Ionic 3 switching to WKWebView CORS time

Was hoping this would be smooth.
Because of remote working I was trying to find a way to test CORS just on the server side. The only thing that came up was to run a curl statement and see if headers are returned.

On a local version of the server added the following. (Some test code)

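// Test code: read the Origin header the client sent
String origin = this.request.getHeader("Origin");

log.debug("Mobile Origin is " + origin);

// Echo that Origin back as the allowed origin
this.response.setHeader("Access-Control-Allow-Origin", origin);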
...

Ran curl against it and saw the headers returned.

Moved the code up to a server that I could access from an iPhone. The iPhone has the updated web view code.

Problems I’m having:
In debugging the iPhone through Safari
I get the error "Origin ionic://localhost is not allowed by Access-Control-Allow-Origin"
"XMLHttpRequest cannot load https://dev.example.com/jsonws/login due to access control checks."

But checking the server log output, the Origin that is showing up is “https://dev.example.com”, not ionic:localhost?
Confused what is going on or where to fix it.
Added in allow-navigation href=“ionic://localhost” in config.xml but seems like that isn’t needed.

Where to go from here?

Thanks

I do have a browser version of the mobile app (thanks Ionic).
Was able to verify that headers are being returned in the chrome call. I can see the network call and see headers. This would have dev.example.com because that’s the box I’m testing on.

  1. Access-Control-Allow-Credentials: true
  2. Access-Control-Allow-Methods: POST GET, OPTIONS, DELETE, HEAD, PUT
  3. Access-Control-Allow-Origin: https://dev.example.com

Still lost. Not even sure what to debug anymore.

Added the allowed headers access. Because this is a JSON REST service it could be doing a pre-flight, even though I can’t see that happening.
this.response.setHeader("Access-Control-Allow-Headers", "origin, content-type, accept");

Finally out of desperation just changed the Origin to * all. Yet this is still failing on the iphone app.
“Origin ionic://localhost is not allowed by Access-Control-Allow-Origin”

That doesn’t make sense because I’m allowing all.

From my server log.
Mobile Origin is ionic://localhost
Header set as *

I know it’s being returned.

I’m down to trying to figure out if something else on WebKit is not playing nice. Not sure if I need to add something to plist or any other settings to allow https web sites?

Any idea?

Still stuck –
Backend server is set up to allow all Origins (Access-Control-Allow-Origin: *) just trying to get things to work.
Have a call that happens before login to check some security settings from the server. This does not pass any data up, so no JSON compared to login. This was not getting blocked by any CORS.
I noticed that this other call works fine but the test login call with JSON is getting blocked. Realized this has to be the pre-flight path that is trying to get called because my content type is JSON.

Can a person be even more stuck. I don’t know how to debug the pre-flight call/Options method. This seems to happen on server level and isn’t passed down to backend mobile code. Running a curl -X Options can not recreate the problem.

Any idea what else to try?

I’m also not sure if cookies are getting passed around correctly. I think that will be my next problem.
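An added example (not from the thread or from Ionic) that models, in simplified form, the CORS checks applied to the headers discussed above: a request sent with cookies is not accepted against `Access-Control-Allow-Origin: *`, and a JSON request is preflighted with OPTIONS. The origin allowlist, the POST method, the header values returned and the function names are assumptions.

```javascript
// Added example: simplified model of the CORS checks, not a full Fetch implementation.
// Assumption: these are the only origins the backend should trust.
const ALLOWED_ORIGINS = new Set(["ionic://localhost", "https://dev.example.com"]);
const SAFELISTED_METHODS = ["get", "head", "post"]; // never need listing in Allow-Methods

// Server side: CORS response headers for a preflight (OPTIONS) or actual request.
function corsHeaders(method, reqHeaders) {
  const origin = reqHeaders["origin"];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {}; // unknown origin gets nothing
  const res = {
    "access-control-allow-origin": origin, // exact allowlisted origin, never "*"
    "access-control-allow-credentials": "true",
    "vary": "Origin",
  };
  if (method === "OPTIONS" && reqHeaders["access-control-request-method"]) {
    res["access-control-allow-methods"] = "GET, POST, OPTIONS";
    res["access-control-allow-headers"] = "content-type, accept";
  }
  return res;
}

const list = (v) => (v || "").toLowerCase().split(",").map((s) => s.trim());

// Client side: would the web view accept this response? `preflight` is null for
// the actual request, or { method, headers } describing the request being preflighted.
function browserAccepts(origin, withCredentials, res, preflight) {
  const allow = res["access-control-allow-origin"];
  if (withCredentials) {
    if (allow !== origin) return false; // "*" is rejected when cookies are sent
    if (res["access-control-allow-credentials"] !== "true") return false;
  } else if (allow !== "*" && allow !== origin) {
    return false;
  }
  if (!preflight) return true;
  const method = preflight.method.toLowerCase();
  const methodOk = SAFELISTED_METHODS.includes(method) ||
    list(res["access-control-allow-methods"]).includes(method);
  const allowedHeaders = list(res["access-control-allow-headers"]);
  return methodOk && preflight.headers.every((h) => allowedHeaders.includes(h.toLowerCase()));
}

// Constructed sample: preflight for a JSON POST from the app's origin.
const sample = corsHeaders("OPTIONS", {
  "origin": "ionic://localhost",
  "access-control-request-method": "POST",
  "access-control-request-headers": "content-type",
});
console.log(browserAccepts("ionic://localhost", true, sample, { method: "POST", headers: ["content-type"] }));
```

To reproduce a preflight with curl, the OPTIONS request has to carry the `Origin`, `Access-Control-Request-Method` and `Access-Control-Request-Headers` headers the web view would send, since a bare OPTIONS request is not a preflight.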

As with many topics, I think your best source of accessible and reliable information is MDN. Also, if you control the backend, any chance you can be convinced to use tokens instead of cookies?