sendCookies=true causes cookies to be sent to wrong domain
We discovered a bug where in certain cases cookies of one domain are sent to a different domain when sendCookies is true.
The conditions are the following (in parentheses is our use case example):
- We open a WKWebView in primarydomain.com which sets cookies (session cookie)
- secondarydomain.com has previously set cookies for itself (e.g. service has been previously opened)
- We open another WKWebView in secondarydomain.com (a partner service)
- secondarydomain.com sets cookies and performs an HTTP redirect to primarydomain.com/foo (redirects to our OAuth2 endpoint)
- At this point the cookies from secondarydomain.com are sent in the request to primarydomain.com/foo and the primarydomain.com cookies are not sent (result is that user is not signed in, since session cookies are not sent)
We tracked the cause to RCTWKWebView.m method loadRequest:
https://github.com/CRAlpha/react-native-wkwebview/blob/17b4bba4b4095d6a141111b96ba988df3b1ab92c/ios/RCTWKWebView/RCTWKWebView.m#L89-L101
In step 4 loadRequest is called with the secondarydomain.com URL, and since it has previously set cookies, it creates the NSMutableURLRequest and sets the cookies to the new request. However, when secondarydomain.com performs the HTTP redirect to primarydomain.com, loadRequest is not called again, but the cookies previously set are transferred to the new request to primarydomain.com.
Why loadRequest is not called or why the cookies transfer to the redirected request is unknown to us. Maybe didReceiveServerRedirectForProvisional should be listened to?
https://developer.apple.com/documentation/webkit/wknavigationdelegate/1455627-webview?language=objc
We also find the name and documentation of sendCookies to be misleading, as cookies are sent and shared between WKWebViews even with the flag set to false. In our app we found no difference between the settings, except for this bug. (The flag had probably been set to true in our code due to the misleading name/doc.)
It's also worth noting that JavaScript correctly sees the cookies of primarydomain.com; it's just the server request which contains cookies from secondarydomain.com.
> Why loadRequest is not called
This is the standard WKWebView behavior. loadRequest is only used to load the first request. Subsequent requests do not go through loadRequest.
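A small model of the behaviour reported in this thread, added here as an illustration (it is not code from the issue or from react-native-wkwebview): a Cookie header built once for the first URL is carried across the redirect, compared with recomputing it per hop using RFC 6265 domain matching. The cookie names and values and all function names are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed cookie store: (domain, name, value). Values are made up.
JAR = [
    ("primarydomain.com", "session", "p-123"),
    ("secondarydomain.com", "partner", "s-456"),
]

# Redirect chain from the report: partner page, then the OAuth2 endpoint.
CHAIN = ["https://secondarydomain.com/start", "https://primarydomain.com/foo"]


def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3 domain matching (simplified: no IP-address hosts)."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    # Suffix match must fall on a label boundary, hence the leading dot.
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookie_header(url, jar=JAR):
    """Cookie header containing only the cookies scoped to this URL's host."""
    host = urlsplit(url).hostname
    return "; ".join(f"{n}={v}" for d, n, v in jar if domain_match(host, d))


def follow(chain, recompute_per_hop):
    """Return [(url, Cookie header)] for every hop of a redirect chain.

    recompute_per_hop=False models the reported behaviour: the header is
    built for the first URL only and reused unchanged on the redirect.
    """
    first = cookie_header(chain[0])
    return [(u, cookie_header(u) if recompute_per_hop else first) for u in chain]


def misdirected(hops, jar=JAR):
    """(host, cookie name) pairs where a cookie reached a non-matching host."""
    owner = {n: d for d, n, _ in jar}
    leaks = []
    for url, header in hops:
        host = urlsplit(url).hostname
        for pair in filter(None, header.split("; ")):
            name = pair.split("=", 1)[0]
            if not domain_match(host, owner[name]):
                leaks.append((host, name))
    return leaks
```

Running `misdirected` over captured request headers in an integration test gives a regression check for this class of bug.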