cordova ios not injecting referrerpolicy into iframe url calls about cordova-ios HOT 6 OPEN

origin request header is part of the CORS protocol. The CORS spec leaves it up to the user agent to add it to request headers or not, the only requirement is that the header must be sent if the user agent is making a "CORS" request, and the WKWebView does just that.

As for the Referrer-Policy, there's a open feature request for wkwebview to support it, so I'm guessing that's not something WKWebView actually supports?

from cordova-ios.

@breautek I am a bit confused by your response. Could you clarify please? Are you saying the WKWebView does send the header if the browser is making a CORS request...so I am interpreting this to mean that an iFrame is not making a CORS request? Is there any method to get the iFrame to send origin or referrer then? If WKWebView doesn't support referrerpolicy directly in the iframe element then I am assuming there is no method to get an iframe to send origin or referrer....true?

from cordova-ios.

Could you clarify please? Are you saying the WKWebView does send the header if the browser is making a CORS request...so I am interpreting this to mean that an iFrame is not making a CORS request?

You're understanding is correct, but honestly iframe sometimes have behaviour than other kinds of request, so with iframes specifically I don't know how that is handled. But generally speaking (like for image requests, XHR/fetch requests, or other resource requests will only send the origin header if the browser ends up making a CORS request. Some other browsers may always send the origin header but you can't really rely on this behaviour, and the WKWebView is one webview that I know will only send the header if it's actually making a CORS request.

Is there any method to get the iFrame to send origin or referrer then?

There is a crossorigin attribute that tells the browser to make a CORS request for that resource, but iframe doesn't appear to be in the list of supported tags, so this leads me to believe that because an iframe acts as a sub-document it doesn't become a CORS request, ever. I do know there are other iframe policies that can be set

If WKWebView doesn't support referrerpolicy directly in the iframe element then I am assuming there is no method to get an iframe to send origin or referrer....true?

Here's something you can try... the iframe tag/object appears to have a referrer property itself, instead of trying to set it via the meta tag. That's supposedly supported on iOS 13+, but it's important to understand that Safari on iOS represents the Safari browser app, and not WKWebView and they are not necessarily the same. See the MDN docs on the referrerpolicy attribute.

Based on your given config I think the equivilant would be:

<iframe src="..." referrerpolicy="origin" />

If that works, you'll probably want to bump your minimum supported iOS to 13, as Cordova defaults to 11.

If it doesn't work, then I think you're out of luck unfortunately. This isn't something that Cordova can control, as it's controlled by the webview itself.

from cordova-ios.

@breautek - thanks for the clarification. The referrerpolicy="origin" does not work, as stated in my OP. The next thing I am going to try to do an XHR load of the document where I can control the CORS and then load that into <iframe srcdoc="(XHR content)" ...>

from cordova-ios.

The referrerpolicy="origin" does not work,

Ah yah, I missed that, my apologies.

The next thing I am going to try to do an XHR load of the document where I can control the CORS and then load that into <iframe srcdoc="(XHR content)" ...>

Not quite sure what kind of kind of limitations that may impose but XHR if it's going to an origin other than the cordova document, then it should trigger a CORS request, so I'd suspect that to work in terms of having the origin header sent.

from cordova-ios.

For anyone who comes across this issue, I found a solution that side loads a document into an iFrame using an XHR (ie: $http.get()) to pass the needed CORS values to my backend server. This CORS request sends the origin (which my server requires) and successfully retrieves the html document:

$http.get(url)
.then(function(response) {
    $scope.urlHTML = $sce.trustAsHtml(response.data) ;
}) '

Then I am able to bind the html document to the iFrame:

<iframe ng-attr-srcdoc="{{urlHTML}}"></iframe>

A full SO is listed here: https://stackoverflow.com/questions/77160980/angularjs-http-document-load-into-an-iframe

from cordova-ios.