Uploaded image for project: 'Moodle app'
  1. Moodle app
  2. MOBILE-3713

Cookies not sent to iframes in iOS 14 (preventing embedding external content such as H5P)

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.9.4
    • Fix Version/s: 3.9.5
    • Component/s: iOS
    • Testing Instructions:
      Hide

      This issue needs to be tested in a device with iOS 14+ and another device (either iOS 13- or Android).

      Setup

      1. In web as teacher, create a page and put an iframe pointing to the same site. There's one already created in MM Testing > Resource: Page > Page with site internal content embedded (via iframe).

      iOS 14+

      1. Login in that site and open the page.
      2. In the iframe, check that you need to login.
      3. Try to login in the iframe. Check that you're asked to login again, you're in an endless loop.
      4. Check that below the iframe you see the text "Is this content not working?".
      5. Click that link. Check that you see a modal explaining that you need to enable a setting.
      6. Click "Open settings" and enable the Cross-Site setting.
      7. Wait 6 minutes to be able to auto-login again. Otherwise you can just go ahead with the testing but you'll need to authenticate manually in the iframe.
      8. Open the app again (the app is killed after changing the setting).
      9. Go to the page. Check that the iframe now works fine.
      10. Go to More > App settings > General. Check that you see an entry about cross-website tracking.
      11. Check that clicking the button also opens the app native settings.

      iOS 13- or Android

      1. Make sure 6 minutes have passed since the iOS 14 test, or user another user.
      2. Login in that site and open the page.
      3. Check that the iframe works fine.
      4. Check that you do NOT see the "Is this content not working?" text.
      5. Go to More > App settings > General. Check that you do NOT see an entry about cross-website tracking.
      Show
      This issue needs to be tested in a device with iOS 14+ and another device (either iOS 13- or Android). Setup In web as teacher, create a page and put an iframe pointing to the same site. There's one already created in MM Testing > Resource: Page > Page with site internal content embedded (via iframe). iOS 14+ Login in that site and open the page. In the iframe, check that you need to login. Try to login in the iframe. Check that you're asked to login again, you're in an endless loop. Check that below the iframe you see the text "Is this content not working?". Click that link. Check that you see a modal explaining that you need to enable a setting. Click "Open settings" and enable the Cross-Site setting. Wait 6 minutes to be able to auto-login again. Otherwise you can just go ahead with the testing but you'll need to authenticate manually in the iframe. Open the app again (the app is killed after changing the setting). Go to the page. Check that the iframe now works fine. Go to More > App settings > General. Check that you see an entry about cross-website tracking. Check that clicking the button also opens the app native settings. iOS 13- or Android Make sure 6 minutes have passed since the iOS 14 test, or user another user. Login in that site and open the page. Check that the iframe works fine. Check that you do NOT see the "Is this content not working?" text. Go to More > App settings > General. Check that you do NOT see an entry about cross-website tracking.
    • Affected Branches:
      MOODLE_39_STABLE
    • Fixed Branches:
      MOODLE_39_STABLE
    • Pull Master Branch:
    • Sprint:
      Moodle App 3.9.5

      Description

      We had a similar bug in iOS 13, but we fixed it by setting a cookie before loading the iframe. However, it seems the fix isn't working in iOS 14 because cookies aren't sent to iframes after updating the OS.

      This is caused by a new feature of iOS 14 called ITP that blocks cookies for external sites unless the user enables a setting in the app to allow those cookies, so we shouldn't expect a "fix" since for them it's not broken.

      More info:

      https://bugs.webkit.org/show_bug.cgi?id=213510

      https://github.com/CWBudde/cordova-plugin-wkwebview-inject-cookie/issues/11#issuecomment-708606549

       

        Attachments

          Activity

            People

            Assignee:
            dpalou Dani Palou
            Reporter:
            dpalou Dani Palou
            Peer reviewer:
            Pau Ferrer Pau Ferrer
            Integrator:
            Pau Ferrer Pau Ferrer
            Tester:
            Isabel Renedo Rouco Isabel Renedo Rouco
            Participants:
            Component watchers:
            Juan Leyva
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:
              Fix Release Date:
              27/Aug/21