5

I've recently replaced my UIWebView with a WKWebView in my hybrid app. I'm using a custom scheme to load images from the native part of the app, as recommended by Apple here: https://developer.apple.com/videos/play/wwdc2017/220/

I'm loading the images from a URL that looks like mycustomscheme://?path=somepath

I've added a Content-Security-Policy header to allow for the mixed content, and it looks like this (irrelevant parts were removed):

Content-Security-Policy: default-src 'self' www.myurl.com ; img-src 'self' mycustomscheme: ; script-src 'self' 'unsafe-inline' 'unsafe-eval' ; report-uri https://www.myreporturl.com/

This works for most devices and lets the request to mycustomscheme go through, and reports to myreporturl if anything was blocked. However, on some devices the custom requests are blocked with this error: [Warning] [blocked] The page at https://www.myurl.com was not allowed to display insecure content from mycustomscheme://?path=somepath and no report is being sent to myreporturl, as if the header was not loaded at all.

I've confirmed that the header is actually sent, and that the problematic devices are running the latest iOS (12.1.4).

Any advice on how to prevent my custom requests from getting blocked would be much appreciated!

Tako

4 Answers

2

Try the following for loading image policy:

img-src 'self' 'unsafe-inline' 'unsafe-eval' data: http: https: mycustomscheme: filesystem: file:;
Bradia
  • Holy crap, that seems to have solved it. I can't say I understand why, but I'll take it! Thank you! – Tako Mar 01 '19 at 19:03
  • You're welcome! I am glad it helped. This link explains the options for img-src in more detail. Good luck! https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src – Bradia Mar 04 '19 at 03:43
  • I am having the same problem but with loading a local stylesheet referenced via a `link` element in the `head`. Does it work any differently for `style-src`? – Tom Hamming Mar 19 '20 at 18:23
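As an added example (not code from the question or from any answer), a small Python matcher that applies the CSP source-expression matching rules to the question's image URL under the original img-src and under the broadened directive this answer proposes, and lists which schemes each directive opens for images. The page origin, image URL and both policies are copied from this thread; the other.example URL is a constructed sample.

```python
from urllib.parse import urlsplit

# Constructed sample values, copied from the question and the accepted answer.
PAGE_ORIGIN = "https://www.myurl.com"
IMAGE_URL = "mycustomscheme://?path=somepath"
ORIGINAL_POLICY = ("default-src 'self' www.myurl.com ; img-src 'self' mycustomscheme: ; "
                   "script-src 'self' 'unsafe-inline' 'unsafe-eval' ; report-uri https://www.myreporturl.com/")
BROADENED_POLICY = "img-src 'self' 'unsafe-inline' 'unsafe-eval' data: http: https: mycustomscheme: filesystem: file:"

def parse_csp(header):
    """Split a CSP header into {directive_name: [source_expression, ...]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def is_scheme_source(source):
    """A bare 'scheme:' token such as data: or mycustomscheme:, not a host or keyword."""
    return source.endswith(":") and "/" not in source and not source.startswith("'")

def source_matches(source, url, page_origin):
    """CSP source-expression matching for the expression kinds that appear on this page."""
    u, origin = urlsplit(url), urlsplit(page_origin)
    if source == "'self'":
        return (u.scheme, u.netloc.lower()) == (origin.scheme, origin.netloc.lower())
    if source.startswith("'"):         # 'unsafe-inline' / 'unsafe-eval' never match a URL
        return False
    if is_scheme_source(source):
        return u.scheme == source[:-1].lower()
    scheme, _, rest = source.rpartition("://")      # host-source: [scheme://]host[/path]
    host = rest.split("/", 1)[0].lower()
    if u.scheme != (scheme or origin.scheme).lower():   # scheme-less host inherits page scheme
        return False
    if host.startswith("*."):
        return u.netloc.lower().endswith(host[1:])
    return u.netloc.lower() == host

def image_allowed(header, url, page_origin=PAGE_ORIGIN):
    """img-src governs image loads; default-src is the fallback when img-src is absent."""
    directives = parse_csp(header)
    sources = directives.get("img-src", directives.get("default-src"))
    if sources is None:
        return True                    # no applicable directive: CSP imposes no restriction
    return any(source_matches(s, url, page_origin) for s in sources)

def image_schemes_admitted(header):
    """Every scheme the img-src list opens beyond the page origin, sorted for comparison."""
    return sorted(s[:-1].lower() for s in parse_csp(header).get("img-src", []) if is_scheme_source(s))
```

By the matching rules both directives admit mycustomscheme: URLs; comparing image_schemes_admitted for the two shows that the broadened list additionally admits http:, data:, file: and filesystem: images, which is the exposure to weigh before adopting it.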
0

Cause: Since iOS 9, iOS will only allow your application to communicate with servers that implement best-practice security by default. Values must be set in Info.plist to enable communication with insecure servers.

Solution: Add the following code in your info.plist to trust your domain.

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>www.myurl.com</key>
        <dict>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSIncludesSubdomains</key>
            <true/>
        </dict>
    </dict>
</dict>
Lucas Zhang
  • Tried, but I'm still getting blocked. Also, my problem is in the communication between JS to the native part of the app, so I wouldn't expect it to be blocked by NSAppTransportSecurity. – Tako Feb 20 '19 at 05:04
0

It's an https and http issue. Make sure all your content is https:. Using multiple website resources inside one another mixes it. Try not to do CORS.

Jin Thakur
  • I guess I didn't explain myself well enough in the original post. I'm trying to load the image from the app itself (the native part of the app) into the JS running in the WKWebView, as suggested by Apple in the link above. Wouldn't make sense doing it with https. – Tako Mar 01 '19 at 17:50
-1

Try this:

Add the following lines to your info.plist file:

<key>LSApplicationQueriesSchemes</key>
<array>
    <string>mycustomscheme</string>
</array>

Make sure to change mycustomscheme to your own scheme.

Mehul Thakkar
  • Thanks, but still getting blocked. LSApplicationQueriesSchemes is for URLs you want to open. I'm not trying to open a URL, I'm trying to pass an image from the native code. – Tako Feb 26 '19 at 21:28