WKWebview [Warning] [blocked] The page at https://www.myurl.com was not allowed to display insecure content from mycustomscheme://?path=somepath

Question

I've recently replaced my UIWebview to a WKWebview in my hybrid app. I'm using a custom scheme to load images from the native part of the app as it's recommended by Apple here: https://developer.apple.com/videos/play/wwdc2017/220/

I'm loading the images from a url that look like mycustomscheme://?path=somepath

I've added Content-Security-Policy header to allow for the mixed content, and it looks like this (irrelevant parts were removed):

Content-Security-Policy: default-src 'self' www.myurl.com ; img-src 'self' mycustomscheme: ; script-src 'self' 'unsafe-inline' 'unsafe-eval' ; report-uri https://www.myreporturl.com/

This works for most devices and lets the request to mycustomscheme go through, and report to myreporturl if anything was blocked. However, on some devices the custom requests are blocked with this error: [Warning] [blocked] The page at https://www.myurl.com was not allowed to display insecure content from mycustomscheme://?path=somepath and no report is being sent to myreporturl, as if the header was not loaded at all.

I've confirms that the header is actually sent, and that the problematic devices are running the latest iOS (12.1.4).

Any advice on how to prevent my custom requests from getting blocked would be much appreciated!

Answer 1

Try the following for loading image policy:

img-src 'self' 'unsafe-inline' 'unsafe-eval' data: http: https: mycustomscheme: filesystem: file:;