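I want to open a website in my application. Below is the PoC code for that site. If I open the above anchor tag link directly in the same tab, the cookie is not sent with the request. If it is opened in a new tab, the cookie is sent with the request. If you click the Submit button, you will see that the GET/POST request to https://humblehunter.io/temp/samesite.php contains the cookie that should be protected by the SameSite attribute.

In the code below I pass the current web view's configuration to the newly opened web view, but the configuration does not seem to take effect in the new tab.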

func webView(_ webView: WKWebView, createWebViewWith configuration: WKWebViewConfiguration,
             for navigationAction: WKNavigationAction, windowFeatures: WKWindowFeatures) -> WKWebView? {
    if navigationAction.targetFrame == nil {
        // WKWebView requires WKUIDelegate to return a child view created with
        // exactly the same |configuration| object (exception is raised if config is
        // different). |configuration| param and config returned by
        // WKWebViewConfigurationProvider are different objects because WKWebView
        // makes a shallow copy of the config inside init, so every WKWebView
        // owns a separate shallow copy of WKWebViewConfiguration.
        if let url = navigationAction.request.url, url.isHttpBased() || url.isFileBased() || UIApplication.shared.canOpenURL(url) {
            let newWebView = WKWebView(frame: CGRect.zero, configuration: configuration)
            newWebView.customUserAgent = UserAgent.defaultUserAgent
            self.delegate?.controller(self,
                                      didSelectOpenInNewTabWithURL: navigationAction.request.url,
                                      isPrivate: InPrivateModeHelper.isPrivateMode,
                                      shouldOpenInBackground: false,
                                      preConfiguredWebView: newWebView)
            return newWebView
        }
    }
    return nil
}

PoC code:

<!DOCTYPE html>
<html>
<body>
    <a href="https://humblehunter.io/temp/samesite.php">samesite</a>
    <!-- <a href="https://humblehunter.io/temp/samesite.php" target=_blank>samesite</a> -->
    <form action="https://humblehunter.io/temp/samesite.php" method="post" target="_blank">
        <input type="text" name="username" value="abcd" hidden=true><br>
        <input type="text" name="password" value="xyz" hidden=true><br>
        <input type="submit" value="Submit">
    </form>
</body>
</html>