adamdport opened a new issue #1088: URL: https://github.com/apache/cordova-ios/issues/1088
# Feature Request Intelligent Tracking Prevention (ITP) is designed to block cross origin tracking. It seems like [App-Bound Domains are the preferred way to establish communication with a remote server](https://blog.merzlabs.com/posts/webview-history/#app-bound-domains) according to Cordova's own @niklasmerz. I've managed to get my hybrid app working with authentication cookies, even with iframes and InAppBrowser, but only after setting AppBoundDomains in my app's plist and setting `LimitsNavigationToAppBoundDomains`. The feature request is for these settings to be configurable from Cordova's `config.xml`. Additionally, both `scheme` and `hostname` should be configurable via the CLI to aid in build automation to different environments, and the docs should be updated with _at least a brief_ mention of what CORS is and how to configure it on a server. ## Motivation Behind Feature Any app using authentication cookies trying to switch from UIWebView to WKWebView will run into issues where cookies aren't being properly set by the authentication response. There is some confusion coming from [@niklasmerz's webkit issue](https://bugs.webkit.org/show_bug.cgi?id=213510), because Niklas's app cannot configure the domains at buildtime. However, for any app that only needs to communicate with 10 or fewer domains (I'd imagine this is _most_ hybrid apps), App Bound Domains offers a solution: > The App-Bound Domains feature takes steps to preserve user privacy by limiting the domains on which an app can utilize powerful APIs to track users during in-app browsing. **Applications that opt-in to this new feature can specify up to 10 “app-bound” domains** I've managed to get my hybrid app working using AppBoundDomains, but it involves manually tweaking the XCode project generated by cordova after a build, which is not ideal. ## Feature Description If `config.xml` contains any appBoundDomains, add those to the plist generated during the ios build, and set `configuration.limitsNaviationsToAppBoundDomains = YES` in `CDVWebViewEngine.m`. ## Alternatives or Workarounds There are efforts to [bypass CORS restrictions altogether using a webview proxy](https://github.com/GEDYSIntraWare/cordova-plugin-webview-proxy) but this doesn't currently seem to work with iframes or inappbrowser. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
