Plugin seems to not work on ios 14

[brennino]

Hello, I'm using this amazing plugin for sync cookies between main app and iframes inside the app.
With 2 code lines I make everything work.... since now.

With ios 14 the plugin seems to have no effect any more but still working on ios 13 and ios 12 (tested on ios emulator and the new version of xcode).
Is there any way to make this little gem works on ios 14 too?
I expect that customers can be a little disappointed after they update ios the the new version...
Thanks,
Marco

[Babsvik]

Same thing happens to me here.
We have been using this plugin for a few months, and it solved the problem for us.
Also seemed to have stopped working with Xcode version 12.

I noticed that earlier a cookie with key foo and value bar was set, it seems to me that this cookie is no longer being set after building the app with Xcode 12. To be clear here, our app in production running on iOS 14 works and that was built with the previous version of Xcode - this still works. But all my new builds using Xcode version 12, does not work anymore.

Anything I can do to help @CWBudde ? Would be happy to try to solve it with a PR, just not sure how to approach it.

not sure if this is relevant:

[vorderpneu]

@Babsvik I'm encountering the exact same behaviour. xcode11/iOS14 is fine, xcode12/iOS14 doesn't work.
There is also an open issue at the cordova-plugin-ionic-webview repository, describing a similar problem: ionic-team/cordova-plugin-ionic-webview#616
I'm currently trying to solve the issue with native http calls like the creator of that issue did

[brennino]

an update: I can confirm that our app built with a previous version of Xcode works in production on ios 14 and this plugin is sending cookies correctly.
That's why the customers are not disappointed.....not yet.
I have tried on ios simulator with a different ios version (12) and the plugin works also with the new version of xcode... so remains to discriminate the production vs debug behavior.
We haven't tried clearly to publish on the store an app built with the new xcode just for check if it works in production but if the app will work in production and not in debug will still remain a big problem (for testing purposes and for my trust in life). If there is someone so brave to make this test (without having a steaming mobile phone for angry customers) it can be great.

We continue our testing, if someone have an update please reply, this issue is still frustrating.

Thanks

Marco

[itbeyond]

Hum just run into this one also. Starting research process now, does anyone have any updates that highlight or resolve this as yet?

[Babsvik]

I downgraded now to Xcode 11.7.

Downloaded and installed it from https://developer.apple.com/download/more/ then used:

sudo xcode-select -s /Applications/Xcode-11.app/Contents/Developer/

NB: Note that I renamed the app to Xcode-11, so I can have both 11.7 and 12 installed.

After I set it to the active version, I then verified it with:

xcodebuild -version
---
Xcode 11.7
Build version 11E801a

You can't deploy directly to the device running iOS14 using USB with Xcode 11.7. And Xcode 11.7 does not have simulators running iOS 14 (becomes available in Xcode 12).
But I pushed it to testflight and downloaded it on a device with iOS 14 and that is working. Verified on two different devices.

Again not sure how to proceed to solve this, but it seems like this is introduced with iOS14 built using Xcode 12. So building with Xcode 11.7 works for now. Until Apple deprecates Xcode 11.7 😅

[lovetoast]

Hi all, I think this should help:

We are using ionic wkwebview with cordova and codepush.

Prior to ios 14, this plugin used to work for cookies, it now does not. The file-xhr plugin is required (thanks to whoever suggested that).

In addition to that, codepush builds with the new ios do not play ball on apps originally built using the older (<12) xcode versions.

It would be nice to get this working properly again.

I'm not sure if anyone else has an alternative for cookies in wkwebview? There must be an authorative answer. Pretty much every app will use cookies in cordova.

[itbeyond]

@Babsvik - this may have to be my solution also. @lovetoast thanks I understand the xhr plugin may resolve it for direct app uploads/download but I am also using some code which has internal xhr logic and would prefer not to have to get involved in re-writing this.

The issue seem strange as it appears more like a complier issue rather than an issue with the patching itself as it works for iOS14 in xcode 11. Just wish I knew more about this to even have a guess as to where to start looking. I think this thread will get more and more traction as people start compiling on xcode 12, If anyone finds anything or can point us in the right direction please share?

[lovetoast]

@itbeyond

Apologies, I thought this had already been posted, I believe this is the why:

https://www.simoahava.com/privacy/intelligent-tracking-prevention-ios-14-ipados-14-safari-14/

[mbalug7]

As @lovetoast said, it is most probably ITP issue.

