Bug 259861
| Summary: | [iOS] Attempting to load Wallet pass from api.americaspharmacy.com results in Safari showing a failure alert | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | andy <planetman1125> |
| Component: | Page Loading | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED INVALID | ||
| Severity: | Normal | CC: | a_protyasha, ap, beidson, karlcow, planetman1125 |
| Priority: | P2 | ||
| Version: | Other | ||
| Hardware: | iPhone / iPad | ||
| OS: | iOS 16 | ||
| URL: | https://api.americaspharmacy.com/wallet/samsclub-card-pass | ||
andy
Steps to reproduce
Go to any WebKit broswer
Then go to https://api.americaspharmacy.com/wallet/samsclub-card-pass
Website fails to load
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
andy
This only fails on iOS
Alexey Proskuryakov
When this website sees an iOS user agent, it attempts to provide a Wallet pass instead of an HTML document that it sends to other browsers.
$ curl -i 'https://api.americaspharmacy.com/wallet/samsclub-card-pass' --header 'User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1'
HTTP/1.1 200 OK
Date: Wed, 09 Aug 2023 17:41:47 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Powered-By: Express
Content-Type: application/vnd.apple.pkpass
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: frame-ancestors 'self' *.medimpact.com;
Transfer-Encoding: chunked
Not yet certain if this is a bug in Safari or WebKit, or something wrong with the website. But this explains why the behavior is different between iOS and desktop.
Alexey Proskuryakov
I can see that the Wallet pass being downloaded is signed with an expired certificate, and that's what is almost certainly causing the problem.
The UI could be better, but any UI enhancement in this area would be in Safari, outside the WebKit open source project.