
Support for Secure Context #3418

Closed
tafelnl opened this issue Aug 13, 2020 · 8 comments

Comments

@tafelnl

tafelnl commented Aug 13, 2020

I am not sure if this is something that Capacitor is meaning to support, but I think it is missing a Secure Context (https://www.w3.org/TR/secure-contexts/#examples-top-level)

Why is this needed?

Imagine I want to set a Cookie to keep someone logged in. I do not want this Cookie to be accessible from JavaScript, so I'll have to set it from the server side (Cookie flag: HttpOnly;) (OWASP article).

Since the Cookie is being set from a server, the following Cookie flag needs to be set: SameSite=None; For SameSite to be able to have the value None the following Cookie flag needs to be set as well: Secure; (Chromium Blog). But since Capacitor's custom scheme is not considered a Secure Context, one will get the following error in the most recent version of Chrome:

This Set-Cookie has the "Secure" attribute but was not received over a secure connection.

[image: screenshot of the console warning]

This is not the only thing that relies on a secure context. The Contacts plugin for example requires one as well: StackOverflow

Is this something we can make a workaround for, or something Capacitor is planning to support?

@jcesarmobile
Member

Does it work if you set Capacitor scheme to https instead of using a custom scheme?

@tafelnl
Author

tafelnl commented Aug 17, 2020

I do not have access to a computer right now. But I am quite sure that that would work, as I have a working version of this concept on a website in production (https).

When I get access to a computer I will test it out. Are there any drawbacks to using https instead of a custom scheme? And does it work on both iOS and Android?

@jcesarmobile
Member

https will only work on Android

I don't think it has any drawbacks, custom schemes are not really recommended on Android

@jcesarmobile added the "needs reply" (needs reply from the user) label Aug 21, 2020
@Ionitron
Collaborator

It looks like this issue didn't get the information it needed, so I'll close it for now. If I made a mistake, sorry! I am just a bot.

Have a great day!
Ionitron 💙

@Ionitron removed the "needs reply" (needs reply from the user) label Sep 21, 2020
@tafelnl
Author

tafelnl commented Oct 9, 2020

@jcesarmobile

I am about to test this out. But I cannot find any documentation on how to use https://. Can you point me to it?

@jcesarmobile
Member

https://capacitorjs.com/docs/reference/config

Search for androidScheme

@tafelnl
Author

tafelnl commented Oct 9, 2020

Okay, so I made a few discoveries.

On Android, Chrome will accept the URL http://localhost as a Secure Context. So as long as your (API/server-side) domain has a valid SSL certificate, the following combination of cookie flags should just work: SameSite=None;Secure;HttpOnly;

On iOS however, cookies do not work at all (#1373 and #3537). Cookies which will only be handled from the server side (set through a header from the server side, and only read by the server) can be fixed by #3537 (comment). Client-side cookies however do not seem to have a solid workaround for now. I think this is a shame, this is a crucial feature. One workaround would be to use the cookie methods of the (not very well documented) https://github.com/capacitor-community/http.

@jcesarmobile can you maybe tell us anything about the intention of Ionic/Capacitor to tackle this issue?
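The two rules this thread keeps running into, modelled in code. This is an added example, not code from Capacitor or from anyone in the thread: it implements the W3C "potentially trustworthy origin" algorithm (https, wss, file, 127.0.0.0/8, ::1, localhost names) plus the Chromium behaviour that a scheme the browser has not registered yields an opaque origin, and then lints a Set-Cookie header against the constraints quoted above (SameSite=None requires Secure; Secure is only honoured when the response came over a secure connection). The cookie value and the API/app URLs are constructed; `capacitor://localhost` stands in for a custom-scheme WebView origin, and `uaSecureSchemes` is a hypothetical hook for schemes an embedding app has registered as secure.

```javascript
// Added example, not Capacitor code. Node 18+, no dependencies.
// Models (1) the W3C Secure Contexts "potentially trustworthy" check and
// (2) the Set-Cookie attribute rules discussed in this issue.

// Schemes that are secure on their own per the Secure Contexts spec.
const SECURE_SCHEMES = new Set(['https:', 'wss:', 'file:']);

// Schemes for which a Chromium-based WebView builds a tuple origin at all.
// Any other scheme (a custom app scheme, for instance) is an opaque origin
// unless the embedder registers it, and opaque origins are never trustworthy.
// Simplification: real browsers have a longer list (ftp, blob, ...).
const TUPLE_SCHEMES = new Set(['http:', 'https:', 'ws:', 'wss:', 'file:']);

// W3C Secure Contexts, "Is origin potentially trustworthy?".
// `uaSecureSchemes` (hypothetical) models schemes the embedding app has
// registered as secure; a stock WebView adds nothing here.
function isPotentiallyTrustworthy(urlString, uaSecureSchemes = new Set()) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparsable: treat as opaque origin
  }
  if (SECURE_SCHEMES.has(url.protocol) || uaSecureSchemes.has(url.protocol)) {
    return true;
  }
  if (!TUPLE_SCHEMES.has(url.protocol)) {
    return false; // unregistered custom scheme: opaque origin
  }
  const host = url.hostname; // WHATWG URL keeps the brackets on IPv6 hosts
  if (host === '[::1]') return true; // ::1/128
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true; // 127.0.0.0/8
  return (
    host === 'localhost' ||
    host === 'localhost.' ||
    host.endsWith('.localhost') ||
    host.endsWith('.localhost.')
  );
}

// Minimal Set-Cookie parser: name=value, then ;-separated attributes.
// Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
// valueless attributes (Secure, HttpOnly) are stored as `true`.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  if (eq <= 0) throw new Error('Set-Cookie must start with name=value');
  const attrs = new Map();
  for (const raw of rest) {
    const [k, ...v] = raw.trim().split('=');
    if (!k) continue;
    attrs.set(k.toLowerCase(), v.length ? v.join('=').trim() : true);
  }
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs };
}

// Applies the rules cited in the issue to a Set-Cookie received in a response
// from `responseUrl`. Errors mean the browser drops the cookie; warnings are
// things a session cookie should not do (readable from JavaScript).
function checkSetCookie(header, responseUrl, uaSecureSchemes = new Set()) {
  const cookie = parseSetCookie(header);
  const errors = [];
  const warnings = [];
  const sameSite = String(cookie.attrs.get('samesite') ?? 'Lax').toLowerCase();
  const secure = cookie.attrs.has('secure');

  if (sameSite === 'none' && !secure) {
    errors.push('SameSite=None requires the Secure attribute');
  }
  if (secure && !isPotentiallyTrustworthy(responseUrl, uaSecureSchemes)) {
    errors.push('This Set-Cookie has the "Secure" attribute but was not received over a secure connection');
  }
  if (!cookie.attrs.has('httponly')) {
    warnings.push('HttpOnly missing: cookie is readable from JavaScript');
  }
  return { name: cookie.name, accepted: errors.length === 0, errors, warnings };
}

// Constructed header: the server-set session cookie the reporter wants,
// usable cross-site from the app's WebView and hidden from JavaScript.
const SESSION_COOKIE = 'session=abc123; Path=/; HttpOnly; Secure; SameSite=None';

// Walks three constructed response URLs from the thread and returns the
// verdict for each, keyed by URL.
function runScenarios() {
  const urls = [
    'https://api.example.com/login', // API over TLS, as in the reporter's production site
    'capacitor://localhost/login',   // custom scheme: opaque origin, Secure cookie dropped
    'http://localhost/login',        // Android default scheme: localhost is trustworthy
  ];
  return Object.fromEntries(urls.map((u) => [u, checkSetCookie(SESSION_COOKIE, u)]));
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

The check is deliberately keyed on the URL the response was received from, not on the page's origin: a cookie set by a fetch to an https API passes, while the same header on a response served through an unregistered custom scheme reproduces the console message quoted above. Registering the scheme as secure in the WebView (the `uaSecureSchemes` hook) is what would flip that verdict, which is exactly what using `https` or `http://localhost` as the app scheme achieves.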

@ionitron-bot

ionitron-bot bot commented Nov 11, 2022

Thanks for the issue! This issue is being locked to prevent comments that are not relevant to the original issue. If this is still an issue with the latest version of Capacitor, please create a new issue and ensure the template is fully filled out.

@ionitron-bot ionitron-bot bot locked and limited conversation to collaborators Nov 11, 2022