In our app we are using session cookies to authorize src requests from img and video html tags

The approach that works on iOS versions < 14:

1. "cordova-plugin-advanced-http" plugin sends "GET" requests to web server on some domain
2. response header in our ionic-cordova app contains Set-Cookie: "..." property.
3. That cookie is set to native ios cookie storage, but it needs to be synced with wkwebview. It can be done by using this plugin, or in our case custom cookie-synchronize plugin.
4. When cookie is synced, every request that is sent to that domain (from html video, img tag) contains "Cookie" in header.

So it seems that now ITP blocks third party cookies -> cookies which are set from different domain: e.g.

1. cordova is on http://localhost
2. Request is sent to https://mydomain.com from cordova site (http://localhost domain)
3. Response contains "Set-Cookie" property for domain "https://mydomain.com" -> I think that ITP blocks this cookie, since it is third party cookie which is not set in the header of other cordova/ionic/angular requests as it was before introducing ITP.

To confirm this theory, I used suggestion from here: apache/cordova-ios#922 (comment)

<platform name="ios">
    <config-file parent="NSCrossWebsiteTrackingUsageDescription" target="*-Info.plist"> 
        <string>Description</string> 
    </config-file>
    ... other iOS platform things ....
</platform>

I added this code snippet into config.xml file. After app is built and transferred, kill it. Go to iOS setting, find your app at the bottom of the menu, open it and enable Allow Cross-Website Tracking options. Your cookies should work again.

I know that allowing this manually doesn't help a lot, because end-user should not be aware of this problem, but I just want to show where the problem might be.

[ChrisTomAlx]

Has anyone got this working with Xcode 12 and iOS 13 ?

[giorgos120]

Hi guys, I wanted to share with you the solution I found for this issue. It worked well for my case, where the contents I was trying to access was from one single domain... Lets say mydomain.com

In order to make the app work well with Xcode 12 and the latest iOS I had to add the hostname in the config.xml files. So, if you authenticate or load data as iframe from one specific domain only, this solution will work well.

So, you have to add following line inside <platform name="ios"></platform> of the config.xml file.
<preference name="Hostname" value="mydomain.com" />

[mbalug7]

Hi guys, I wanted to share with you the solution I found for this issue. It worked well for my case, where the contents I was trying to access was from one single domain... Lets say mydomain.com

In order to make the app work well with Xcode 12 and the latest iOS I had to add the hostname in the config.xml files. So, if you authenticate or load data as iframe from one specific domain only, this solution will work well.

So, you have to add following line inside <platform name="ios"></platform> of the config.xml file.
<preference name="Hostname" value="mydomain.com" />

That also helped in our case. Allow Cross-Website Tracking is now disabled, but cookie authorization works.
However, as far as I understand, that domain can't be added dynamically, only in build time, but it works for us.
Thank you mr. @giorgos120

[giorgos120]

Hi guys, I wanted to share with you the solution I found for this issue. It worked well for my case, where the contents I was trying to access was from one single domain... Lets say mydomain.com
In order to make the app work well with Xcode 12 and the latest iOS I had to add the hostname in the config.xml files. So, if you authenticate or load data as iframe from one specific domain only, this solution will work well.
So, you have to add following line inside <platform name="ios"></platform> of the config.xml file.
<preference name="Hostname" value="mydomain.com" />

That also helped in our case. Allow Cross-Website Tracking is now disabled, but cookie authorization works.
However, as far as I understand, that domain can't be added dynamically, only in build time, but it works for us.
Thank you mr. @giorgos120

Yes indeed, you can't add it dynamically.
This is a solution that works if you plan to use only one specific domain for your cross-domain activity (lets say your server). If your application needs require to "play around" with more than one domains, then this wont work.
Taking into consideration that building with xcode 11.x will stop at some point by apple... I believe that this is a better way-to-approach.

[brennino]

Hello,
I want to share the same issue on webkit bugzilla tracker:

https://bugs.webkit.org/show_bug.cgi?id=213510

I think that now it's quite clear (also thanks to all your previous replies) that this "thing" is related to ITP Apple "new feature" and it's an Apple choice introduced "by design".
Due to this situation our team stop to expect a possible fix by Apple cause probably will never arrive so we are trying to investigate for a solution/workaround with stuff that we have now after ios 14 release.

