
gap://ready documentation missing + mixed content policy is blocking loading local files into https page loaded into the webview while not blocking the "insecure" gap://ready #561

@guylando


Steps to reproduce:

  1. Navigate the webview to https://anysite.com using:
    window.location.replace('https://anysite.com'); after device ready event.
  2. In the remote site, try to load a local JS file using file://... or using the file plugin's cdvfile://....

Will get the error:
"[blocked] ...was not allowed to run insecure content.."

On Android there is a way to configure the webview to prevent mixed content policy errors. Is there any solution for iOS?

This is a mixed content policy error and not an App Transport Security or CSP error, so modifying them does not help.

What I can't find documentation about and don't understand is how the gap://ready iframe used by cordova-ios does not get blocked by the mixed content policy?! I understood that this iframe is used for the communication with the native side. Where can I read the documentation about it? Did you register gap as a custom scheme and are you handling the URL? How did it bypass the mixed content policy? Because if I copy cordova.js and other scripts to the remote site and load them, then Cordova works and the gap://ready iframe works without mixed content policy errors.

UPDATE: After reading this:
https://github.com/apache/cordova-ios/blob/master/CordovaLib/Classes/Private/Plugins/CDVUIWebViewEngine/CDVUIWebViewNavigationDelegate.m
https://developer.apple.com/documentation/uikit/uiwebviewdelegate/1617945-webview?language=objc

I am assuming that:

  1. Since the request for gap://ready is from the current app and not another app, there is no need to register a custom scheme. Instead, the shouldStartLoadWithRequest function will get called for this request and will allow logic to be applied.
  2. The reason that the mixed content policy is not triggered is that Cordova blocks the gap://ready request and does not respond to it, not giving content the opportunity to be loaded. Do you agree?
  3. If this is the case, it will not allow solving the mixed content problem of loading JS/CSS files inside the webview's https remote page.
