
Third party cookies and cross origin resource sharing in webviews #15

Closed
NiklasMerz opened this issue May 25, 2022 · 3 comments

Comments

@NiklasMerz
Member

NiklasMerz commented May 25, 2022

Use case name

Third party cookies and cross origin resource sharing in webviews

Submitter(s)

Niklas Merz

Motivation

I worked many years on a hybrid mobile application which uses a webview to show local web content but needs cookie authentication to communicate with a backend server.
There are many apps like this built with frameworks like Apache Cordova or Capacitor for the mobile platforms. App developers commonly face challenges implementing CORS or third party cookies.

Local content usually gets served from the file: protocol, but this origin has gotten more restrictive in the last few years. More standardized APIs could make app developers' lives easier.

This is strongly related to the question What is an origin?.

Stakeholders

Browser vendors & webview providers: Apple, Google

End user: Easier implementation of common use cases and fewer workarounds

Analysis

APIs for special origins: WebViewAssetLoader, WKURLSchemeHandler

APIs provided by Android and iOS allow app or framework developers some customization of the origin of local web content. The capabilities on both platforms differ a lot and force developers to find compromises and workarounds. For example, iOS allows you to use a custom scheme, but Android only allows using http or https, which iOS prohibits.

SameSite, Intelligent Tracking Prevention (ITP), AppBoundDomains

Privacy related cookie blocking features can lead to blocked authentication cookies. For example, iOS' webview WKWebView started blocking third party cookies. For apps using a local origin and XHR or fetch requests to backend servers, this can be very problematic.

iOS introduced AppBoundDomains to create kind of an allow list for domains set at build time. If apps could add domains at runtime and more webviews (Android) would support it, this could benefit app developers.

Related W3C deliverables and/or work items

How is the issue solved in the Browser, and what more is needed?

Browsers increasingly block third party cookies to protect the users' privacy. Webviews are sometimes used differently because they can serve web content from within the application.
In this case they could get more freedom to communicate with other sites (CORS).
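
Added example, not part of the original issue or of any framework's code: a sketch of the backend side of the setup described above, deciding which webview origins may make credentialed CORS requests and how the authentication cookie is marked. The `app://localhost` scheme, the function names and the sample origins are assumptions for illustration; `appassets.androidplatform.net` is the default domain of Android's WebViewAssetLoader.

```javascript
// Added illustration: backend CORS decision for credentialed requests
// coming from web content hosted inside a webview.
// ASSUMPTION: the allow-listed origins are examples, not taken from the issue.
const ALLOWED_APP_ORIGINS = new Set([
  "https://appassets.androidplatform.net", // WebViewAssetLoader default domain
  "app://localhost",                       // hypothetical WKURLSchemeHandler scheme
]);

// Returns the CORS response headers for a given request Origin header.
function corsHeadersFor(originHeader) {
  // Vary: Origin keeps caches from replaying one origin's grant to another.
  const headers = { Vary: "Origin" };
  // file: pages have an opaque origin and send the literal string "null".
  // Sandboxed iframes send it too, so "null" must never be granted
  // credentialed access.
  if (typeof originHeader !== "string" || originHeader === "null") return headers;
  // Exact string match only: no prefix, suffix or pattern matching.
  if (!ALLOWED_APP_ORIGINS.has(originHeader)) return headers;
  // Credentialed CORS needs the exact origin echoed back; "*" is rejected
  // by the client when cookies are included.
  headers["Access-Control-Allow-Origin"] = originHeader;
  headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Builds the Set-Cookie value for an authentication cookie that has to
// travel on cross-site fetch/XHR calls. SameSite=None requires Secure.
// The webview's own tracking prevention may still block the cookie.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=None`;
}

// Constructed sample Origin header values.
const samples = [
  "app://localhost",
  "https://appassets.androidplatform.net",
  "null",
  "https://appassets.androidplatform.net.attacker.example",
];
for (const origin of samples) {
  console.log(origin, "->", JSON.stringify(corsHeadersFor(origin)));
}
console.log(sessionCookie("sid", "constructed-session-id"));
```

The client side of such a request has to opt in as well, with `credentials: "include"` on `fetch` or `withCredentials = true` on XHR.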

@QingAn
Contributor

QingAn commented Jun 7, 2022

As discussed in the 2022-05-25 meeting, we need to firstly discuss the origin issue for the WebView, which is in #7

@NiklasMerz
Member Author

This basically consists of two parts. Part one is exactly issue #7 about the origin for content. Part two is about using cookies within the context of locally hosted web content. SameSite, tracking prevention, app bound domains etc. come into play there. But we should focus on #7 first and put this in the backlog as this issue might be very specific.

@QingAn QingAn added the Agenda+ label Jun 15, 2022
@QingAn
Contributor

QingAn commented Jul 7, 2022

As discussed in the 2022-07-06 meeting, we focus on #7 and close this issue
