Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Add LimitsNavigationsToAppBoundDomains configuration key #1249

Merged
merged 3 commits into from Jun 8, 2023
Merged

feat: Add LimitsNavigationsToAppBoundDomains configuration key #1249

merged 3 commits into from Jun 8, 2023

Conversation

gazben
Copy link
Contributor

@gazben gazben commented Aug 26, 2022
edited

Platforms affected

IOS

Motivation and Context

Currently there is no option to set the limitsNavigationsToAppBoundDomains attribute from the config.xml. If you want to use cookie authentication or browser APIs you want to set this to YES.

Official documentation: https://webkit.org/blog/10882/app-bound-domains/

Description

This changeset is copied from this tutorial: https://www.ryseapp.io/blog/engineering/step-by-step-guide-to-setup-and-configure-cordova-for-ios-and-android-to-load-a-hosted-react-app

Testing

Tested on multiple simulator instances and and physical hardware. Without it the cookie authentication for a single domain will not work. After I add this change the authentication works.

Checklist

  • I've run the tests to see all new and existing tests pass
  • I added automated test coverage as appropriate for this change
  • Commit is prefixed with (platform) if this change only applies to one platform (e.g. (android))
  • If this Pull Request resolves an issue, I linked to the issue in the text above (and used the correct keyword to close issues using keywords)
  • I've updated the documentation if necessary

@gazben
Copy link
Contributor Author

gazben commented Aug 26, 2022

I don't know how can I write a test for this honestly.

@dpogue dpogue linked an issue Aug 26, 2022 that may be closed by this pull request
Feature Request: Support iOS App Bound Domains to enable CORS authentication cookies #1088
Closed
@dpogue
Copy link
Member

dpogue commented Aug 26, 2022

Thanks for the pull request! You probably want to target this to the master branch though.

I think app-bound domains are definitely something we want to support in cordova-ios, particularly because it will enable easier access to a bunch of APIs, as you mentioned.

However, I think for this to work, it will also need to populate the WKAppBoundDomains array in the application's Info.plist file with a list of domains. The blog post you linked is using config-file directives in config.xml to inject the domains they want into the WKAppBoundDomains list, but it probably makes sense to try to automatically populate that from a combination of the hostname value, access tags, and allow-navigation tags. I believe any communication with domains not listed will be blocked.

@codecov-commenter
Copy link

codecov-commenter commented Aug 26, 2022
edited

Codecov Report

Merging #1249 (aac88bc) into master (4efd400) will increase coverage by 3.73%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #1249      +/-   ##
==========================================
+ Coverage   74.88%   78.62%   +3.73%     
==========================================
  Files          13       15       +2     
  Lines        1724     1773      +49     
==========================================
+ Hits         1291     1394     +103     
+ Misses        433      379      -54

see 28 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@gazben
Copy link
Contributor Author

gazben commented Aug 29, 2022
edited

You can only list 10 WKAppBoundDomains in your config file. I think if we automatically merge the hostname, allow-navigation etc... We can hit this limit pretty quickly, and I don't know what should we do if we hot this limit.

You are right navigating to a not set domain will trigger an error:

Setting this flag indicates to WebKit that a WKWebView will only navigate to app-bound domains. Once set, any attempt to navigate away from an app-bound domain will fail with the error: “App-bound domain failure.”

I can create a separete merge request for the master but I think it would be better to just provide this option to users so they don't have to resort to manual patching or forking the project. This flag is an optional thing even for native projects.

@bryan-hunter
Copy link

Platforms affected

IOS

Motivation and Context

Currently there is no option to set the limitsNavigationsToAppBoundDomains attribute from the config.xml. If you want to use cookie authentication or browser APIs you want to set this to YES.

Official documentation: https://webkit.org/blog/10882/app-bound-domains/

Description

This changeset is copied from this tutorial: https://www.ryseapp.io/blog/engineering/step-by-step-guide-to-setup-and-configure-cordova-for-ios-and-android-to-load-a-hosted-react-app

Testing

Tested on multiple simulator instances and and physical hardware. Without it the cookie authentication for a single domain will not work. After I add this change the authentication works.

Checklist

  • I've run the tests to see all new and existing tests pass
  • I added automated test coverage as appropriate for this change
  • Commit is prefixed with (platform) if this change only applies to one platform (e.g. (android))
  • If this Pull Request resolves an issue, I linked to the issue in the text above (and used the correct keyword to close issues using keywords)
  • I've updated the documentation if necessary

Thanks for adding this @gazben ! I'm not sure why I didn't contribute this back here and just put it in the blog post, but you're being a better open source contributor than me :)

@gazben
Copy link
Contributor Author

gazben commented Apr 19, 2023

@ochakov Can you merge this, or who should I contact?

@ochakov
Copy link

ochakov commented Apr 19, 2023

@ochakov Can you merge this, or who should I contact?

I don't have merge permissions, I know @breautek can merge and some others. Would be really helpful if they do!

@dpogue dpogue mentioned this pull request May 17, 2023
Closed
5 tasks
@dpogue dpogue changed the base branch from 6.2.x to master May 17, 2023 13:34
@dpogue dpogue added this to the 7.0.0 milestone May 17, 2023
erisu
erisu reviewed Jun 6, 2023
View reviewed changes
CordovaLib/cordova.js Outdated Show resolved Hide resolved
@gazben @erisu
Revert CordovaLib/cordova.js
aac88bc 
Co-authored-by: エリス <erisu@users.noreply.github.com>
@gazben
Copy link
Contributor Author

gazben commented Jun 8, 2023

Sorry, reverted.

@erisu erisu changed the title (ios) Add LimitsNavigationsToAppBoundDomains configuration key feat: Add LimitsNavigationsToAppBoundDomains configuration key Jun 8, 2023
dpogue
dpogue approved these changes Jun 8, 2023
View reviewed changes
Copy link
Member

@dpogue dpogue left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good to me as a stepping stone to exploring the full potential app-bound domains.

For now, this will allow people to turn on app-bound domains, and they can use edit-config in config.xml to add domains to their Info.plist file. In the future we can explore whether it makes sense to automatically populate app-bound domains from access/allow-navigation/allow-intent tags, but I don't think we have enough information about the exact behaviour of app-bound domains to make that call yet.

@gazben
Copy link
Contributor Author

gazben commented Jun 8, 2023

As an FYI I've been using this change in production for half a year now (~2k users) no problems reported yet. My comment still stands from earlier, that I don't think that the automatic population is feasible because of the heavy size limitation.

@bryan-hunter
Copy link

As an FYI I've been using this change in production for half a year now (~2k users) no problems reported yet. My comment still stands from earlier, that I don't think that the automatic population is feasible because of the heavy size limitation.

Same here 👍

@dpogue dpogue merged commit c43a159 into apache:master Jun 8, 2023
9 checks passed
@dpogue
Copy link
Member

dpogue commented Jun 8, 2023

Thanks @gazben for the contribution! 🎉

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dpogue dpogue dpogue approved these changes

@erisu erisu erisu approved these changes

@ochakov ochakov ochakov approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
7.0.0
Development

Successfully merging this pull request may close these issues.

Feature Request: Support iOS App Bound Domains to enable CORS authentication cookies
7 participants
@gazben @dpogue @codecov-commenter @bryan-hunter @ochakov @erisu @NiklasMerz