Support allowNavigation without injecting Capacitor code

[mhjam]

I'd like to ask whether it would be welcome to make the current handling of allowNavigation and script injection optional? The handleProxyRequest method in WebViewLocalServer has limitations with respect to redirects and cookies, so that it does not work well with all sites. On the other hand, it is possible that we would like to open a URL within the app, but do not need Capacitor integration for this other site at all.

I could figure either a global flag in capacitor.config.json that switches off the proxy for all entries in allowNavigation, or support (in addition to the current array of strings) an array of JSON objects like {"url": "www.example.com", "injectJs": "true"}.

I would be happy to provide a PR if this proposal is welcome.

[mlynch]

Sounds reasonable, might be good to support globs or something so you could do that for a collection or URLs?

[BobTape]

"allowNavigation": [
{"url": "*.example.com", "injectJs": "false"},
{"url": "192.168.0.1", "injectJs": "true"},
"192.168.0.1" // current syntax still supported of course, same as above
]

can be ok.

[mhjam]

@mlynch I think I can try that. I figure I could filter the list for entries with injectJs = true and let only those be handled like they currently are.

So users would be able to write something like

"allowNavigation": [
  {"url": "*.example.com", "injectJs": "false"},
  {"url": "192.168.0.1", "injectJs": "true"},
  "192.168.0.1" // current syntax still supported of course, same as above
]

Ok?

[jcesarmobile]

On iOS this can’t be done because the JavaScript is injected in the webview.
Also I’m not in favor of loading external sites inside the Capacitor app that don’t require Capacitor, if you don’t require it, probably shouldn’t load them inside the app but use browser plugin or the device browser.

[aagavin]

One example of were we'd like to open external sites inside the same webview as the app is when an external auth provider(eg. auth0) is used. Users shouldn't redirected to a browser to login an then be forced to open the app again.

@jcesarmobile is there a better way of doing this?

[DaanWasscher]

Specifically on Android I am having a similar problem. I redirect the webview to an external authentication provider. That providers domain is in the allowNavigation array, so it goes through the proxy.

My problem is not with the js injection but that the (Android) proxy does not process the set-cookie header of the response. My authentication provider relies on a session cookie between redirects which on Android does not get stored.

My issue would be solved by having an option in the allowNavigation array to exclude my domain from the proxy (as proposed by @mhjam) or handling the set-cookie header inside the proxy.

[mhjam]

I am sorry for not coming back to this issue earlier. Unfortunately, chances are pretty low that I will be able to provide a PR in the foreseeable future. Reasons are:

• I acknowledge that it is unclear how a compatible implementation for iOS should look like, as @jcesarmobile pointed out on May 26 last year.
• My customer meanwhile turned away from Capacitor for their Android App and is using a Trusted Web Activity instead, which I believe is indeed the better solution for our use case. We are still using Capacitor for the iOS app for lack of a TWA equivalent there, but on iOS we have no problems with the script injection.

[BobTape]

Hi capacitor team, what about this update?
I try to make login with keycloak and i have trouble with break capacitor when im redirect to on keycloak login page. (when i allow keycloak in capacitor.config.json with allowNavigation)

After it when im back and logged in, app lose capacitor interface. with no way to restart it wihout loggoff.
I need chose when load and when not.
Thanx.