From that webkit post we find the app bound domains that maybe can be a solution (or maybe not cause it seems they are related more to whitelist plugin than cookies, we need to investigate more on that):
https://webkit.org/blog/10882/app-bound-domains/

From app bound domains page we find the presentation page of ITP on webkit.org here:
https://webkit.org/tracking-prevention/

The page state that:

ITP by default blocks all third-party cookies. There are no exceptions to this blocking. Third-party cookie access can only be granted through the Storage Access API and the temporary compatibility fix for popups.

so maybe the only solution for this issue is to use the storage access api:
https://webkit.org/blog/8124/introducing-storage-access-api/

But we don't have so much skills in ios programming to understand how to create a complete solution or even if this could bring us to a solution.
Does anyone that have any swift/objective-c background help us to understand if the previous links can be a possible starting point for a plugin or a solution to this cookie hell?

We continue to investigate this problem and hope for possible proposals/updates that can solve this issue for multiple domains (for one single domain defined at compile time @giorgos120 solution works great, thanks)

[itbeyond]

I have just completed a build of one of my main apps on iOS 14 using xcode 12. I ended up using two tools to get past the issue. I did the <preference name="Hostname" value="mydomain.com" /> as suggest by @giorgos120 and this resolved access to my production web server for when I use standard href type calls for images etc. (I have some cookie handling in these). I then used the cordova-plugin-wkwebview-ionic-xhr 2.1.1 which wrapped all my xhr requests into using a native http client. The up shot is it all worked and the xhr plugin handles the cookies and even some complex headers I manually applied perfectly. Hopefully this will help others.

PS: ensure your urls are encoded before passing to the xhr plugin - it gets upset with space chars in the string that may not upset standard xhr browser calls.

[afeurra]

Hi guys, I wanted to share with you the solution I found for this issue. It worked well for my case, where the contents I was trying to access was from one single domain... Lets say mydomain.com
In order to make the app work well with Xcode 12 and the latest iOS I had to add the hostname in the config.xml files. So, if you authenticate or load data as iframe from one specific domain only, this solution will work well.
So, you have to add following line inside <platform name="ios"></platform> of the config.xml file.
<preference name="Hostname" value="mydomain.com" />

That also helped in our case. Allow Cross-Website Tracking is now disabled, but cookie authorization works.
However, as far as I understand, that domain can't be added dynamically, only in build time, but it works for us.
Thank you mr. @giorgos120

This answer saved me. Also, setting the Hostname makes this plugin useless since the app starts handling any same-site cookies natively.

[HardikDG]

Hi guys, I wanted to share with you the solution I found for this issue. It worked well for my case, where the contents I was trying to access was from one single domain... Lets say mydomain.com

In order to make the app work well with Xcode 12 and the latest iOS I had to add the hostname in the config.xml files. So, if you authenticate or load data as iframe from one specific domain only, this solution will work well.

So, you have to add following line inside <platform name="ios"></platform> of the config.xml file.
<preference name="Hostname" value="mydomain.com" />

Any one has any solution similar to this for the capacitor? I am using Ionic with Capacitor and it don't have this type of config.xml file for this

[iljaverba00]

Hello,
I want to share the same issue on webkit bugzilla tracker:

https://bugs.webkit.org/show_bug.cgi?id=213510

I think that now it's quite clear (also thanks to all your previous replies) that this "thing" is related to ITP Apple "new feature" and it's an Apple choice introduced "by design".
Due to this situation our team stop to expect a possible fix by Apple cause probably will never arrive so we are trying to investigate for a solution/workaround with stuff that we have now after ios 14 release.

From that webkit post we find the app bound domains that maybe can be a solution (or maybe not cause it seems they are related more to whitelist plugin than cookies, we need to investigate more on that):
https://webkit.org/blog/10882/app-bound-domains/

From app bound domains page we find the presentation page of ITP on webkit.org here:
https://webkit.org/tracking-prevention/

The page state that:

ITP by default blocks all third-party cookies. There are no exceptions to this blocking. Third-party cookie access can only be granted through the Storage Access API and the temporary compatibility fix for popups.

so maybe the only solution for this issue is to use the storage access api:
https://webkit.org/blog/8124/introducing-storage-access-api/

But we don't have so much skills in ios programming to understand how to create a complete solution or even if this could bring us to a solution.
Does anyone that have any swift/objective-c background help us to understand if the previous links can be a possible starting point for a plugin or a solution to this cookie hell?

