cordova-ios icon indicating copy to clipboard operation
cordova-ios copied to clipboard
verified publisher icon apache

cordova ios not injecting referrerpolicy into iframe url calls

Open rolinger opened this issue 2 years ago • 6 comments

I don't know if this is a bug or if I am doing it wrong but my app loads an iframe and the call to the url is not adding the origin or referrer attributes to the header.

In my iFrame I have added:

<iframe referrerpolicy="origin" id="logframe" ng-src="{{logItem.url}}" style="width:100%;height:100%;"> </iframe>

That didn't work, and then I added the following to my main index.html page:

    <meta name="referrer" content="origin">
    <meta http-equiv="Referrer-Policy" content="origin">

And that did not work either. Am I doing something wrong, is this a bug or is it simply just not possible? According to the web specs on WkWebView it indicates the attribute should be allowed.

rolinger avatar Sep 21 '23 21:09 rolinger

origin request header is part of the CORS protocol. The CORS spec leaves it up to the user agent to add it to request headers or not, the only requirement is that the header must be sent if the user agent is making a "CORS" request, and the WKWebView does just that.

As for the Referrer-Policy, there's a open feature request for wkwebview to support it, so I'm guessing that's not something WKWebView actually supports?

breautek avatar Sep 21 '23 21:09 breautek

@breautek I am a bit confused by your response. Could you clarify please? Are you saying the WKWebView does send the header if the browser is making a CORS request...so I am interpreting this to mean that an iFrame is not making a CORS request? Is there any method to get the iFrame to send origin or referrer then? If WKWebView doesn't support referrerpolicy directly in the iframe element then I am assuming there is no method to get an iframe to send origin or referrer....true?

rolinger avatar Sep 21 '23 23:09 rolinger

Could you clarify please? Are you saying the WKWebView does send the header if the browser is making a CORS request...so I am interpreting this to mean that an iFrame is not making a CORS request?

You're understanding is correct, but honestly iframe sometimes have behaviour than other kinds of request, so with iframes specifically I don't know how that is handled. But generally speaking (like for image requests, XHR/fetch requests, or other resource requests will only send the origin header if the browser ends up making a CORS request. Some other browsers may always send the origin header but you can't really rely on this behaviour, and the WKWebView is one webview that I know will only send the header if it's actually making a CORS request.

Is there any method to get the iFrame to send origin or referrer then?

There is a crossorigin attribute that tells the browser to make a CORS request for that resource, but iframe doesn't appear to be in the list of supported tags, so this leads me to believe that because an iframe acts as a sub-document it doesn't become a CORS request, ever. I do know there are other iframe policies that can be set

If WKWebView doesn't support referrerpolicy directly in the iframe element then I am assuming there is no method to get an iframe to send origin or referrer....true?

Here's something you can try... the iframe tag/object appears to have a referrer property itself, instead of trying to set it via the meta tag. That's supposedly supported on iOS 13+, but it's important to understand that Safari on iOS represents the Safari browser app, and not WKWebView and they are not necessarily the same. See the MDN docs on the referrerpolicy attribute.

Based on your given config I think the equivilant would be:

<iframe src="..." referrerpolicy="origin" />

If that works, you'll probably want to bump your minimum supported iOS to 13, as Cordova defaults to 11.

If it doesn't work, then I think you're out of luck unfortunately. This isn't something that Cordova can control, as it's controlled by the webview itself.

breautek avatar Sep 22 '23 12:09 breautek

@breautek - thanks for the clarification. The referrerpolicy="origin" does not work, as stated in my OP. The next thing I am going to try to do an XHR load of the document where I can control the CORS and then load that into <iframe srcdoc="(XHR content)" ...>

rolinger avatar Sep 22 '23 12:09 rolinger

The referrerpolicy="origin" does not work,

Ah yah, I missed that, my apologies.

The next thing I am going to try to do an XHR load of the document where I can control the CORS and then load that into <iframe srcdoc="(XHR content)" ...>

Not quite sure what kind of kind of limitations that may impose but XHR if it's going to an origin other than the cordova document, then it should trigger a CORS request, so I'd suspect that to work in terms of having the origin header sent.

breautek avatar Sep 22 '23 12:09 breautek

For anyone who comes across this issue, I found a solution that side loads a document into an iFrame using an XHR (ie: $http.get()) to pass the needed CORS values to my backend server. This CORS request sends the origin (which my server requires) and successfully retrieves the html document:

$http.get(url)
.then(function(response) {
    $scope.urlHTML = $sce.trustAsHtml(response.data) ;
}) '

Then I am able to bind the html document to the iFrame:

<iframe ng-attr-srcdoc="{{urlHTML}}"></iframe>

A full SO is listed here: https://stackoverflow.com/questions/77160980/angularjs-http-document-load-into-an-iframe

rolinger avatar Sep 23 '23 17:09 rolinger

Closing out this issue as there is nothing actionable. Appears to be a missing web feature. Also the original OP provided a solution.

erisu avatar Mar 08 '24 13:03 erisu