WKWebView known limitations

The BlackBerry Dynamics SDK for iOS version 4.2 and later supports WKWebView on iOS 11 or later, but not all HTTP and HTML features are supported. The table below lists the known limitations. In general, you may encounter these limitations with HTML, CSS, and JavaScript that are downloaded from a web server, then rendered and run in your application's WKWebView.
Note that the BlackBerry Dynamics Runtime has its own handlers that send HTTP over its secure infrastructure. These are registered as WKWebView custom handlers so that HTTP traffic from a WKWebView instance is redirected to the BlackBerry Dynamics infrastructure. Most of the limitations below arise where WebKit bypasses these custom handlers and uses the native system HTTP handlers instead, so the request leaves the device outside the secure channel and is neither protected nor routed through the enterprise network.
Limitation
Description
CSP reports
Content Security Policy (CSP) is a security feature for websites. For more information, visit https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP. In outline:
  1. An HTTP client (for example, a browser) requests a web page from a server.
  2. In the response, the web server includes CSP settings in the HTTP headers (the Content-Security-Policy header). For example, the policy could specify the list of domains from which image files may be retrieved.
  3. The client checks the policy as it makes further resource requests to render the web page. For example, the client could check the domain of a CSS background image.
  4. If the policy is violated, the client sends a CSP violation report to the receiver named in the policy (the report-uri or report-to directive). CSP reports are sent by HTTP.
WKWebView sends CSP reports using the native system HTTP handlers, not the custom handlers. As a result, either of the following could occur:
  • The address and content of the CSP report could be leaked outside the secure channel.
  • If the receiver is behind the corporate firewall, the CSP report may never be received.
JavaScript beacon
The JavaScript Navigator.sendBeacon() method sends a small amount of data asynchronously, typically analytics data gathered when a web page is unloaded. For more information, visit https://developer.mozilla.org/en-US/docs/Web/API/Navigator/sendBeacon.
WKWebView sends beacon data using the native system HTTP handlers, not the custom handlers. As a result, either of the following could occur:
  • The address and content of the beacon could be leaked outside the secure channel.
  • If the receiver is behind the corporate firewall, the beacon data may never be received.
OCSP requests
The Online Certificate Status Protocol (OCSP) is used to check whether an electronic certificate has been revoked. The address of an OCSP responder can be embedded in the certificate itself (and is therefore covered by the certificate's signature). Any recipient of the certificate can check whether it has been revoked by sending an OCSP request to that responder. For more information, visit https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol.
OCSP requests originate in low-level iOS system services for handling certificates, keys, and trust. For a description of these services, visit https://developer.apple.com/documentation/security/certificate_key_and_trust_services.
HTTP communication in the following scenarios can use these services:
  • BlackBerry Dynamics secure communication, if use of the device certificate store is permitted by the enterprise policy
  • Native communication, including, for example, CSP reports that were not diverted to BlackBerry Dynamics
As a result, either of the following could occur:
  • The address and content of the OCSP request could be leaked. The content is limited: the request identifies the certificate being checked, so the server address is exposed but not the URL that was requested.
  • If the responder is behind the corporate firewall, the OCSP request may never be received. OCSP responders are usually reachable from the Internet, however, so revocation status is generally still obtainable.
Ping tracking messages
The ping attribute can be added to HTML anchor and area elements (<a> and <area>). The attribute holds a space-separated list of URLs. When the hyperlink is followed, an HTTP POST request is sent to every URL in the list; the body of the ping message is always "PING". For more information, visit https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a.
WKWebView sends ping messages using the native system HTTP handlers, not the custom handlers. As a result, either of the following could occur:
  • The address of the ping receiver could be leaked outside the secure channel.
  • If the receiver is behind the corporate firewall, the ping message may never be received.
Special links
HTML supports many link relation types (the rel attribute of <link> and <a> elements). For a list of link types, visit https://developer.mozilla.org/en-US/docs/Web/HTML/Link_types.
WKWebView might follow, open, or otherwise communicate with these links in a way that bypasses the custom HTTP handlers, which could result in data leakage. For example, a preconnect link (<link rel="preconnect">) is a hint to open a connection to a specified server. The connection may be opened when the page that contains the link is loaded, although no request data is sent at that time. Note that even without request data, the DNS lookup and TLS handshake for such a connection reveal the target server name outside the secure channel.
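The CSP report, beacon, ping and special-link limitations above share one root cause: the page content decides which extra endpoints WebKit will contact through native handlers. An application can audit a fetched page for those triggers before rendering it. The following is an added example, not code from the BlackBerry Dynamics SDK: it scans a response's Content-Security-Policy header for report receivers and the HTML for ping attributes, network-hint link relations and inline use of navigator.sendBeacon. The header values, HTML and host names are constructed for the demonstration.

```javascript
// Added example: audit a page for features that WKWebView sends through native
// system HTTP handlers instead of the custom handlers. Illustrative only; the
// sample headers and HTML below are constructed, not captured from a real site.

// CSP directives whose values name a report receiver.
const CSP_REPORT_DIRECTIVES = ['report-uri', 'report-to'];

// Link relations that may open connections or fetch resources ahead of use.
// preconnect opens a connection without sending page data; the others fetch.
const NETWORK_HINT_RELS = ['preconnect', 'dns-prefetch', 'prefetch', 'prerender', 'preload', 'modulepreload'];

// Extract report receivers from a Content-Security-Policy header value.
function cspReportTargets(headerValue) {
  const targets = [];
  for (const directive of headerValue.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens.length < 2) continue;
    const name = tokens[0].toLowerCase();
    if (CSP_REPORT_DIRECTIVES.includes(name)) {
      targets.push({ directive: name, values: tokens.slice(1) });
    }
  }
  return targets;
}

// Read one attribute value (double-quoted, single-quoted or bare) from a tag.
function attr(tag, name) {
  const re = new RegExp('\\b' + name + '\\s*=\\s*("([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(tag);
  return m ? (m[2] ?? m[3] ?? m[4]) : null;
}

// Collect every URL in the ping attribute of <a> and <area> elements.
function pingTargets(html) {
  const urls = [];
  const tagRe = /<(a|area)\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const value = attr(m[0], 'ping');
    if (!value) continue;
    for (const u of value.trim().split(/\s+/)) if (u) urls.push(u);
  }
  return urls;
}

// Collect <link rel=...> hints that cause network activity on page load.
function linkHintTargets(html) {
  const hints = [];
  const linkRe = /<link\b[^>]*>/gi;
  let m;
  while ((m = linkRe.exec(html)) !== null) {
    const rel = attr(m[0], 'rel');
    const href = attr(m[0], 'href');
    if (!rel || !href) continue;
    for (const r of rel.toLowerCase().split(/\s+/)) {
      if (NETWORK_HINT_RELS.includes(r)) hints.push({ rel: r, href });
    }
  }
  return hints;
}

// Detect inline script use of navigator.sendBeacon (external scripts would
// need to be fetched and scanned the same way).
function usesSendBeacon(html) {
  return /\bnavigator\s*\.\s*sendBeacon\s*\(/.test(html);
}

// Headers are expected as an object with lower-case header names.
function auditPage(headers, html) {
  const csp = headers['content-security-policy'] || '';
  return {
    cspReports: cspReportTargets(csp),
    pings: pingTargets(html),
    linkHints: linkHintTargets(html),
    sendBeacon: usesSendBeacon(html),
  };
}

// Constructed sample response.
const SAMPLE_HEADERS = {
  'content-security-policy':
    "default-src 'self'; img-src 'self' https://images.example; report-uri https://csp.example/report; report-to csp-endpoint",
};
const SAMPLE_HTML = `<html><head>
<link rel="preconnect" href="https://cdn.example">
<link rel="stylesheet" href="/site.css">
<link rel="dns-prefetch" href="//analytics.example">
</head><body>
<a href="/next" ping="https://track.example/click https://intranet.example/ping">Next</a>
<area shape="rect" coords="0,0,10,10" href="/map" ping='https://track.example/area'>
<script>window.addEventListener("unload", () => navigator.sendBeacon("/analytics", "bye"));</script>
</body></html>`;

console.log(JSON.stringify(auditPage(SAMPLE_HEADERS, SAMPLE_HTML), null, 2));
```

Each finding is an endpoint that WebKit may contact outside the BlackBerry Dynamics channel; an intranet host in the list (such as the second ping URL above) is one the report will likely never reach, while an Internet host is one that learns the device's address and, for CSP reports and beacons, part of the page content.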
Resource integrity checking with an Origin header
WKWebView has a PingLoader module that can make an integrity check on embedded resources if an Origin header was present in the HTTP response that delivered the containing page. The integrity check sends the whole resource to the server specified in the Origin header. For more details about the HTTP Origin header, visit https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin.
WKWebView sends PingLoader integrity checks using the native system HTTP handlers, not the custom handlers. As a result, any of the following could occur:
  • The address of the Origin server could be leaked outside the secure channel.
  • The content of the resource being checked could be leaked.
  • If the receiver is behind the corporate firewall, the integrity check request may never be received.
JavaScript Fetch API
The JavaScript Fetch API is a programming interface for executing standalone HTTP requests. It is a newer API and a significant upgrade compared to XMLHttpRequest (XHR). For more information about this API, visit https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API.
The BlackBerry Dynamics integration with WKWebView injects code that manipulates some JavaScript class prototypes. The manipulation implements a "bridge" that carries the body of an HTTP request from the JavaScript layer to the secure communication infrastructure. JavaScript prototype manipulation is similar to Objective-C method exchange (also known as swizzling): the original method is kept and a wrapper is installed in its place. The BlackBerry Dynamics SDK supports the Fetch API.
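To make the prototype-manipulation idea concrete, here is an added example of the same technique written as a generic swizzle in plain JavaScript. It is illustrative only and is not the script the BlackBerry Dynamics SDK injects: the bridge object, the stand-in XMLHttpRequest class and the stand-in fetch are constructed so that the example runs offline in Node, where no browser networking objects exist. In a WKWebView the bridge would be a WKScriptMessageHandler reached through window.webkit.messageHandlers, and the originals would be the page's real XMLHttpRequest.prototype methods and window.fetch.

```javascript
// Added example: intercept request bodies by swizzling JavaScript prototypes.
// Illustrative code, not the BlackBerry Dynamics SDK's injected script.

// Stand-in for the native message channel; records what it receives.
const bridge = {
  log: [],
  send(message) { this.log.push(message); },
};

// Replace proto[name] with a wrapper built around the original function.
// This is the JavaScript analogue of Objective-C method swizzling: the
// original stays reachable, so the wrapper can observe and then defer to it.
function swizzle(proto, name, makeWrapper) {
  const original = proto[name];
  if (typeof original !== 'function') throw new TypeError(`${name} is not a function`);
  proto[name] = makeWrapper(original);
  return original;
}

// Normalise the body types a page may pass so the bridge sees one shape.
function serialiseBody(body) {
  if (body == null) return null;
  if (typeof body === 'string') return body;
  if (body instanceof URLSearchParams) return body.toString();
  if (body instanceof ArrayBuffer) return Buffer.from(body).toString('base64');
  return JSON.stringify(body);
}

// Constructed stand-in for the browser's XMLHttpRequest (Node has none).
class XMLHttpRequest {
  open(method, url) { this._method = method; this._url = url; }
  send(body) { this._sent = body; }   // the "native" send the wrapper must still call
}

// Hook open() to remember method and URL, and send() to hand the body to the
// bridge before the original send runs. Unrelated callers see no difference.
swizzle(XMLHttpRequest.prototype, 'open', (original) =>
  function (method, url, ...rest) {
    this.__bridgeMethod = method;
    this.__bridgeUrl = url;
    return original.call(this, method, url, ...rest);
  });
swizzle(XMLHttpRequest.prototype, 'send', (original) =>
  function (body) {
    bridge.send({ api: 'xhr', method: this.__bridgeMethod, url: this.__bridgeUrl, body: serialiseBody(body) });
    return original.call(this, body);
  });

// Constructed stand-in for window.fetch so the example stays offline.
const nativeFetch = async (input) => ({ ok: true, url: String(input) });

// fetch is a free function rather than a prototype method, so the wrapper is
// installed by assignment (in a page: window.fetch = bridgedFetch) after
// saving the original, exactly as swizzle() does for prototypes.
function bridgedFetch(input, init = {}) {
  const url = typeof input === 'string' ? input : input.url;
  const method = (init.method || 'GET').toUpperCase();
  bridge.send({ api: 'fetch', method, url, body: serialiseBody(init.body) });
  return nativeFetch(input, init);
}

// Drive both paths once and return what the bridge observed.
function runDemo() {
  bridge.log.length = 0;
  const xhr = new XMLHttpRequest();
  xhr.open('POST', 'https://intranet.example/api/items');
  xhr.send(JSON.stringify({ name: 'widget' }));
  bridgedFetch('https://intranet.example/api/search', {
    method: 'post',
    body: new URLSearchParams({ q: 'secure' }),
  });
  return bridge.log.slice();
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The point of the pattern is that the page's own code is untouched: it keeps calling XMLHttpRequest.prototype.send and fetch, and the wrapper decides what the secure infrastructure sees before the original implementation runs.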
Known issue with video playback
There is a known issue with how WKWebView handles MP4 video with the H.265/HEVC codec. The issue is common to lower-powered iOS devices and is not specific to the BlackBerry Dynamics integration. For more information, see https://apple.stackexchange.com/questions/227443/possible-to-play-hevcx265-fileson-ipad.
Known issue with uploading files from outside the secure store 
There is a known issue with copies being made of files that are selected for upload. The issue is limited to files that exist outside of the BlackBerry Dynamics secure store.
WKWebView has a built-in file selector UI, opened for example from an <input type="file"> field in an HTML form. WKWebView makes a copy of any file selected for upload through this UI, presumably so that the upload can complete even if the original is deleted first. The copy is not in the BlackBerry Dynamics secure store and is therefore not protected.
The file copy might appear to be a data leak, but files in the BlackBerry Dynamics secure store are not in scope of this UI. Any file that could be selected and copied had already left the container or was never stored in it.