disable web security on mobile browser ios - iphone

I have been searching around for a bit and can't find any solution to this question.
I need to run a browser on an iPad that allows cross-origin policy to be bypassed. This is easily achieved with a Windows machine by launching, let's say, Chrome with --disable-web-security. I have read that PhoneGap allows this, but the app is already in place.
I'll take any solution, including jailbreaks.

I'm not aware of any official ways to do this.
If you rely on cookies, the alternative would be to read every header to every response and manually assign received cookies to different domains (the downside to this is that you must know the other domains to be used beforehand). For handling cookies, check out [NSHTTPCookieStorage sharedHTTPCookieStorage], the default storage for native apps.

Related

WKWebView http -> https redirection for iOS 10 ATS Compliance

iOS 10 has foisted https upon us and totally broken an application I'm developing. The application is partly an RSS reader. The URLs we get from the RSS feeds are often HTTP URLs, both for the sites, and the metadata images. These HTTP URLs are redirected to the https versions when available just fine in Safari and SFSafariViewController. However, when using WKWebView, this redirection does not happen. The OS just blocks the non-https load altogether. If I try to hack around the issue by swapping "http" for "https" in the URL, often the sites break as they load their images, CSS and JavaScript from HTTP CDNs and those requests get blocked too. How can I get the same behavior in WKWebView as seen in Safari? Is there a configuration I can set? It seems crazy to me that Apple would make this change and just break clients using WKWebView.
P.S. Facebook is able to work around this somehow. I can't tell if it's a heavily hacked SFSafariViewController or they've somehow made the web view work. Does anyone know how they've accomplished this?
Use NSAllowsArbitraryLoads. The key is still available for use; Apple just wants to make sure you have a good reason to use it. Displaying external content inside your app qualifies as such. Once the Apple ATS rules go into effect, you will need to provide an explanation why you need it, and why NSAllowsArbitraryLoadsInWebContent is not enough. Since you already have answers for that, there should be no problem getting your app to pass the review process with NSAllowsArbitraryLoads.
As a note, Apple has postponed the ATS requirement, and it will not go into effect in January 2017.
After digging around in Apple's documentation here I found the new NSAllowsArbitraryLoadsInWebContent key. This fixes the issue for WKWebView, though frustratingly fetching images over http is still problematic. I'll probably end up having to proxy them through my own server.
While you can simply use NSAllowsArbitraryLoads to globally turn off app transport security, this is not ideal, and will be more likely to be rejected by Apple without a really rock-solid justification.
A better solution, which will provide the correct behavior in both iOS 9 and iOS 10, is to put both NSAllowsArbitraryLoads and NSAllowsArbitraryLoadsInWebContent in your Info.plist. Because iOS 9 does not acknowledge the NSAllowsArbitraryLoadsInWebContent key, it will honor NSAllowsArbitraryLoads, effectively turning off app transport security on iOS 9 devices for your app.
In iOS 10, if you include the NSAllowsArbitraryLoadsInWebContent key, iOS will ignore the NSAllowsArbitraryLoads setting, disabling app transport security only in web views in your app. This will mean your app is much more secure in iOS 10, which I believe will make Apple more likely to accept your justification for the use of your app transport security exceptions.
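The effect of declaring both keys, as the answer above describes it, can be checked with a short audit script. This is an added example, not code from the original thread; the function names and the sample Info.plist are constructed, and the iOS 9 / iOS 10 logic follows the behaviour stated in the answer.

```python
import plistlib

# Constructed sample: an Info.plist that declares both ATS keys.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
        <key>NSAllowsArbitraryLoadsInWebContent</key>
        <true/>
    </dict>
</dict>
</plist>
"""

def effective_ats(plist_bytes, ios_major):
    """Report where ATS is still enforced for the given iOS major version."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    arbitrary = bool(ats.get("NSAllowsArbitraryLoads", False))
    web_key_present = "NSAllowsArbitraryLoadsInWebContent" in ats
    web = bool(ats.get("NSAllowsArbitraryLoadsInWebContent", False))
    if ios_major >= 10 and web_key_present:
        # iOS 10: the presence of the web-content key makes the OS ignore
        # NSAllowsArbitraryLoads, so only web views can lose ATS.
        return {"app_connections_enforced": True, "web_views_enforced": not web}
    # iOS 9 does not know the web-content key; the global switch decides.
    return {"app_connections_enforced": not arbitrary,
            "web_views_enforced": not arbitrary}

def audit(plist_bytes, versions=(9, 10)):
    """List the OS versions on which ATS is switched off for the whole app."""
    findings = []
    for v in versions:
        state = effective_ats(plist_bytes, v)
        if not state["app_connections_enforced"]:
            findings.append(f"iOS {v}: ATS disabled for all app connections")
        elif not state["web_views_enforced"]:
            findings.append(f"iOS {v}: ATS disabled in web views only")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_PLIST):
        print(line)
```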
Edit: My below answer is incorrect. It does not work for sites which return XSL, for example RSS feeds hosted on feedburner. I was unable to find a solution for this, so unfortunately I am going back to enabling arbitrary loads.
Our app also has a generic RSS reader feature in it. We want to use ATS for better security and to be in compliance with Apple. In addition, disabling it is considered a high risk by many enterprise clients. As such, enabling "Allow Arbitrary Loads" is not a valid option for us.
For now, we've made the best of this by doing two things:
1. Enabling Allow Arbitrary Loads in Web Content. We also have a generic webview which displays customer content.
2. Using a non-visible WKWebView to load an RSS feed, then extracting the HTML from the webpage and parsing the XML. I've created a gist for that here
Somehow, this terrible hack seems to suit our purposes, for now.
It would be great to have a solution that allows you to override transport security at the URL session level.

Can PWA share state/data between browsers?

If I have multiple browsers, can PWA share states or data? For example if I’m offline and I interact with the app on Firefox, save some data, etc. Can I access that same data when I open the app in Chrome? I tried it with https://voice-memos.appspot.com/ but it doesn’t work. Perhaps an unimplemented feature?
No, you can't. The browsers implement the cache in different ways, they store the data in different directories, etc.
Browsers have their own private storage for web apps, and there's no API designed specifically for direct, seamless cross-browser data sharing, so only workarounds are available.
When online you can share the data by synchronizing it via a server. This may even be near-realtime with the help of SSE/WebSockets or push notifications.
When offline I don't think you can in any sensible way. You could instruct the user to download a file in one app and select it in a file picker in another app (or use drag'n'drop or copy'n'paste). Maybe (I haven't tested) you could establish a WebRTC data connection between browsers while online and it'd survive going offline if the direct p2p connection was made over loopback/LAN.

HTML5 Storage between browsers (on an iphone)?

Is there any way to have localStorage persist across browsers? I have a system that uses localStorage to track which iPhone is accessing my system (it's a controlled environment), but I would like it to work regardless of the browser - if they register their phone using Safari, I want to know the registration key that gets stored (currently using localStorage) even if they use a different browser.
Is this possible? Is there another way to do it?
No, localStorage is local storage for the current domain and only accessible on the particular browser implementation. It will not and cannot ever be used across browsers or devices or different domains.
You need to store the key on a server somewhere, so that the different browsers can both access it. Or perhaps there is some native feature for iOS that both browsers can access, but I wouldn't know about that kind of thing.

Accessing Video Content ONLY through an iOS App - How would I do that

I've got a client that wants to have a paid app providing his video instructional content on iOS, but of course we don't want people simply getting the video content directly without paying for the app.
Is there some simple way of doing this that I'm overlooking? He wants the content streamed so he can add content easily and periodically without app updates.
Perhaps using YouTube but having the videos password protected? Is there a service anyone has used with an appropriate iOS API that anyone has heard of?
I've never done this before, but you could do some kind of token exchange based on the device ID. When the app is first used, register the device ID with the content server, and use that in combination with a salted hash of some kind to identify the device when requesting the media from the server.
I'm considering two options right now.
1- Following this post (roughly), "In iOS, how would you programmatically pass a username / password to a secure site", and essentially doing a combination of .htaccess for password protection, leveraging robots.txt to prevent search engines from indexing the videos, and obfuscating the video names. I've got to research the password protection of the video directory and how exactly to do that... but it seems the simplest. The downside is the clear text password.
2- A slightly more sophisticated method where I use OAuth to authenticate against but really following the first path, and potentially leveraging http://maniacdev.com/2010/09/new-open-source-oauth-library-for-easy-authentication-on-ios-devices-from-google/ to help in writing the OAuth piece.
A third, possibly prohibitively expensive, option is to look at the HTTP live streaming in OSX server https://developer.apple.com/streaming/
How do you guys think these options sound? Are there others I'm not considering?

What is good way to register users from phone app

We have a web application and we've built phone applications (iPhone, Android, BlackBerry) to be companions to the site. The usual workflow is that an existing user of the site gets a phone app and then plugs their existing credentials into the phone app and they are off and running, but more often now we are seeing folks who are downloading the app and then (and this should not surprise anyone) don't read the help screen that explains they need to go and get credentials at the web site and therefore cannot connect to the application which does require registration to manage their content. This is a giant usability fail condition.
So we know that we need to put user registration workflows on the phone app.
Other than the obvious solution of duplicating our registration page on the mobile, does anyone know of a better identity solution for the phone? For example, on the desktop we also use Facebook Connect as an identity server and the users love it. I'm looking for something that simple that we can implement across the major smartphone platforms.
Clarifying note:
I should add here that this registration mechanism is likely to, and it would be desirable if it did, go hand in hand with a general identity/authorization mechanism such as the Facebook mechanism mentioned below.
One other place I'm poking around is to see whether there's an OpenID solution that does not require a browser to pop up.
A RESTful service might be the easiest way for you to achieve this; you can use it on any device that can make HTTP requests, so you can make your own login screens and talk to the service that way...
Facebook has a Connect API for the iPhone. Integrating it into your iPhone app is very smooth.
http://developers.facebook.com/connect_iphone.php
On the BlackBerry we were able to build a fairly robust REST pipeline between the client apps in the field and our servers. We primarily use the framework for updates, but the device API is generic enough to be able to build almost anything you need via standard HTTP/HTTPS GET/POST calls.
On the RIM platform, look into the HttpConnection API as a starting point. There is also an example on the BlackBerry Developer's site which will help. Finally, I believe there are several examples inside the sample package that comes with every BlackBerry JDE (IDE + API download).