158812 – [OSX, iOS] Need delegate API to modify requests before dispatching

Bug 158812 - [OSX, iOS] Need delegate API to modify requests before dispatching

Summary: [OSX, iOS] Need delegate API to modify requests before dispatching

Status:	NEW

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebKit2 (show other bugs)
Version:	Other
Hardware:	iPhone / iPad All

Importance:	P2 Blocker
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:

Reported:	2016-06-15 15:05 PDT by Leo Natan
Modified:	2020-02-19 01:23 PST (History)
CC List:	6 users (show)

See Also:	138169

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Leo Natan 2016-06-15 15:05:08 PDT

We are working on a security application, where we need to modify requests to route them through our backend infrastructure, to access internal resources.

So a request for https://example.acme/path/to/resource would be modified to https://secure.acme.com/https://exmaple.acme/path/to/resource with some cookies added for session identification.

So far we have been using UIWebView on iOS, and we have setup NSURLProtocol to modify fields before they are dispatched by CFNetwork. 
We would like to move to WKWebView to take advantage of the new architecture. We need a way to modify requests at the client UI process, before they are dispatched to network. We need to modify fields such as URL and cookies.
 
 We understand this is not possible with out-of-process design, but we do believe some control should be give to the client UI process to control requests before dispatch.

We believe an API similar to -webView:decidePolicyForNavigationAction:decisionHandler: would be a good place to be able to modify the requests.

We discussed this with the WebKit guys at WWDC 2016, and we reached the conclusion to open this bug report.

Thanks

Comment 1 Maciej Stachowiak 2020-02-19 01:15:03 PST

Just top-level requests or subresource requests as well? It would be easier to support for top-level resources only. (A wacky version is possible by canceling the navigation in -webView:decidePolicyForNavigationAction:decisionHandler: and then issuing a new request).

And why do you want to do this? On the face of it, it seems like a Same Origin Policy bypass to reroute all websites to go to the same domain.

Comment 2 Leo Natan 2020-02-19 01:23:53 PST

The bug was opened with security SSLVPN products in mind, where VPN is not feasible/possible, but the administrator would like to have internal web applications not exposed to external networks. So a security gateway acts as a secure MITM to transfer specially crafted URLs, as given in the first comment for example, to internal resources. Since an admin cannot be expected to modify the web applications, and such applications might have absolute paths to resources, rather than relative ones, all resources should pass through such a theoretical system for augmentation. This is a pretty common usecase in security applications, and is not possible to achieve using WKWebView on iOS without using private API.