We continue to investigate this problem and hope for possible proposals/updates that can solve this issue for multiple domains (for one single domain defined at compile time @giorgos120 solution works great, thanks)

Hi, Is there any solution to this issue?

[newuser44]

Hi guys, I wanted to share with you the solution I found for this issue. It worked well for my case, where the contents I was trying to access was from one single domain... Lets say mydomain.com
In order to make the app work well with Xcode 12 and the latest iOS I had to add the hostname in the config.xml files. So, if you authenticate or load data as iframe from one specific domain only, this solution will work well.
So, you have to add following line inside <platform name="ios"></platform> of the config.xml file.
<preference name="Hostname" value="mydomain.com" />

That also helped in our case. Allow Cross-Website Tracking is now disabled, but cookie authorization works.
However, as far as I understand, that domain can't be added dynamically, only in build time, but it works for us.
Thank you mr. @giorgos120

This answer saved me. Also, setting the Hostname makes this plugin useless since the app starts handling any same-site cookies natively.

Are you saying you did not need any other plugin to get cookies to start working?
cordova-ios installed WKwebView set up and nothing else?

This domain is the web server your are calling correct? not a localhost or ionic://localhost ???

UPDATE:
Tried this with hosname being my companies domain, test.com
Got an error making my next call really cors inside the app because it was saying ionic://test.com is not allowed.
I switched to localhost so things would us ionic://localhost. The api calls go through now but still blocked because of cookies.

[afeurra]

Hi guys, I wanted to share with you the solution I found for this issue. It worked well for my case, where the contents I was trying to access was from one single domain... Lets say mydomain.com
In order to make the app work well with Xcode 12 and the latest iOS I had to add the hostname in the config.xml files. So, if you authenticate or load data as iframe from one specific domain only, this solution will work well.
So, you have to add following line inside <platform name="ios"></platform> of the config.xml file.
<preference name="Hostname" value="mydomain.com" />

That also helped in our case. Allow Cross-Website Tracking is now disabled, but cookie authorization works.
However, as far as I understand, that domain can't be added dynamically, only in build time, but it works for us.
Thank you mr. @giorgos120

This answer saved me. Also, setting the Hostname makes this plugin useless since the app starts handling any same-site cookies natively.

Are you saying you did not need any other plugin to get cookies to start working?
cordova-ios installed WKwebView set up and nothing else?

This domain is the web server your are calling correct? not a localhost or ionic://localhost ???

UPDATE:
Tried this with hosname being my companies domain, test.com
Got an error making my next call really cors inside the app because it was saying ionic://test.com is not allowed.
I switched to localhost so things would us ionic://localhost. The api calls go through now but still blocked because of cookies.

Yes I'm saying I don't need any specific plugin to make cookies work. All I had to do was:

• adding withCredentials: true to my HttpInterceptor (using Angular, this was easy)
• setting the hostname, without protocol nor path, to ios platform in my config.xml (the hostname matches the one of my server)
• of course I had to open CORS on my server, adding the hostname ionic://<theHostname>
  The hardest part was debugging the whole thing because I develop running the app on browser which doesn't support cross-site cookies, so I also had to add http://localhost to CORS settings on my server.

Environment:
Ionic 5.4.2
Angular 8.2.14
Cordova 9.0.0
Cordova-iOS 5.1.1
cordova-plugin-ionic-webview 4.2.1

[allanevargas]

Are these somehow related to why my PHP session variables aren't persisting? I've just upgraded to WKWebView from UIWebView but my PHP session variables are not working now. My HTTP requests are working fine but some data cannot be retrieved since some session variables are blank.

