vbraun opened a new issue, #1537:
URL: https://github.com/apache/cordova-ios/issues/1537

   # Bug Report
   
   ## Problem
   
   On iOS, an iframe cannot embed a page where the server sets a `frame-ancestors *` Content Security Policy.
   
   This is despite allowing navigation in the config.xml
   ```
       <access origin="*" />
       <allow-navigation href="https://*.menti.com/*" />
       <platform name="ios">
           <preference name="scheme" value="app"/>
       </platform>
   ``` 
   
   ### What is expected to happen?
   
   The iframe content should load
   
   ### What does actually happen?
   
   On iOS, the iframe fails to load with
   ```
   Refused to load https://www.menti.com/xyz because it does not appear in the frame-ancestors directive of the Content Security Policy.
   ```
   On Android, the iframe loads as expected. Possibly because Android allows the app to use the `https://` scheme.
   
   
   
   ## Information
   
   It seems that `*` does not match the iOS scheme, which is `app://` in my case. Presumably it would match `https://`, but that is not allowed by Apple.
   
   This might not be fixable on the Cordova side, but there was no bug report documenting the issue.
   
   This can be worked around on the server side by explicitly allowing the scheme, if you control the server side.
   As an example, Typeform did this here: https://github.com/Typeform/embed/issues/311
   I don't know any other workaround.
   
   
   ### Environment, Platform, Device
   
   cordova-ios version 7.1.1
   
   
   
   
   
   ## Checklist
   
   - [ ] I searched for existing GitHub issues
   - [ ] I updated all Cordova tooling to most recent version
   - [ ] I included all the necessary information above
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
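
A simplified model of the CSP Level 3 source-matching rule behind this report, added here as an illustration; it is not code from the issue, from Cordova, or from WebKit. It shows why `*` in `frame-ancestors` covers an `https://` ancestor but not a custom-scheme one, and how an explicit scheme-source changes the result. The `app://localhost` ancestor origin and the function names are assumptions; ports and paths are not compared.

```javascript
// Simplified CSP3 source matching as applied to frame-ancestors.
// Assumption: only scheme and host are compared (ports and paths ignored).
const schemeMatch = (a, b) => a === b || (a === 'http' && b === 'https');

function sourceMatches(expr, ancestor, self) {
  const scheme = ancestor.protocol.slice(0, -1);
  const selfScheme = self.protocol.slice(0, -1);
  if (expr === '*') {
    // The wildcard covers HTTP(S) ancestors and the framed page's own scheme only.
    return scheme === 'http' || scheme === 'https' || scheme === selfScheme;
  }
  if (expr === "'self'") {
    return schemeMatch(selfScheme, scheme) && ancestor.hostname === self.hostname;
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    // scheme-source such as "app:" or "https:"
    return schemeMatch(expr.slice(0, -1).toLowerCase(), scheme);
  }
  // host-source: optional scheme, then a host that may start with "*."
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(expr);
  if (!m) return false;
  const [, exprScheme, host] = m;
  // Without an explicit scheme, the framed page's own scheme is used.
  if (!schemeMatch((exprScheme || selfScheme).toLowerCase(), scheme)) return false;
  const h = ancestor.hostname.toLowerCase();
  const p = host.toLowerCase();
  return p.startsWith('*') ? h.endsWith(p.slice(1)) : h === p;
}

// policy: the directive text, e.g. "frame-ancestors * app:"
// ancestorUrl: URL of the embedding document; selfUrl: URL of the framed page
function frameAncestorsAllows(policy, ancestorUrl, selfUrl) {
  const ancestor = new URL(ancestorUrl);
  const self = new URL(selfUrl);
  const sources = policy.trim().split(/\s+/).slice(1); // drop the directive name
  return sources.some((s) => sourceMatches(s, ancestor, self));
}

// Constructed sample inputs
const framed = 'https://www.menti.com/xyz';
console.log(frameAncestorsAllows('frame-ancestors *', 'app://localhost', framed));
console.log(frameAncestorsAllows('frame-ancestors *', 'https://localhost', framed));
console.log(frameAncestorsAllows('frame-ancestors * app:', 'app://localhost', framed));
```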
