document.cookie non functional in ios 6.0.0/6.1.0

[nickredding]

Bug Report

Using

<preference name="scheme" value="app" />
<preference name="hostname" value="localhost" />

renders document.cookie completely non-functional.

What is expected to happen?

To see this just do

cordova create myApp org.apache.cordova.myApp myApp
cd myApp
(add scheme and hostname preferences to config.xml)
cordova platform add ios@^6.1.0

Now load myApp into the emulator from xcode, then go to the Safari web inspector and try

document.cookie="foo=bar"
document.cookie

Result is empty string.

Removing the scheme and hostname preferences enables document.cookie, but then you don't have the benefit of the scheme.

With ios 5 I used cordova-plugin-wkwebview-file-xhr to enable loading both local and remote urls, and cordova-plugin-wkwebviewxhrfix to enable Javascript trap information to be passed to my code.

With ios 6.1.0 I am still using cordova-plugin-wkwebview-file-xhr (I just removed the dependency on the wkwebview plugin) and this removes the need for the scheme and hostname preferences. However, the scheme and hostname preferences are necessary for Javascript trap information to be passed to my code (other people have commented that cordova-plugin-wkwebviewxhrfix is not compatible with ios 6.0.0).

Command or Code

See above

Environment, Platform, Device

Mac Mini, iPhone 11 xcode simulator

Version information

Cordova 9.0.0, Cordova ios 6.1.0, xcode 11.5

Checklist

• [x] I searched for existing GitHub issues
• [x] I updated all Cordova tooling to most recent version
• [x] I included all the necessary information above

[derMani]

I can confirm this.

document.cookie = 'test'

will be ignored with cordova-ios@6.0.0 or 6.1.0

Additionally, server cookies within the response won't be set.

The last behaviour is most likely related to WKWebview and seems to be some kind of Safari "feature".

Whats also interesting the new release of Safari 13.1 for Mac has the following in release notes:

New Features

• Prevented several potential approaches to circumventing Intelligent Tracking Prevention.
• Added cookie blocking for all cross-site resources by default.

Since then a CORS test that works in all other browsers stopped working on Safari for Mac as well.

Source: https://bugs.webkit.org/show_bug.cgi?id=140205

[iwan-uschka]

Before switching to cordova-ios@6 i used https://github.com/RTK/cordova-cookie-emperor for handling cookies. Just mentioning that this doesn't seem to work anymore.

[drogerie21]

We also used the cookie emperor plugin and can confirm that with cordova 6.1.0 this plugin is not working anymore. We need this really bad. Does anyone has an alternative solution to get cookies?

[nickredding]

Re: cookie emperor. I can't see any reason why this plugin would stop working with iOS 6.1.0. Most likely you are supplying the wrong url or path. Are you setting scheme and hostname? Are you trying to use document.cookie in conjunction with cookie emperor? More information would be useful if you want some suggestions on how to deal with this.

[drogerie21]

Of course, more information: Our app wants to get cookies that are set by a pre-authentication service. So here comes crossdomain into play. Retrieving cookies with the cookie emperor plugin works with cordova 5.1.1 but not with cordova-ios 6.1.1.

[nickredding]

Of course, more information: Our app wants to get cookies that are set by a pre-authentication service. So here comes crossdomain into play. Retrieving cookies with the cookie emperor plugin works with cordova 5.1.1 but not with cordova-ios 6.1.1.

Actually, I am asking for some technical information. --Were you using the WKWebView plugin with iOS 5 or the standard UIWebView? --I assume you are using the wkwebview-file-xhr plugin. If not, are you setting the CORS header from your server to enable cross-origin requests? --Are you setting "secure; samesite=None" when you set cookies on your server and app? --Are you using an external authentication service, and if so is that service setting "secure; samesite=None" for the cookies it sends? --Is you app origin app://localhost or file:// ?

[drogerie21]

Hi,

1) We are using the WKWebView and have been using WKWebView before (through plugin cordova-plugin-ionic-webview) 2) We are using the advanced-http-request plugin (https://github.com/silkimen/cordova-plugin-advanced-http), so no use for wkwebview-file-xhr plugin 3) No. 4) " samesite=None" was not set. But setting it does not change anything. 5) ionic://localhost, we are using the plugin cordova-plugin-ionic-webview

[nickredding]

Hi,

1. We are using the WKWebView and have been using WKWebView before (through plugin cordova-plugin-ionic-webview)
2. We are using the advanced-http-request plugin (https://github.com/silkimen/cordova-plugin-advanced-http), so no use for wkwebview-file-xhr plugin
3. No.
4. " samesite=None" was not set. But setting it does not change anything.
5. ionic://localhost, we are using the plugin cordova-plugin-ionic-webview

I suspect the issue is with the other plugins you mention. I have cookie code very similar to cookie emperor and there is no problem with iOS 6.0.0

[ardabeyazoglu]

the only way cross-site server set cookies work now is to keep "hostname" empty. With the following config, i can send xhr requests to anywhere with cookies working. (I am not using ionic)

<preference name="scheme" value="app" />
<preference name="hostname" value="" />

Using document.cookie still not working though.

[iwan-uschka]

cordova-plugin-wkwebview-file-xhr has been updated to version 3.0.0 on 28th of September. See https://github.com/apache/cordova-ios/issues/883#issuecomment-689646840.

[adamdport]

For those arriving here from google, I'd encourage you to share some votes/contributions/testing to the following:

• Apple's issue: https://bugs.webkit.org/show_bug.cgi?id=213510
• Niklas Merz's plugin, which bypasses WkWebView's native xhr handling: https://github.com/GEDYSIntraWare/cordova-plugin-webview-proxy

[victorvhpg]

please fix these bugs. ios 14 cordova ios 6+ dont store/send cookies we use aws load balance that only use cookies for "sticky session feature" we need cookies to bind a user's session to a specific instance (aws load balance) "sticky session feature"

[dpogue]

I've marked this issue as stale because it's been over a year with no further comments. If this is still an issue in the latest cordova-ios version and an up-to-date iOS version, please let us know. Otherwise, this issue will be closed.

[dpogue]

Closing as stale.

[jwisser-heap]

This remains an issue in both iOS simulator and on-device as of the current version of cordova-ios.