Third party cookies and cross origin resource sharing in webviews
Niklas Merz
I worked many years on a hybrid mobile application which uses a webview to show local web content but needs cookie authentication to communicate with a backend server. There are many apps like this built with frameworks like Apache Cordova or Capacitor for the mobile platforms. App developers commonly face challenges implementing CORS or third party cookies.
Local content usually gets served from the file: protocol, but this origin has become more restrictive in the last few years. More standardized APIs could make app developers' lives easier.
This is strongly related to the question "What is an origin?".
Browser vendors & webview providers: Apple, Google
End user: Easier implementation of common use cases and fewer workarounds
APIs provided by Android and iOS allow app or framework developers some customization of the origin of local web content. The capabilities on both platforms differ a lot and force developers to find compromises and workarounds. For example, iOS allows you to use a custom scheme, whereas Android only allows http or https, which iOS prohibits.
Privacy-related cookie blocking features can lead to blocked authentication cookies. For example, iOS's webview, WKWebView, started blocking third party cookies. For apps using a local origin and XHR or fetch requests to backend servers, this can be very problematic.
Browsers increasingly block third party cookies to protect the users' privacy. Webviews are sometimes used differently because they can serve web content from within the application. In this case they could get more freedom to communicate with other sites (CORS).
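
To make the constraint concrete, here is an added sketch (not code from this issue or from Cordova or Capacitor) of what a backend has to send for a credentialed request from a local webview origin, and how a browser-style check treats it. The origins in the allowlist and the function names are assumptions chosen for illustration. Even with these headers in place, a webview that blocks third party cookies can still drop the session cookie, which is the problem described above.

```javascript
// Constructed sample allowlist: origins a hybrid app's webview might send.
// Replace with the origins your app actually uses (assumed values).
const ALLOWED_ORIGINS = new Set([
  "app://localhost",   // custom scheme, iOS-style (assumed)
  "https://localhost", // https scheme, Android-style (assumed)
]);

// Server side: CORS response headers for a cookie-authenticated request.
function corsHeadersFor(originHeader) {
  const headers = { Vary: "Origin" }; // responses differ per origin, so caches must key on it
  // Pages loaded from file: send the opaque origin "null". Other contexts
  // (e.g. sandboxed iframes) send it too, so it is never trusted with credentials.
  if (!originHeader || originHeader === "null") return headers;
  if (!ALLOWED_ORIGINS.has(originHeader)) return headers;
  // With credentials the origin must be echoed exactly; "*" is not accepted.
  headers["Access-Control-Allow-Origin"] = originHeader;
  headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Server side: the webview's local origin is cross-site to the backend,
// so the cookie needs SameSite=None, which in turn requires Secure.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=None`;
}

// Client side (simplified model of the CORS check): may the page read the response?
function responseReadable(pageOrigin, headers, withCredentials) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (!acao) return false;
  if (withCredentials) {
    return acao === pageOrigin &&
      headers["Access-Control-Allow-Credentials"] === "true";
  }
  return acao === "*" || acao === pageOrigin;
}
```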