breautek commented on issue #1373: URL: https://github.com/apache/cordova-ios/issues/1373#issuecomment-1731341364
> Could you clarify please? Are you saying the WKWebView does send the header if the browser is making a CORS request...so I am interpreting this to mean that an iFrame is not making a CORS request? You're understanding is correct, but honestly `iframe` sometimes have behaviour than other kinds of request, so with iframes specifically I don't know how that is handled. But generally speaking (like for image requests, XHR/fetch requests, or other resource requests will only send the `origin` header if the browser ends up making a CORS request. Some other browsers may always send the `origin` header but you can't really rely on this behaviour, and the WKWebView is one webview that I know will only send the header if it's actually making a CORS request. > Is there any method to get the iFrame to send origin or referrer then? There is a [crossorigin](https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/crossorigin) attribute that tells the browser to make a CORS request for that resource, but `iframe` doesn't appear to be in the list of supported tags, so this leads me to believe that because an iframe acts as a sub-document it doesn't become a CORS request, ever. I do know there are other iframe policies that can be set > If WKWebView doesn't support referrerpolicy directly in the iframe element then I am assuming there is no method to get an iframe to send origin or referrer....true? Here's something you can try... the iframe tag/object appears to have a referrer property itself, instead of trying to set it via the meta tag. That's [supposedly](https://caniuse.com/mdn-html_elements_iframe_referrerpolicy) supported on iOS 13+, but it's important to understand that `Safari on iOS` represents the Safari browser app, and not `WKWebView` and they are not necessarily the same. See the [MDN](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#referrerpolicy) docs on the `referrerpolicy` attribute. Based on your given config I think the equivilant would be: ``` <iframe src="..." referrerpolicy="origin" /> ``` If that works, you'll probably want to bump your minimum supported iOS to 13, as Cordova defaults to 11. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
