Feature Request: Support iOS App Bound Domains to enable CORS authentication cookies #1088
Comments
I don't understand what changed, but my app is now working without requiring AppBoundDomains, so please take this feature request with a grain of salt. If you've arrived here and have an app running on |
@adamdport Did you update iOS (beta) or Xcode? I am just wondering if Apple changed something. |
No. macOS Catalina 10.15.7, iOS 14.4, Xcode 12.4. I had to uninstall/reinstall both my cordova plugins and platforms to resolve an InAppBrowser issue. I didn't re-add the AppBoundDomains to my plist or add the LimitsNavigation code to the project, but yet my cookies seem to be syncing appropriately now. It's "nice" that I don't have to tweak the build for each environment anymore, but also terrifying that it suddenly started working. But I suppose if |
please fix these bugs. |
@adamdport any update? |
Nothing more than I've said. Did you set the |
@adamdport My app uses the cordova-plugin-ionic-webview and, until Xcode 12, all was good. My app does authentication with a 3rd party and now the cookie will not stick. I've changed the app to use App Bound Domains, but now I get an error on startup in the web console. It seems to be complaining about my index.html not being part of the domain list. Can you share how you whitelisted the main index file? |
@tymcdowell App Bound Domains don't restrict past the domain level. In other words, you can't whitelist index.html; you can only whitelist the domain that index.html is hosted under (e.g. yourdomain.com if your app is served from ionic://yourdomain.com, looks like this is configured under the
But to be clear I don't use Ionic so I can't say for sure whether it's working there. |
My app isn't ionic either, but the plugin resolved some early issues with the transition from UIWebView to WKWebView. I did put the hostname I set for the app in the WKAppBoundDomains and it complains about the root index file which I assume would report running under that domain. Is your app a Cordova app? You don't use this plugin? I have no issue running against my own domain, it is just when I go outside of it, I experience issues with the cookies. |
My app is a cordova app, and no I don't use the plugin. As of 6.0.0 cordova-ios supports wkwebview without any plugins.
Are you saying cookies are working for one domain? If so, that's all I've been able to get working. My app only requires authentication with one backend. I was unsuccessful when I tried to authenticate to a different domain than my app was using. That is, if my app was hosted from app://domain1.com, it wouldn't persist cookies from domain2.com despite both being listed as app bound domains. I could only make it work if they matched. You could try the webview proxy plugin, I think the entire purpose of that plugin was to allow connecting with multiple domains. |
Yes, as you mentioned, you can now set your domain in your app using either the ionic-wkwebview plugin or by using cordova-ios@6+. The latter has the wkwebview support built in as the default web view. Using WKWebView without the App Bound Domains works just fine as long as we're going against the domain defined as Hostname in config.xml. Our problem is embedding an iframe in the app for a third party vendor. HTML shows fine, but the cookie isn't stored once the user logs in via the iframe. My hope was that App Bound Domains would allow me to give iOS a list of domains that we need cookies for. The minute I turned on the app bound domains, it wouldn't go past loading JavaScript in the app's index file. It appears to me that the Cordova support for WKWebView is good, but it doesn't support having the App Bound Domains in addition to it. That is why I asked how you had managed to get App Bound Domains in a Cordova app to work. Honestly, I was curious to see someone using the Cordova WKWebView along with App Bound Domains and I cannot find that online. If you are using both and it is working, I would love to get more info. |
@adamdport I now understand your comment above - "I don't understand what changed, but my app is now working without requiring AppBoundDomains, so please take this feature request with a grain of salt. If you've arrived here and have an app running on cordova-ios@6 and have functional cross-origin cookies working with or without App Bound Domains, please leave a comment. Thanks." It isn't the app bound domains that fixed it. It is the support for a custom domain name in cordova-ios@6+ allowing an app to identify as being served by X domain. |
Has there been any update on this? Has anyone been able to get this working with the webview proxy plugin? We are using ionic and we have a few domains we need to be able to access cookies from. Similar to @tymcdowell we have our store pages integrated in our app with iframes. Configuring the main wkwebview and adding the App Bound Domains does not work. The only thing that has worked so far is adding the "NSCrossWebsiteTrackingUsageDescription" to our plist which enables the manual settings toggle for our users. It's a terrible user experience though and we need an alternative. |
While there are a few other workarounds for the problem (one domain only approach, wkwebview proxy, adding NSCrossWebsiteTrackingUsageDescription), I think it's still necessary to get access to this setting. This said, it's probably not just adding a few values to the plist file, but also accessing the With PR #1050 a pull request is already available to solve the configuration problem. So now, only a way to add values to the WKAppBoundDomains array within the plist file remains missing, I think. Maybe something like
could be used. It won't be perfect, but at least it's possible to access this feature. |
We have a cordova ios app that requires user to log in via an authentication service which sets some cookies that are used later for authentication and usage of certain services. Once user is logged in, user has the ability to navigate to pages within the same domain as well as to pages that host content from a different domain via the iframe tag. And before the content is loaded into the iframe user has to be authenticated again with the same service provider that set the cookies when user first logged into the app. We are using cordova-plugin-custom-url-scheme so the http request url for inappbrowser pages is in the format ://app. When user clicks on a link within our app a request is made to the external page and the content returned is displayed within the iframe but before this happens user has to be authenticated silently through cookies that were set earlier during the initial login to the app. This workflow was working fine prior to iOS 14+ but not working any more. Since the domain from which pages are loaded in the iframe is different from the domain that hosts the iframes (i.e. 'app' in this case) ITP goes into effect and prevents access to authentication cookies that were set outside the parent page hosting the iframe. I'm looking for a workaround so the page hosted within the iframe from another domain has access to the cookies set in the parent context and user is automatically logged in silently and content gets displayed within the iframe. I think App Bound Domains seemed to have worked well for some people to overcome ITP issues. So I added these entries in info.plist file.
I have also added the code snippet below to the method createConfigurationFromSettings in the file CDVWebViewEngine.m
But I'm still having the same issue of an error being displayed when user clicks on the link that opens up the page with an iframe hosting content from a web page from a different domain. The authentication step prior to navigating to iframe url fails most likely as authentication cookies set earlier are no longer accessible within the iframe. Can someone who has had a similar problem and who was able to solve this problem please let me know what's missing? |
Feature Request
Intelligent Tracking Prevention (ITP) is designed to block cross origin tracking. It seems like App-Bound Domains are the preferred way to establish communication with a remote server according to Cordova's own @NiklasMerz. I've managed to get my hybrid app working with authentication cookies, even with iframes and InAppBrowser, but only after setting AppBoundDomains in my app's plist and setting LimitsNavigationToAppBoundDomains. The feature request is for these settings to be configurable from Cordova's config.xml. Additionally, appBoundDomains and both scheme and hostname should be configurable via the CLI to aid in build automation to different environments, and the docs should be updated with at least a brief mention of what CORS is and how to configure it on a server.
Motivation Behind Feature
Any app using authentication cookies trying to switch from UIWebView to WKWebView will run into issues where cookies aren't being properly set by the authentication response. There is some confusion coming from @niklasmerz's webkit issue, because Niklas's app cannot configure the domains at buildtime. However, for any app that only needs to communicate with 10 or fewer domains (I'd imagine this is most hybrid apps), App Bound Domains offers a solution:
I've managed to get my hybrid app working using AppBoundDomains, but it involves manually tweaking the Xcode project generated by cordova after a build, which is not ideal.
Feature Description
If config.xml contains any appBoundDomains, add those to the plist generated during the iOS build, and set configuration.limitsNavigationsToAppBoundDomains = YES in CDVWebViewEngine.m.
Alternatives or Workarounds
There are efforts to bypass CORS restrictions altogether using a webview proxy but this doesn't currently seem to work with iframes or inappbrowser. There's also a request for comment in another GitHub issue, but that issue is closed, so I'm tagging it here: #922 (comment). It should also be noted that this only seems to be needed for iOS 14, since AppBoundDomains don't exist prior to that, and the app seems to work fine without it.
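The plist half of the Feature Description above, sketched as a build step. This is an added example, not part of the original issue and not cordova-ios code; the `AppBoundDomains` preference name in config.xml, the function names and the sample inputs are assumptions made for illustration. It covers only the WKAppBoundDomains array, not the change in CDVWebViewEngine.m.

```javascript
// Added example: hypothetical build step, not cordova-ios code.
const MAX_APP_BOUND_DOMAINS = 10; // the issue speaks of "10 or fewer domains"

// Reads a comma-separated list from a hypothetical config.xml preference.
function readAppBoundDomains(configXml) {
  const m = /<preference\s+name="AppBoundDomains"\s+value="([^"]*)"/i.exec(configXml);
  if (!m) return [];
  const raw = m[1].split(',').map((d) => d.trim().toLowerCase()).filter(Boolean);
  const domains = [...new Set(raw)];
  for (const d of domains) {
    // Entries are matched at the domain level: refuse schemes, ports and paths.
    if (!/^[a-z0-9-]+(\.[a-z0-9-]+)*$/.test(d)) {
      throw new Error(`not a bare domain: ${d}`);
    }
  }
  if (domains.length > MAX_APP_BOUND_DOMAINS) {
    throw new Error(`${domains.length} domains listed, limit is ${MAX_APP_BOUND_DOMAINS}`);
  }
  return domains;
}

// Inserts or replaces the WKAppBoundDomains array in an Info.plist XML string.
function applyToPlist(plistXml, domains) {
  const existing = /\s*<key>WKAppBoundDomains<\/key>\s*<array>[\s\S]*?<\/array>/;
  const cleaned = plistXml.replace(existing, '');
  if (domains.length === 0) return cleaned;
  const end = cleaned.lastIndexOf('</dict>');
  if (end === -1) throw new Error('Info.plist has no top-level <dict>');
  const entry = '\t<key>WKAppBoundDomains</key>\n\t<array>\n' +
    domains.map((d) => `\t\t<string>${d}</string>\n`).join('') + '\t</array>\n';
  return cleaned.slice(0, end) + entry + cleaned.slice(end);
}

// Constructed sample inputs.
const SAMPLE_CONFIG = `<widget id="com.example.demo">
  <preference name="AppBoundDomains" value="app.example.com, auth.example.com" />
</widget>`;
const SAMPLE_PLIST = `<plist version="1.0">
<dict>
\t<key>CFBundleName</key>
\t<string>Demo</string>
</dict>
</plist>`;

console.log(applyToPlist(SAMPLE_PLIST, readAppBoundDomains(SAMPLE_CONFIG)));
```

Re-running the step replaces the existing array instead of appending a second one, so it is safe to call on every build.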