I do have withCredentials: true and I have also added <preference name="hostname" value="localhost" />. Having a value as demo.mywebsite.com doesn't seem to work.

cordova-plugin-android-permissions 1.1.0 "Permissions"
cordova-plugin-androidx-adapter 1.1.1 "cordova-plugin-androidx-adapter"
cordova-plugin-androidx 2.0.0 "cordova-plugin-androidx"
cordova-plugin-camera 4.1.0 "Camera"
cordova-plugin-device 2.0.3 "Device"
cordova-plugin-file-opener2 3.0.5 "File Opener2"
cordova-plugin-file-transfer 1.7.1 "File Transfer"
cordova-plugin-file 6.0.2 "File"
cordova-plugin-firebasex 11.0.1 "Google Firebase Plugin"
cordova-plugin-inappbrowser 4.0.0 "InAppBrowser"
cordova-plugin-ionic-keyboard 2.2.0 "cordova-plugin-ionic-keyboard"
cordova-plugin-ionic-webview 5.0.0 "cordova-plugin-ionic-webview"
cordova-plugin-splashscreen 6.0.0 "Splashscreen"
cordova-plugin-statusbar 2.4.3 "StatusBar"
cordova-plugin-whitelist 1.3.4 "Whitelist"
cordova-plugin-x-toast 2.7.2 "Toast"

[CWBudde]

Just to sum up the discussion: The plugin doesn't seem to be working with XCode 12 and iOS 14 due to ITP (intelligent tracking prevention). There are a few alternatives. The best I have encountered so far ist the wkwebview proxy plugin.

[rafaellop]

If anyone still have troubles with that I've also had this issue and nothing worked except I tried a simple thing which is:

1. Add the following to your config.xml for the ios platform:

<preference name="scheme" value="ionic" />
<preference name="hostname" value="yourdomain.com" />

where yourdomain.com is the domain name where backend script is working. In my case it is a php script working on my domain so it's been just enough to enter the domain in the value.

2. Configure your backend script to allow this origin. In my php script I had to change the origin I had for cordova app to be dynamically changed depending on the request source:

$http_origin = $_SERVER['HTTP_ORIGIN'];
if ($http_origin == "ionic://localhost" || $http_origin == "ionic://mydomain.com") {  
    header("Access-Control-Allow-Origin: $http_origin");
}

And that's it. The session cookies beeing not persistent is fixed.

[huytrv]

Now, does the plugin work on xcode version >12 and ios14?

[Lyfei]

If anyone still have troubles with that I've also had this issue and nothing worked except I tried a simple thing which is:

1. Add the following to your config.xml for the ios platform:

<preference name="scheme" value="ionic" />
<preference name="hostname" value="yourdomain.com" />

where yourdomain.com is the domain name where backend script is working. In my case it is a php script working on my domain so it's been just enough to enter the domain in the value.

2. Configure your backend script to allow this origin. In my php script I had to change the origin I had for cordova app to be dynamically changed depending on the request source:

$http_origin = $_SERVER['HTTP_ORIGIN'];
if ($http_origin == "ionic://localhost" || $http_origin == "ionic://mydomain.com") {  
    header("Access-Control-Allow-Origin: $http_origin");
}

And that's it. The session cookies beeing not persistent is fixed.

The hostname is working, but I need to switch the hostname while the application is running. How do I modify this preference?

[Lyfei]

Now, does the plugin work on xcode version >12 and ios14?

no

[nosTa1337]

If anyone still have troubles with that I've also had this issue and nothing worked except I tried a simple thing which is:

1. Add the following to your config.xml for the ios platform:

<preference name="scheme" value="ionic" />
<preference name="hostname" value="yourdomain.com" />

where yourdomain.com is the domain name where backend script is working. In my case it is a php script working on my domain so it's been just enough to enter the domain in the value.

2. Configure your backend script to allow this origin. In my php script I had to change the origin I had for cordova app to be dynamically changed depending on the request source:

$http_origin = $_SERVER['HTTP_ORIGIN'];
if ($http_origin == "ionic://localhost" || $http_origin == "ionic://mydomain.com") {  
    header("Access-Control-Allow-Origin: $http_origin");
}

And that's it. The session cookies beeing not persistent is fixed.

Using Ionic 5 and this does not work for me. I can switch the hostname and can login into my application, but afterwards all the buttons are dead. This error only occurs on --prod --release build so it will be hard to analyze the issue, therefore I am reversing the changes. But thanks for sharing your solution.

[mkayander]

Having this issue. Xcode 11 & 12 are now deprecated by Apple, so downgrading is not an option. Setting the hostname in config should work, but i have multiple domains in the test build + some iframes that come from a different domain. Static hostname is not helpful in this case unfortunately. Anyone has any ideas?

[mkayander]

It works if i add NSCrossWebsiteTrackingUsageDescription and enable it in the settings. Forcing users to do so is surely not a good option however.