Lockdown Mode on Apple devices blocks access to the DB API #44

Open
EISSeuropa opened this issue Apr 1, 2024 · 4 comments

Comments

@EISSeuropa

When accessing the web page from an iOS or macOS device on Lockdown Mode, the following error displays:

IndexedDB API missing. Please visit Dexie.MissingAPIError

This is to be expected, considering it's the purpose of Lockdown to prevent unwanted code execution and file access.
Disabling Lockdown either system-wide or for that website exclusively allows the page to work again.

Tested on iOS 17.1 and macOS 14.4.1, with both Safari (19618.1.15.11.14) and Safari Tech Preview Release 191 (Safari 17.4, WebKit 19619.1.6.3).

Impact: High (webpage unusable under these circumstances)
Likelihood: Low (Lockdown Mode is an extreme security measure mostly used by the infosec community and potential target profiles only)
Overall severity: Minor (can easily be circumvented by disabling Lockdown)

Action recommended: Document the issue and make not having Lockdown Mode activated a requirement for using the PWA.

@ThiefMaster
Member

Maybe showing a warning in the app that lockdown mode needs to be disabled would be the best option? Is there a reliable way to detect this?

@EISSeuropa
Author

EISSeuropa commented Apr 1, 2024

There are ways to detect LM, which is not great privacy-wise actually.
But maybe it would be better to detect and warn that the affected web feature is disabled. Which one exactly, I'm not sure, maybe several:

lockdown-mode-disable

EDIT: Source: https://blacktop.github.io/presentations/0x41con_2023/HTML/index.html#0

@tomasr8
Member

tomasr8 commented Apr 1, 2024

Agreed, if we can detect the specific Dexie error, we should show a warning in the app.
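
One way to implement the warning discussed in this thread, as an added example (not part of the thread and not the project's code): it reacts to the missing IndexedDB feature and to the `MissingAPIError` name from Dexie instead of trying to identify Lockdown Mode itself. The function names, the warning text and the sample error objects are assumptions.

```javascript
// Added example. Function names here are hypothetical, not the project's code.
const LOCKDOWN_HINT =
  'This browser does not expose IndexedDB, so the app cannot store its data. ' +
  'On Apple devices this happens in Lockdown Mode; it can be turned off ' +
  'for this website only.';

// Probe only the API the app needs. A getter may throw in restricted
// contexts, so treat an exception the same as "not available".
function hasIndexedDB(scope) {
  try {
    const idb = scope.indexedDB;
    return idb != null && typeof idb.open === 'function';
  } catch (_) {
    return false;
  }
}

// Dexie errors expose `name`; a wrapping error keeps its cause in `inner`.
// Walk a bounded chain so a cyclic `inner` cannot loop forever.
function classifyStorageFailure(err, scope) {
  for (let e = err, depth = 0; e && depth < 5; e = e.inner, depth += 1) {
    if (e.name === 'MissingAPIError') return 'indexeddb-missing';
  }
  // Fall back to the probe: the failure may come from a different code path.
  return hasIndexedDB(scope) ? 'unknown' : 'indexeddb-missing';
}

// `openDb` is whatever opens the database (for Dexie, () => db.open()).
// Unknown failures are re-thrown so real bugs are not hidden by the warning.
async function openWithWarning(openDb, scope, showWarning) {
  if (!hasIndexedDB(scope)) {
    showWarning(LOCKDOWN_HINT);
    return null;
  }
  try {
    return await openDb();
  } catch (err) {
    if (classifyStorageFailure(err, scope) !== 'indexeddb-missing') throw err;
    showWarning(LOCKDOWN_HINT);
    return null;
  }
}

// Constructed sample errors shaped like Dexie's (name / message / inner).
const sampleMissing = { name: 'MissingAPIError', message: 'IndexedDB API missing.' };
const sampleWrapped = { name: 'OpenFailedError', inner: sampleMissing };
const sampleOther = { name: 'QuotaExceededError', message: 'constructed' };
```

Because the check keys on the storage feature rather than on Lockdown Mode, the same warning also covers any other browser configuration that removes IndexedDB.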

@EISSeuropa
Author

It is also highly likely that people that would be affected would be aware of the issue. People that use LM are either tech-savvy or sensitised to the usability issues of activating LM. It's a niche demographic.
