's supposed to work without opting into LimitsNavigationToAppBoundDomains, right?

@victorvhpg

victorvhpg commented Apr 7, 2021

Please fix these bugs.
iOS 14, cordova-ios 6+ don't store/send cookies.
We use an AWS load balancer that only uses cookies for the "sticky session" feature.
We need cookies to bind a user's session to a specific instance (AWS load balancer "sticky session" feature).

@victorvhpg

@adamdport any update?

@adamdport
Author

adamdport commented Apr 17, 2021

Nothing more than I've said. Did you set the hostname in cordova's config.xml so that it matches the domain of your backend, and set withCredentials:true on your XHR requests? (accidentally clicked the "close" button, sorry)

@adamdport adamdport reopened this Apr 17, 2021
@tymcdowell

@adamdport My app uses the cordova-plugin-ionic-webview and, until Xcode 12, all was good. My app does authentication with a 3rd party and now the cookie will not stick. I've changed the app to use App Bound Domains, but now I get an error on startup in the web console. It seems to be complaining about my index.html not being part of the domain list. Can you share how you whitelisted the main index file?

@adamdport
Author

@tymcdowell App Bound Domains don't restrict past the domain level. In other words, you can't whitelist index.html; you can only whitelist the domain that index.html is hosted under (e.g. yourdomain.com if your app is served from ionic://yourdomain.com; it looks like this is configured under the hostname preference according to the Ionic docs). These domains are added in your app's plist as documented here: https://webkit.org/blog/10882/app-bound-domains/

<plist version="1.0">
<dict>
<key>WKAppBoundDomains</key>
<array>
    <string>example1.com</string>
    <string>example2.org</string>
    ...
</array>
</dict>
</plist>

But to be clear I don't use Ionic so I can't say for sure whether it's working there.

@tymcdowell

My app isn't ionic either, but the plugin resolved some early issues with the transition from UIWebView to WKWebView. I did put the hostname I set for the app in the WKAppBoundDomains and it complains about the root index file which I assume would report running under that domain. Is your app a Cordova app? You don't use this plugin? I have no issue running against my own domain, it is just when I go outside of it, I experience issues with the cookies.

@adamdport
Author

My app is a cordova app, and no I don't use the plugin. As of 6.0.0 cordova-ios supports wkwebview without any plugins.

"I have no issue running against my own domain, it is just when I go outside of it, I experience issues with the cookies"

Are you saying cookies are working for one domain? If so, that's all I've been able to get working. My app only requires authentication with one backend. I was unsuccessful when I tried to authenticate to a different domain than my app was using. That is, if my app was hosted from app://domain1.com, it wouldn't persist cookies from domain2.com despite both being listed as app bound domains. I could only make it work if they matched. You could try the webview proxy plugin, I think the entire purpose of that plugin was to allow connecting with multiple domains.

@tymcdowell

Yes, as you mentioned, you can now set your domain in your app using either the ionic-wkwebview plugin or by using cordova-ios@6+. The latter has the WKWebView support built in as the default web view. Using WKWebView without the App Bound Domains works just fine as long as we're going against the domain defined as Hostname in config.xml. Our problem is embedding an iframe in the app for a third party vendor. HTML shows fine, but the cookie isn't stored once the user logs in via the iframe. My hope was that App Bound Domains would allow me to give iOS a list of domains that we need cookies for. The minute I turned on the app bound domains, it wouldn't go past loading JavaScript in the app's index file. It appears to me that the Cordova support for WKWebView is good, but it doesn't support having the App Bound Domains in addition to it. That is why I asked how you had managed to get App Bound Domains in a Cordova app to work.

Honestly, I was curious to see someone using the Cordova WkWebView along with App Bound Domains and I cannot find that online. If you are using both and it is working, I would love to get more info.

@tymcdowell

@adamdport I now understand your comment above - "I don't understand what changed, but my app is now working without requiring AppBoundDomains, so please take this feature request with a grain of salt. If you've arrived here and have an app running on cordova-ios@6 and have functional cross-origin cookies working with or without App Bound Domains, please leave a comment. Thanks."

It isn't the app bound domains that fixed it. It is the support for a custom domain name in cordova-ios@6+ allowing an app to identify as being served by X domain.

@cparki3

cparki3 commented Jun 4, 2021

Has there been any update on this? Has anyone been able to get this working with the webview proxy plugin? We are using ionic and we have a few domains we need to be able to access cookies from. Similar to @tymcdowell we have our store pages integrated in our app with iframes. Configuring the main wkwebview and adding the App Bound Domains does not work. The only thing that has worked so far is adding the "NSCrossWebsiteTrackingUsageDescription" to our plist which enables the manual settings toggle for our users. It's a terrible user experience though and we need an alternative.

@CWBudde

CWBudde commented Jun 23, 2021

While there are a few other workarounds for the problem (one domain only approach, wkwebview proxy, adding NSCrossWebsiteTrackingUsageDescription), I think it's still necessary to get access to this setting. That said, it's probably not just adding a few values to the plist file, but also accessing the limitsNavigationsToAppBoundDomains configuration.

With PR #1050 a pull request is already available to solve the configuration problem. So now, only a way to add values to the WKAppBoundDomains array within the plist file remains missing, I think.

Maybe something like

<preference name="AppBoundDomains">
	<param value="example1.com"/>
	<param value="example2.org"/>
</preference>

could be used. It won't be perfect, but at least it's possible to access this feature.

@swcha-here

We have a Cordova iOS app that requires the user to log in via an authentication service which sets some cookies that are used later for authentication and usage of certain services. Once the user is logged in, the user has the ability to navigate to pages within the same domain as well as to pages that host content from a different domain via the iframe tag. And before the content is loaded into the iframe, the user has to be authenticated again with the same service provider that set the cookies when the user first logged into the app. We are using cordova-plugin-custom-url-scheme so the http request url for InAppBrowser pages is in the format ://app. When the user clicks on a link within our app, a request is made to the external page and the content returned is displayed within the iframe, but before this happens the user has to be authenticated silently through cookies that were set earlier during the initial login to the app. This workflow was working fine prior to iOS 14+ but is not working any more. Since the domain from which pages are loaded in the iframe is different from the domain that hosts the iframes (i.e. 'app' in this case), ITP goes into effect and prevents access to authentication cookies that were set outside the parent page hosting the iframe. I'm looking for a workaround so the page hosted within the iframe from another domain has access to the cookies set in the parent context and the user is automatically logged in silently and content gets displayed within the iframe. I think App Bound Domains seemed to have worked well for some people to overcome ITP issues. So I added these entries in the info.plist file.

<key>WKAppBoundDomains</key>
<array>
    <string>app</string>
    <string>XYZ.com (domain of page hosted within the iframe)</string>
</array>

I have also added the code snippet below to the method createConfigurationFromSettings in the file CDVWebViewEngine.m

if (@available(iOS 14.0, *)) {
    configuration.limitsNavigationsToAppBoundDomains = true;
}

But I'm still having the same issue of an error being displayed when the user clicks on the link that opens up the page with an iframe hosting content from a web page from a different domain. The authentication step prior to navigating to the iframe url fails, most likely as authentication cookies set earlier are no longer accessible within the iframe. Can someone who has had a similar problem and was able to solve this problem please let me know what's missing?

@dpogue dpogue linked a pull request Aug 26, 2022 that will close this issue
@dpogue dpogue added this to the 7.0.0 milestone Jun 8, 2023