We are developers working on ways to empower users on the Web and help them protect their privacy. Based on our collective experience of creating privacy-preserving technologies for iOS, we have collected and curated a list of the most pressing shortcomings of WKWebView (i.e. WebKit WebView). If addressed, these have the potential to positively impact the ecosystem at large, and benefit all users.
Our hope is that this work, supported by some of the most well-known companies acting in the privacy field, will help Apple and the WebKit community prioritize their effort and identify which improvements would be the most impactful.
The following list is the first iteration of our work, and we would like to invite more parties to collaborate on this in the future. We also wish to engage in a fruitful collaboration with Apple and WebKit engineers to help move the ecosystem forward, in a way that benefits all users.
- No way to set cookie accept policy: https://bugs.webkit.org/show_bug.cgi?id=140205
- Can we have ITP in apps?: https://bugs.webkit.org/show_bug.cgi?id=201563
- Only one persistent data store possible: https://bugs.webkit.org/show_bug.cgi?id=140201
- WKWebsiteDataRecord metadata: https://bugs.webkit.org/show_bug.cgi?id=206742
- Cookies currently do not sync properly from WKWebView to HTTPCookieStorage or WKHTTPCookieStore https://bugs.webkit.org/show_bug.cgi?id=207546
- No control over referrers. ITP provides some protection but apps cannot override. https://bugs.webkit.org/show_bug.cgi?id=206521
- No way to observe (and modify) individual web requests from the webview: https://bugs.webkit.org/show_bug.cgi?id=138169, https://bugs.webkit.org/show_bug.cgi?id=205718, https://bugs.webkit.org/show_bug.cgi?id=207542
- Iframe messaging https://bugs.webkit.org/show_bug.cgi?id=204557
- Lack of callbacks https://bugs.webkit.org/show_bug.cgi?id=134330, https://bugs.webkit.org/show_bug.cgi?id=205239
- Sandboxing https://bugs.webkit.org/show_bug.cgi?id=205717
- No way to remove an individual user script https://bugs.webkit.org/show_bug.cgi?id=207544
- Relax block list limits https://bugs.webkit.org/show_bug.cgi?id=205719
- Introspection https://bugs.webkit.org/show_bug.cgi?id=205720
- Issues with cosmetics not triggering correctly: https://bugs.webkit.org/show_bug.cgi?id=151702, https://bugs.webkit.org/show_bug.cgi?id=162057
- Cannot count blocked requests: https://bugs.webkit.org/show_bug.cgi?id=151815, https://bugs.webkit.org/show_bug.cgi?id=152598
- There is no way to detect that content blocker contains errors: https://bugs.webkit.org/show_bug.cgi?id=151856
- No "subdocument" resource type: https://bugs.webkit.org/show_bug.cgi?id=153559
- No "xmlhttprequest" resource type: https://bugs.webkit.org/show_bug.cgi?id=154811
- Loadtype "third-party" does not match the commonly-used definition in blocklist: https://bugs.webkit.org/show_bug.cgi?id=171202
- ContentBlocker rules do not allow you to specify third-party cookies for blocking https://bugs.webkit.org/show_bug.cgi?id=207543
- IndexedDB and LocalStorage can only be blocked via injection of JavaScript https://bugs.webkit.org/show_bug.cgi?id=207545
- Restrictions on regex you can use (i.e. or's) https://bugs.webkit.org/show_bug.cgi?id=207539
- Allow mix and match domain limiters (i.e. if-domain & if-top-url) https://bugs.webkit.org/show_bug.cgi?id=207540
- WKWebView has SafeBrowsing, but it's private and for Safari only https://bugs.webkit.org/show_bug.cgi?id=196161
- Disable Universal Links: https://bugs.webkit.org/show_bug.cgi?id=158496
- No Service Workers support: https://bugs.webkit.org/show_bug.cgi?id=206741
Same list in spreadsheet form with some additional metadata: https://docs.google.com/spreadsheets/d/1FNLdH9sSOAS1X_Q72Ojg2z0-YuqC9QKXm5g0uzWpBic/edit?usp=sharing