Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cookies are blocked in iframe even after disabling ITP #1228

Open
3 tasks done
abhinavms opened this issue Mar 28, 2022 · 11 comments
Open
3 tasks done

Cookies are blocked in iframe even after disabling ITP #1228

abhinavms opened this issue Mar 28, 2022 · 11 comments

Comments

@abhinavms
Copy link

Bug Report

Problem

Even after allowing cross-site tracking in the app setting to disable ITP, the 3rd party cookies are still not being set in iframe. The Storage Access API denies the request to access storage. This causes login to fail in the iframe.

What is expected to happen?

Cookies should be stored and sent in every request

What does actually happen?

Cookies are not being stored

Information

I have created a sample application to illustrate the problem. Link - https://github.com/abhinavms/cordova-3rdparty-cookie

The webview loads URL abhinavms.github.io/cookieTest. It has an iframe that loads cookie-set-test.herokuapp (Source code). cookie-set-test.herokuapp sends a request to set a cookie and verify if the cookie was set. It also displays if the Storage Access API has granted access.

With the latest Xcode version, it is observed that the cookie is never being set in the iframe unless already a first-party cookie was available. This issue was also reproducible in iOS 12.4, which doesn't have ITP

Observations

  1. The iframe does not have the Storage Access API, therefore cookies are not being stored
  2. document.requestStorageAccess() is denying the request to access storage to save cookies
  3. If the 3rd party domain already has a 1st party cookie, then storage access is given and it can load in the iframe

Environment, Platform, Device

Xcode 13.3
iOS 15.3, 12.4

Checklist

  • I searched for existing GitHub issues
  • I updated all Cordova tooling to most recent version
  • I included all the necessary information above
@abhinavms
Copy link
Author

In mobile and desktop Safari, disabling the "Prevent Cross-Site Tracking" option causes the site to work as expected. In chrome also no issue seems to be there. The only issue is on the mobile app with NSCrossWebsiteTrackingUsageDescription option.

@breautek
Copy link
Contributor

Iframes don't have access to the storage api by default, which is required to handle ITP.

Iframes that is a direct child of the top level frame have an attribute to enable the storage access api. Direct child iframes can have

sandbox="allow-storage-access-by-user-activation" to enable storage access.

From what I read, iframes in which is nested do not have storage access, even with the sandbox attribute.

Note that if either the top frame or the iframe document navigates, storage access is revoked. Any storage grants only persists for the lifetime of the document.

Disclaimer: don't have the means to confirm or test any of this. Just summarizing webkits blog

Also there are some cookie bugs that is unrelated to ITP in WKWebView, which was reported to Apple via https://bugs.webkit.org/show_bug.cgi?id=213510 which I think effects ios <= 13. Your reproduction on ios 12.4, while show similar symptoms is likely related to cookie syncing issues on wkwebview. I believe these are fixed in later ios versions (but I don't work cookies so not sure on the exact details here on this.)

@abhinavms
Copy link
Author

abhinavms commented Mar 29, 2022
edited
Loading

breautek
If my understanding is correct when I enable "Allow cross-site tracking" in the settings, then shouldn't ITP be disabled and the access is given?

I've added sandbox="allow-storage-access-by-user-activation allow-scripts allow-same-origin"
However, access was still not granted.

The iframe on the sample app I provided is a direct child of the webpage.

Yeah, I think you are right. It could be unrelated to ITP and be related to other cookie bugs on the link you provided. After doing some more tests I will reply back. Thank you!

@mkayander
Copy link

Hello. Any success with this issue? I'm also having problems with iframe cookies not being saved & used.

@abhinavms
Copy link
Author

@mkayander For me by default, the Cookie policy is set to NSHTTPCookieAcceptPolicyOnlyFromMainDocumentDomain which is preventing the cookies to be set even when cross-site tracking is enabled. Changing it to NSHTTPCookieAcceptPolicyAlways fixed the issue.

In CDVWebViewEngine.m, can you try adding the below line and see if that helps
NSHTTPCookieStorage.sharedHTTPCookieStorage.cookieAcceptPolicy = NSHTTPCookieAcceptPolicyAlways;

@mkayander
Copy link

@abhinavms Thanks for the info! I've tried adding that line, but with no success yet. Is there a specific place in the file that this line should be at? I've currently added it inside the "initWithFrame".

@abhinavms
Copy link
Author

In my codebase, it was added under "pluginInitialize". But I think it should have worked under initWithFrame also. Maybe you can debug and check the "cookieAcceptPolicy" value in your case. If it is already NSHTTPCookieAcceptPolicyAlways, then you might be facing a different issue.

Also just to confirm you have already added "NSCrossWebsiteTrackingUsageDescription" and enabled tracking in the app settings?

@mkayander
Copy link

Yeah, i've logged the cookieAcceptPolicy value and it's already 0 before the assignment, which is NSHTTPCookieAcceptPolicyAlways.
NSCrossWebsiteTrackingUsageDescription is set and enabled in settings yes.

Yet, i see in dev tools that iframe's response contains multiple Set-Cookie, SameSite is set to none. But when i check saved cookies for iframe's domain, there's none, which results in errors.

I'm also using a cordova-plugin-wkwebview-file-xhr plugin that affects XHR requests but it doesn't seem to be relevant to the problem.

@mkayander
Copy link

As it turned out, those iframe cookies are only being saved if there's already a cookie present for this specific domain. I've used a cordova-plugin-wkwebview-inject-cookie plugin to add a dummy cookie for the required domain on the app startup, and it started working.

So it seems like a working solution for the test environment, but not a good option for the prod, since it's not great to force users to enable tracking in settings.

It looks like the only option for the production env is to make a separate build for each domain and enforce/proxy all iframes to it.

@zgheibe
Copy link

zgheibe commented Aug 30, 2024

@mkayander is it still working now for you with ios 18 beta ?
it used to work for me with cordova-plugin-wkwebview-inject-cookie , but now with IOS beta 18 it is not.

i have a hybrid app which makes calls to a webserver and loads the pages returned as a response inside the iframe of my app. Cookies are maintained outside the iframe in my app , but inside the iframe, they do not exist anymore; calls from inside the iframe to the server (same-origin) are failing since no cookies in the request => no session ID.
This worked fine in previous IOS versions (last one tested was 17.5.1). I think i am being able to set the cookie name and value, but i think the problem is not being able to set the attribute "SameSite=None; Secure". It is being taken into consideration as a part of the cookie value. Anybody knows if there is a plugin where i can control and set cookie attributes into my iframe?

@mkayander
Copy link

@mkayander is it still working now for you with ios 18 beta ? it used to work for me with cordova-plugin-wkwebview-inject-cookie , but now with IOS beta 18 it is not.

We ended up on assigning a relevant domain for the environment. So basically stopped trying to hack this thing anymore.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@breautek @mkayander @abhinavms @zgheibe