Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[bug]: Desktop App not working for MacOs (cookies, cross-site-tracking) #4037

Open
1 task done
mkohns opened this issue May 6, 2024 · 5 comments
Open
1 task done

[bug]: Desktop App not working for MacOs (cookies, cross-site-tracking) #4037

mkohns opened this issue May 6, 2024 · 5 comments
Labels
bug Something isn't working desktop need testing Needs to be tested before merging onto production

Comments

@mkohns
Copy link

mkohns commented May 6, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Current behavior

The WebKit used by MacOS defaults to prevent any cookie cross-site-tracking. This prevents the desktop app to access a self hosted backend in non-dev enviroments. This is due to the fact that the tauri://localhost is first-class site and the backend ist hosted somewhere else. On Windows the WebKit does not have this issue but is marked for soon deprecation. The DevTools already point this out with a warning message.

Steps to reproduce

Build the desktop app on MacOs with self hosted backend.

Environment

Production

Version

Self-hosted
@mkohns mkohns added bug Something isn't working need testing Needs to be tested before merging onto production labels May 6, 2024
@mkohns
Copy link
Author

mkohns commented May 6, 2024
edited

I dived quite deeply into this topic and learned a lot about what is really going on here. I have some solutions implemented with different security impacts. I am quite unsure about which way is planed for hoppscotch.
My current suggestion:

Implement different auth for windows and macos

1.) MacOs: use localstorage + JWT Bearer in Auth header. . This could be considered to be safe as in MacOs Webkit the localstorage is partioned and only accessable for the page who created the entry.
2.) Windows: use new partioned cookies as recommened by google as the localstorage will be not partioned.

This is working seemless on my fork.

I would like to talk to someone about all this before creating a PR.

@SanskritiHarmukh
Copy link

Hi @mkohns , we're actively working on this issue. We expect it to be resolved by the end of the month with the upcoming release of our revamped desktop app.

@mkohns
Copy link
Author

mkohns commented May 6, 2024

Hey this sounds great. Do you have some more details what will be revamped?

@SanskritiHarmukh
Copy link

@AndrewBastin will be able to give more insights on this.

@mkohns
Copy link
Author

mkohns commented May 7, 2024

Hey @AndrewBastin nice to meet you!
Cool to hear that you are making revamping enhancements to the desktop app.
I also played around with the tauri + backend to get JWT Bearer working instead of cookies for Mac.
Could you give me some hints which major changes you are planning to do?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working desktop need testing Needs to be tested before merging onto production
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mkohns @JoelJacobStephen @SanskritiHarmukh