{"id":50352722,"url":"https://github.com/beuted/my-pwa","last_synced_at":"2026-05-29T21:30:46.795Z","repository":{"id":340809034,"uuid":"1167675115","full_name":"beuted/my-pwa","owner":"beuted","description":"test pwa for Criteo SOS","archived":false,"fork":false,"pushed_at":"2026-04-01T13:13:04.000Z","size":221,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-01T15:23:37.027Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/beuted.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-26T15:00:56.000Z","updated_at":"2026-04-01T13:13:08.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/beuted/my-pwa","commit_stats":null,"previous_names":["beuted/my-pwa"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/beuted/my-pwa","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/beuted%2Fmy-pwa","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/beuted%2Fmy-pwa/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/beuted%2Fmy-pwa/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/beuted%2Fmy-pwa/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/beuted","download_url":"https://codeload.gi
thub.com/beuted/my-pwa/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/beuted%2Fmy-pwa/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33672124,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-29T02:00:06.066Z","response_time":107,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-05-29T21:30:46.671Z","updated_at":"2026-05-29T21:30:46.766Z","avatar_url":"https://github.com/beuted.png","language":"HTML","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Whitelist Bug Reproduction\n\nThis repo builds **4 different iOS apps** to test how iframe navigation whitelisting behaves across frameworks and versions. 
The goal is to reproduce [cordova-plugin-whitelist issue #49](https://github.com/apache/cordova-plugin-whitelist/issues/49), where third-party iframes cause the app to redirect to Safari.\n\n## The 4 Apps\n\n| App                | Folder                          | Framework            | Whitelist mechanism                                          | Build workflow                 |\n| ------------------ | ------------------------------- | -------------------- | ------------------------------------------------------------ | ------------------------------ |\n| **Cordova 6.1.0**  | `cordova-issue-reproduction/`   | cordova-ios@6.1.0    | `\u003callow-navigation\u003e` via `cordova-plugin-whitelist`          | `build-cordova-ios.yml`        |\n| **Cordova Latest** | `cordova-latest-reproduction/`  | cordova-ios (latest) | `\u003callow-navigation\u003e` via `cordova-plugin-whitelist`          | `build-cordova-latest-ios.yml` |\n| **Capacitor**      | `capacitor-issue-reproduction/` | @capacitor/ios@8.x   | `server.allowNavigation` in `capacitor.config.json`          | `build-ios.yml`                |\n| **WKWebView**      | `webview-issue-reproduction/`   | Native Swift/WKWebView | Custom `WKNavigationDelegate` intercepting iframe navigations | `build-webview-ios.yml`        |\n\nEach app has the same test UI:\n\n- A button to inject an **example.com** iframe (whitelisted ✅)\n- A button to inject a **wikipedia.org** iframe (NOT whitelisted ❌)\n- A button to inject both\n\n## Results\n\n| App                | iframe blocked?                                                              | Opens Safari?     
|\n| ------------------ | ---------------------------------------------------------------------------- | ----------------- |\n| **Cordova 6.1.0**  | ✅ Yes — non-whitelisted iframes trigger Safari redirect                     | ✅ Bug reproduced |\n| **Cordova Latest** | ❌ No — `cordova-plugin-whitelist` is deprecated/ignored in cordova-ios 7.x+ | ❌ No bug         |\n| **Capacitor**      | ❌ No — `allowNavigation` only controls top-level navigation, not iframes    | ❌ No bug         |\n| **WKWebView**      | ✅ Yes — custom native delegate intercepts iframe navigations                | ✅ Bug reproduced |\n\n## Why the bug only occurs on Cordova 6.x\n\nIn **cordova-ios 6.x**, the [`cordova-plugin-whitelist`](https://github.com/apache/cordova-plugin-whitelist) plugin installs a native `WKNavigationDelegate` (`CDVIntentAndNavigationFilter`) that intercepts **all** navigation requests — including **sub-frame (iframe)** loads. When an iframe tries to load a URL that doesn't match any `\u003callow-navigation\u003e` entry in `config.xml`, the delegate calls `UIApplication.openURL`, which hands the URL off to Safari. This is the root cause of the bug: a simple third-party iframe (e.g. from GTM or an ad tag) can kick the user out of the app entirely.\n\nIn **cordova-ios 7.x+** (released [July 2023](https://cordova.apache.org/announcements/2023/07/10/cordova-ios-7.0.0.html)), `cordova-plugin-whitelist` was [deprecated and archived](https://github.com/apache/cordova-plugin-whitelist#deprecation-notice). The allow-list functionality was reworked and integrated into the core of Cordova itself. 
