I'm developing an ios app with phonegap and Jquery. I'm facing an issue where sending ajax request failed due to the xmlhttprequest-cannot-load No 'Access-Control-Allow-Origin' header is present on the requested resource error. I have white-listed all domain with < access origin="*" / > in config.xml.
However adding Access-Control-Allow-Origin:* on server could resolve the issue. But I don't want to use this approach because this exposes another security issue. Does Phonegap app requires this? I'm confused because someone says yes and someones says no, and official documentation doesn't mention this either.
I just got the answer. phoneGap does not need this. What I'm experiencing is a known bug in the latest phoneGap (https://github.com/phonegap/phonegap-app-developer/issues/169) which should be resolved soon.
Not on the server no.
You can whitelist the origin though: http://docs.phonegap.com/en/3.0.0/guide_appdev_whitelist_index.md.html
Related
I've got an odd issue where a certain domain fails to load in a WKWebView. It gives an error:
WebPageProxy::didFailProvisionalLoadForFrame: frameID=3, domain=NSURLErrorDomain, code=-1200
Which I believe is complaining about a certificate issue? It works fine if I allow insecure content via info.plist, but of course I don't want to allow that.
The cert is fine for that domain. I'm unable to share the url unfortunately. It's a .gov domain. The cert is DigiCert and not-expired.
It works fine in Safari outside of the app, and even in Firefox and Chrome, which I thought used WKWebView but maybe not?
Has anyone ever experienced this issue? What additional steps can I do to pin down what exactly WKWebView is complaining about and what can be done to fix it?
We're actually using Xamarin, but we have test projects in both Xamarin and Xcode that replicate the issue.
Thanks!
I found the problem!
WKWebView (unlike Safari) requires that SSL certs support forward secrecy.
https://developer.apple.com/documentation/bundleresources/information_property_list/nsexceptionrequiresforwardsecrecy
You can check if a cert supports this here:
https://www.ssllabs.com/ssltest/analyze.html
It's possible to disable it in info.plist but we've opted to ask the site owner to change their certs.
I use the cordova plugin "ionic-plugin-deeplinks" (to my knowledge also works with a plain cordova app).
On Android, links when clicked let users choice between chrome and my application.
=> I suppose that app links works
=> As I'm able to access window.IonicDeeplink and redirect the user to the right page
I'm not able to have the same behavior on iOS, when I click a link I always get the app open in Safari.
How can I find clue on issues ?
More context:
apple-app-site-association is got with a HTTP 200 (over https only), it's located in /.well-known/apple-app-site-association:
I checked TeamID and BundleID 5 times (at least);
with the branch.io validator i get all validations green:
Your domain is valid (valid DNS).
Your file is served over HTTPS.
Your server does not return error status codes greater than 400.
Your file's 'content-type' header was found :)
Your JSON is validated.
with the apple validator, I got : "Action required
Could not extract required information for Universal Links. Learn how to implement the recommended Universal Links.
Error no apps with domain entitlements
The entitlement data used to verify deep link dual authentication is from the current released version of your app. This data may take 48 hours to update." (but some devs said that working app add the same error) what to do with that result?
when monitoring server's log while installing the app with Xcode I see a request get a HTTP 200 on apple-app-site-association
while installing the app with Xcode I got no logs referring to swcd in Xcode (I read here that I should if I had error while installing the app). Is a successful installation silent?
I followed that guide to setup entitlements, but some things feel odd with it:
Unlike the snapshot in the guide, I didn't found any *.entitlements file in my project. Should I have one with cordova? (my xCode seems to remember my setting though). Is it possible to check that installed app get entitlements?
I did set my domain in Xcode like this: applinks:mydomain.com and the switch is ON. But I never uploaded any thing from my local dev environment to apple services. Should I have? If yes, how ?
My current interrogations are highlighted but any explanations on any lack of understanding will be more than welcome!!!
Until then I started a verification for testFlight looking for more info.
while installing the app with Xcode I got no logs referring to swcd in xCode
I implemented Universal Links manually, but situation was similar. Particularly I mentioned empty swcd process log while installing the app, and it turned out that most likely iOS didn't even try to download apple-app-site-association file, like if responsible process wasn't run. In my case device restart helped and deep-linking began to work.
Thus I think restarting device is one another step in troubleshooting when you are sure about all your setup.
For anyone trying to debug this in development:
In XCode, ensure you're editing the Debug version of Signing & Capabilities.
To bypass the Apple Universal Links CDN, configure your Debug domains like applinks:?mode=developer -- adding that query string in development is important.
On your iOS Device, go to Settings->Developer->Universal Links and ensure the Associated Domains Development toggle is switched on.
On your iOS Device in Settings->Developer->Universal Links->Diagnostics, enter your Universal Links URL and ensure you get a green checkmark.
After following all of these steps, Universal Links work locally.
I have developed a phonegap app with xmhttprequest to get some text from the web. It works fine in android, but it is not working in iOS.
Here are the problems:
In index.html, I include external resource of jquery mobile. It's not working.
xmlhttprequest response is null, but status=200. Neither success nor error function be called.
I have :
cordova 3.9.1
access origin=""
allow-navigation href=""
What should I do?
#Agnes,this is a mixed answer. On Cordove/Phonegap versions before 4.0.0, whitelist is NOT required, neither is the new requirement of CSP(Content Security Policy). However as of iOS9, Apple has a new ATS (App Transport Security) that is being enforced.
I don't have a good answer for you because the current Cordova whitelist documentation is mess. My raw notes show the confusion. I'm still sorting it out for blog post.
The best that I can do is turn you towards the clean FAQ
Top Mistakes by Developers new to Cordova/Phonegap
Read 10. Not adding the new "white-list", "white-list plugin" parameters in config.xml AND "Content Security Policy"
The Apple stuff is at the bottom of that section.
Please let me know what you figure out.
TIA
I have a Cordova Angularjs app that is getting some JSON from my server. It works on iOS 8, but when I "upgraded" to iOS 9 I am now getting nothing from my server. The server has not been changed, and I can see the JSON response if I navigate to my url.
I narowed it down a little to my $http.jsonp() method. It is giving me a 404 error when trying to retrieve the JSON. The same exact code works fine and gets the JSON on an iOS 8 device.
Anyone else having an issue with this and iOS 9 and have figured any more out? It definitely seems like an Apple related issue...
Add this to your info.plist file.
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key><true/>
</dict>
From this page
App Transport Security (ATS) enforces best practices in the secure connections between an app and its back end. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt; it is also on by default in iOS 9 and OS X v10.11. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one.
If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forward secrecy. If you try to make a connection that doesn't follow this requirement, an error is thrown. If your app needs to make a request to an insecure domain, you have to specify this domain in your app's Info.plist file.
This has been turned on by default in iOS9. They suggest developing using https whenever possible. To get around that you would need the previous code in this answer.
Newbie to phonegap and mobile programming. I'm getting the whitelist error when trying to connect to a localhost url http:// localhost/.
I've added access origin="*" to /appName/www/config.xml and /appName/platforms/ios/www/config.xml
I'm using phonegap 3.4 and the iphone simulator in xCode 5.1. From everything I've been reading, it should be working but isn't. I'm wondering if there is a setting in xCode that's causing the problem? If I open my local site in a browser, it works.
Thanks!
Please see my below instruction try with anyone and let me know
The following examples demonstrate whitelist syntax:
Access to google.com:
Access to the secure google.com
(https://):
Access to the subdomain
maps.google.com:
Access to all the
subdomains on google.com, for example mail.google.com and
docs.google.com:
Access to all domains, for
example, google.com and developer.mozilla.org: