WKWebView through an Azure AppProxy

Question

On one hand, we have a website that is published within an intranet (not accessible from the internet). To make it accessible, an Azure AppProxy has been configured.

On the other hand, we have an Android and an iOS mobile application that load this website in a webView.

As communications are made through the AppProxy, it is necessary to include an authentication header in all calls.

On Android it works fine, but on iOS, using WKWebView causes errors. The home of the website is loaded, but not the resources (js files, css files, ...). Currently we see that we have duplicate headers and CORS errors, and we can't identify what is the cause.

Does anyone have experience using WKWebView through an Azure AppProxy?

Answer 1

Sorry for the delay in responding as I had to work with various teams within to better understand into this issue.

Could you please ensure following has been updated for application:

• Client side, for XHR request, the ‘withCredentials’ property must be explicitly set to ‘true’.
• Client side, for Fetch, the ‘credentials’ property of settings must be explicitly set to ‘include’.
• Server side, ‘Access-Control-Allow-Credentials’ headers must be added and set to ‘true’.
The first two is to let the browser bring credentials while sending the request, in our case, the credentials are cookies.
The third one is to let the browser expose the response to the JavaScript, if credentials are sent, but the response does not contain this header, the request will fail.

Details can be found here: Understand and solve Azure Active Directory Application Proxy CORS issues | Microsoft Learn