Allow cross-origin cookies in Android WebView #488
Conversation
|
Sounds reasonable, though I'm not yet sure whether it's safe to impose as default on everyone. On that note, it doesn't feel right to me that the way to tweak any setting in the .java requires forking reflex-dom or android-activity, but I don't know these parts enough to have an opinion on alternatives. I'll be able to take a better look in a couple weeks. |
|
Fair point, I can see how allowing for general use of third party cookies can be unsafe however it's interesting that you mention this constraint of needing to tweak MainWidget.java because the first idea I had in mind was for shouldInterceptRequest to check if it's to a the route specified in I do still think there are niche cases where an app would want a true third party request but perhaps there is an ideal solution to control this through a list of allowed hosts / urls |
|
obsidiansystems/obelisk#348 (comment) I came across this just now and I wanted to put this link as a placeholder to investigate why they were allegedly able to make a request to the backend no problem. Perhaps something has changed like with using the android app assets url |
3 participants
Summary Line: allow third party cookies through .setAcceptThirdPartyCookies
Motivation:
CORS is required for an app entirely run inside of a webview for a connection to the server unless we use websockets. There are many cases such as large files and streaming where it would be undesirable to do through websockets.
It is also impossible to return the cookie in a request then set it through JS if the Cookie appears to be for a different domain. Currently any android app will have the appassets route as it's origin, since this is where index.html is loaded from, therefore any obelisk backend will be viewed as a different server. Even if that was not the case, there might still be cases where we would like to have an authenticated connection with a true third party