The key behavioral change is that the built-in navigation policy only intercepts **top-level (main frame)** navigations — iframes are no longer subject to the whitelist check, so they load freely without triggering a Safari redirect.\n\nIn **Capacitor**, the [`server.allowNavigation`](https://capacitorjs.com/docs/config#server) config option similarly only controls **top-level WebView navigation**. Iframes are not intercepted by the navigation delegate, so they always load inside the app regardless of the allowNavigation list.\n\nThe **WKWebView wrapper** app proves this isn't a Cordova-specific issue. The whitelist logic is implemented in [`webview-issue-reproduction/Sources/ViewController.swift`](webview-issue-reproduction/Sources/ViewController.swift) (lines 46–85) via `WKNavigationDelegate.decidePolicyFor`. The key behavior:\n\n1. **Line 9**: Only `example.com` is in the `allowedNavigationDomains` whitelist\n2. **Line 66**: Checks if the navigation is a sub-frame (iframe) via `targetFrame?.isMainFrame == false`\n3. **Lines 68–70**: If the iframe domain is whitelisted → `decisionHandler(.allow)` → loads inside the app\n4. **Lines 72–74**: If **not** whitelisted → `decisionHandler(.cancel)` + `UIApplication.shared.open(url)` → **opens Safari**\n\nAny native app that implements this pattern — intercepting sub-frame navigations and opening non-whitelisted URLs externally — will exhibit the same bug.\n\n### Summary\n\n| Framework                                      | Intercepts iframe navigations?                | Bug occurs? 
|\n| ---------------------------------------------- | --------------------------------------------- | ----------- |\n| cordova-ios 6.x + `cordova-plugin-whitelist`   | ✅ Yes — all navigations including sub-frames | ✅ Yes      |\n| cordova-ios 7.x+ (whitelist plugin deprecated) | ❌ No — top-level only                        | ❌ No       |\n| Capacitor 8.x                                  | ❌ No — top-level only                        | ❌ No       |\n| Native WKWebView with custom delegate           | ✅ Yes — intentionally reproduces the pattern | ✅ Yes      |\n\n## Project Structure\n\n```\nmy-pwa/\n├── cordova-issue-reproduction/       # Cordova 6.1.0 app\n│   ├── config.xml\n│   ├── configs/                      # Config variants for testing\n│   └── www/                          # Web assets\n├── cordova-latest-reproduction/      # Cordova latest app\n│   ├── config.xml\n│   ├── configs/\n│   └── www/\n├── capacitor-issue-reproduction/     # Capacitor 8.x app\n│   ├── capacitor.config.json\n│   ├── ios/                          # Xcode project\n│   └── *.html, *.js, *.css          # Web assets\n├── webview-issue-reproduction/       # Native WKWebView wrapper\n│   ├── project.yml                   # XcodeGen spec\n│   ├── Sources/                      # Swift source (AppDelegate, ViewController)\n│   └── Resources/\n│       ├── Info.plist\n│       └── www/                      # Web assets\n└── .github/workflows/\n    ├── build-cordova-ios.yml         # Builds cordova-ios@6.1.0\n    ├── build-cordova-latest-ios.yml  # Builds latest cordova-ios\n    ├── build-ios.yml                 # Builds Capacitor app\n    └── build-webview-ios.yml         # Builds WKWebView wrapper\n```\n\n## Downloading the IPAs\n\nGitHub Actions can build the IPAs because its runners include macOS instances. That's why it's handy to have this repository on GitHub.\n\n1. Go to the **Actions** tab in GitHub\n2. Click the relevant workflow run\n3. 
Download the artifact:\n   - `cordova-6.1.0-whitelist-bug-default`\n   - `cordova-latest-whitelist-bug-default`\n   - `capacitor-whitelist-bug-unsigned`\n   - `webview-whitelist-bug-unsigned`\n\n### Installing on Sauce Labs\n\n- Connect to [Sauce Labs](https://app.eu-central-1.saucelabs.com/) on the EU Central 1 DC\n- Add the .ipa in the \"App Management\" tab\n- Go to \"Get Started Guide\" \u003e \"Manual testing\" \u003e \"Mobile app\"\n- Choose the uploaded .ipa and an iOS device\n- Click \"Start test\"\n\n### Installing on a Real Device\n\nThe `.ipa` files are unsigned. To install on a physical iPhone, use:\n\n- [AltStore](https://altstore.io/)\n- [Sideloadly](https://sideloadly.io/)\n\n## Setting Up a New GitHub Repository\n\nIf you want to fork or push this to your own GitHub repository:\n\n### 1. Clone the repo\n\n```bash\ngit clone https://github.com/beuted/my-pwa.git\ncd my-pwa\n```\n\n### 2. Create a new GitHub repository\n\nGo to [github.com/new](https://github.com/new) and create a new repository. Do **not** initialize it with a README or `.gitignore`.\n\n### 3. Change the remote and push\n\n```bash\ngit remote set-url origin git@github.com:\u003cyour-username\u003e/\u003cyour-repo\u003e.git\ngit push -u origin main\n```\n\n### 4. Verify the builds\n\n1. Go to the **Actions** tab in your new repository\n2. The workflows should trigger automatically on push\n3. If not, trigger them manually via **Run workflow**\n4. Once complete, download the `.ipa` artifacts from each workflow run\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbeuted%2Fmy-pwa","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbeuted%2Fmy-pwa","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbeuted%2Fmy-pwa/lists"}