Reputation: 3444
WKWebview [Warning] [blocked] The page at https://www.myurl.com was not allowed to display insecure content from mycustomscheme://?path=somepath
I've recently replaced my UIWebview to a WKWebview in my hybrid app. I'm using a custom scheme to load images from the native part of the app as it's recommended by Apple here:
https://developer.apple.com/videos/play/wwdc2017/220/
I'm loading the images from a url that look like mycustomscheme://?path=somepath
I've added Content-Security-Policy header to allow for the mixed content, and it looks like this (irrelevant parts were removed):
Content-Security-Policy: default-src 'self' www.myurl.com ; img-src 'self' mycustomscheme: ; script-src 'self' 'unsafe-inline' 'unsafe-eval' ; report-uri https://www.myreporturl.com/
This works for most devices and lets the request to mycustomscheme go through, and report to myreporturl if anything was blocked. However, on some devices the custom requests are blocked with this error:
[Warning] [blocked] The page at https://www.myurl.com was not allowed to display insecure content from mycustomscheme://?path=somepath and no report is being sent to myreporturl, as if the header was not loaded at all.
I've confirms that the header is actually sent, and that the problematic devices are running the latest iOS (12.1.4).
Any advice on how to prevent my custom requests from getting blocked would be much appreciated!
Upvotes: 6
Views: 4080
Answers (4)
Reputation: 2773
Its https and http issue Make sure all your content are https:. Using Multiple website resources inside one another mixes it. Try not to do CORS.
Upvotes: 0
Reputation: 857
Try the following for loading image policy:
img-src 'self' 'unsafe-inline' 'unsafe-eval' data: http: https: mycustomscheme: filesystem: file:;
Upvotes: 2
Reputation: 12594
Try this:
Add following line in your info.plist file:
<key>LSApplicationQueriesSchemes</key>
<array>
<string>mycustomscheme</string>
</array>
Make sure to change mycustomscheme to your own scheme.
Upvotes: -1
Reputation: 18861
Cause: Since iOS 9, iOS will only allow your application to communicate with servers that implement best-practice security by default. Values must be set in Info.plist to enable communication with insecure servers.
Solution: Add the following code in your info.plist to trust your domain.
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>www.myurl.com</key>
<dict>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSIncludesSubdomains</key>
<true/>
</dict>
</dict>
Upvotes: 0
Related Questions
- WKWebView custom URL scheme doesn't work with https? (mixed content blocked)
- WKWebView https certificate invalid
- WKWebView does not load https URL?
- iOS WKWebView doesn't load http web content
- iOS: SSL error - page not loading in WKWebView but loads in Safari
- Unable to load webpage in WKWebView
- uiwebview load request not working ios
- SecurityError (DOM Exception 18): The operation is insecure WKWebkit iOS 10
- WKWebView - Failed to load resource: Origin null is not allowed by Access-Control-Allow-Origin
- WKWebView - iframe content is not loading in simulator/device