WebView-CG / usage-and-challenges

Documenting usage scenarios for WebView and the challenges they create
https://webview-cg.github.io/usage-and-challenges/

Third party cookies and cross origin resource sharing in webviews #15

Closed NiklasMerz closed 2 years ago

NiklasMerz commented 2 years ago

Use case name

Third party cookies and cross origin resource sharing in webviews

Submitter(s)

Niklas Merz

Motivation

I worked many years on a hybrid mobile application which uses a webview to show local web content but needs cookie authentication to communicate with a backend server. There are many apps like this built with frameworks like Apache Cordova or Capacitor for the mobile platforms. App developers commonly face challenges implementing CORS or third-party cookies.

Local content usually gets served from the file: protocol, but this origin has gotten more restrictive in the last few years. More standardized APIs could make app developers' lives easier.

This is strongly related to the question "What is an origin?".

Stakeholders

Browser vendors & webview providers: Apple, Google

End user: Easier implementation of common use cases and fewer workarounds

Analysis

APIs for special origins: WebViewAssetLoader, WKURLSchemeHandler

APIs provided by Android and iOS allow app or framework developers some customization of the origin of local web content. The capabilities on both platforms differ a lot and force developers to find compromises and workarounds. For example, iOS allows you to use a custom scheme, but Android only allows using http or https, which iOS prohibits.

SameSite, Intelligent Tracking Prevention (ITP), AppBoundDomains

Privacy-related cookie blocking features can lead to blocked authentication cookies. For example, iOS' webview WKWebView started blocking third-party cookies. For apps using a local origin and XHR or fetch requests to backend servers, this can be very problematic.

iOS introduced AppBoundDomains to create a kind of allow list for domains set at build time. If apps could add domains at runtime and more webviews (Android) would support it, this could benefit app developers.

Related W3C deliverables and/or work items

How is the issue solved in the Browser, and what more is needed?

Browsers increasingly block third-party cookies to protect users' privacy. Webviews are sometimes used differently because they can serve web content from within the application. In this case they could get more freedom to communicate with other sites (CORS).
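
The backend side of the setup described in the post above, as an added example that is not part of the original issue or of any project it mentions: a server deciding CORS headers for credentialed requests from a webview's local origin and issuing a cookie that can be sent cross-site. The allow-listed origins (`app://localhost` is a hypothetical custom scheme), the cookie name `session` and the API host are assumptions.

```javascript
// Added example. Origins, cookie name and API host are assumptions.
const ALLOWED_ORIGINS = new Set([
  "https://appassets.androidplatform.net", // WebViewAssetLoader default domain
  "app://localhost", // hypothetical custom scheme served via WKURLSchemeHandler
]);

// Decide the CORS response headers for a credentialed request from a webview.
function corsHeaders(requestOrigin) {
  // Pages loaded from file: send "Origin: null". Never allow that value with
  // credentials: every local file and sandboxed frame shares it.
  if (!requestOrigin || requestOrigin === "null" || !ALLOWED_ORIGINS.has(requestOrigin)) {
    return {}; // no CORS headers, so the webview hides the response from script
  }
  return {
    // With credentials the exact origin must be echoed; "*" is not accepted.
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // stop caches reusing one origin's headers for another
  };
}

// Build a session cookie that a cross-site fetch from the local origin may carry.
function sessionCookie(value) {
  if (!/^[A-Za-z0-9._~-]+$/.test(value)) throw new Error("invalid cookie value");
  // SameSite=None permits cross-site sending and is only honoured with Secure.
  return `session=${value}; Path=/; HttpOnly; Secure; SameSite=None`;
}

// Client side, inside the webview (for reference only):
//   fetch("https://api.example.test/me", { credentials: "include" })
```

Even with these headers, a webview that blocks third-party cookies, as the post describes for WKWebView, will not store or send the cookie unless the platform exempts the domain.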

QingAn commented 2 years ago

As discussed in the 2022-05-25 meeting, we first need to discuss the origin issue for the WebView, which is in #7.

NiklasMerz commented 2 years ago

This basically consists of two parts. Part one is exactly issue #7 about the origin for content. Part two is about using cookies within the context of locally hosted web content. SameSite, tracking prevention, app bound domains etc. come into play there. But we should focus on #7 first and put this in the backlog as this issue might be very specific.

QingAn commented 2 years ago

As discussed in the 2022-07-06 meeting, we focus on #7 and close this issue.