Post

Replies

Boosts

Views

Activity

WKWebView default SameSite value for cookies is different in iOS18
In iOS18, WKWebView's default cookie SameSite value is Lax. Prior to iOS18, the default value is None. Is this intentional, or a bug? This change is not documented anywhere. I made a sample XCode project (ViewController code below) to show this change. It loads www.apple.com into a WKWebView and prints cookies. That site has several cookies, but it only explicitly sets SameSite to None for one cookie, s_vi. Every other cookie relies on default WKWebView behavior. When looking at cookies, either in the console or in Safari's Web Inspector, the SameSite value differs. If older than iOS18, every cookie has SameSite of None. If iOS18, all cookies except s_vi have SameSIte of Lax. I also tried manually setting the following cookies: testCookie-none with SameSite set to None testCookie-lax with SameSite set to Lax testCookie-strict with SameSite set to Strict testCookie- with SameSite set to an empty string When looking at these cookies, testCookie-none and testCookie- have their SameSite of None if older than iOS18, but are both Lax in iOS18. So, it seems we cannot manually set the SameSIte to None either. I realize updating the server to return the SameSite value would resolve this. However, in my app where I'm struggling with this issue, that server is Salesforce. Only they can update their response headers. Since this change isn't documented by Apple, I am assuming it is a bug and not intentional. Are there any workarounds? Any input by Apple on a fix? Below is the ViewController code, and images of the cookies in Safari's Web Inspector. import UIKit import WebKit class ViewController: UIViewController, WKNavigationDelegate { var webView: WKWebView! override func loadView() { // Create WKWebView let config = WKWebViewConfiguration() webView = WKWebView(frame: .zero, configuration: config) // Allow inspection in Safari debugger webView.isInspectable = true // Track the request to load our website webView.navigationDelegate = self // Manually add four cookies: // testCookie-none with SameSite set to None // testCookie-lax with SameSite set to Lax // testCookie-strict with SameSite set to Strict // testCookie- with SameSite set to an empty string addTestCookies() view = webView } override func viewDidLoad() { super.viewDidLoad() // Load a website let urlString = "https://www.apple.com" self.webView.load(URLRequest(url: URL(string:urlString)!)) } // Once the website loads, print the cookies. func webView(_ webView: WKWebView, didFinish navigation: WKNavigation!) { WKWebsiteDataStore.default().httpCookieStore.getAllCookies { cookies in for cookie in cookies { print(cookie) } } } /* Manually add the following cookies for domain .apple.com testCookie-none with SameSite set to None testCookie-lax with SameSite set to Lax testCookie-strict with SameSite set to Strict testCookie- with SameSite set to an empty string In older iOS versions, both testCookie-none and testCookie- will have their SameSite as none. In iOS18, no cookie will have SameSite as None. */ func addTestCookies() { let httpCookieStore = WKWebsiteDataStore.default().httpCookieStore for sameSitePolicy in ["none", "lax", "strict", ""] { httpCookieStore.setCookie(HTTPCookie(properties: [ HTTPCookiePropertyKey.path: "/", HTTPCookiePropertyKey.name: "testCookie-"+sameSitePolicy, HTTPCookiePropertyKey.value: "1", HTTPCookiePropertyKey.domain: ".apple.com", HTTPCookiePropertyKey.secure: true, HTTPCookiePropertyKey.sameSitePolicy: sameSitePolicy ])!) } } }
1
1
626
Oct ’24