
I'm maintaining an app on the App Store which is free for end-users but pays for itself with ads (which we sell ourselves as opposed to getting random ads via Google). The ads are displayed in a WKWebView that fetches a webpage on our own server that contains the ad. We use Revive Adserver to count views and clicks.

One presumptive advertiser is insisting that they be able to track the clicks for the ad campaign's effect themselves (views and clicks), which means the webpage needs to load a JavaScript from www.googletagservices.com – but it appears that WKWebView disallows JavaScript from domains other than the webpage's own domain for privacy and security purposes. When opening the Web Inspector for the ad page, I get error messages saying:

    Blocked a frame with origin "https://ad.doubleclick.net" from accessing a frame with origin "https://www.ourdomain.com". Protocols, domains, and ports must match.

While not the www.googletagservices.com domain, my understanding is that these messages are reflective of the same underlying issue.

I have read the documentation for WKWebView and searched for ways to allow an exemption for a specific domain/JavaScript in order to meet the advertiser's demands, but have so far come up with none. My tentative conclusion is that there is no way of doing this.

The things I've tried are all over the place, but in general I've tried everything that could potentially allow a JavaScript to run. What's weird is that the Android app does not have this issue – weird because this 'same-origin policy' seems pretty much standard across browsers.

I've looked at "SecurityError: Blocked a frame with origin from accessing a cross-origin frame", but as we (sadly) don't control Google's domains, it seems unfeasible.

From what I understand, WKUserScript is meant for running scripts that you control yourself – which obviously can't be said about the scripts from Google.

Here's the configuration of the WKWebView:

    lazy var webView: WKWebView = {
        let config = WKWebViewConfiguration()
        config.preferences.setValue(true, forKey: "developerExtrasEnabled") // This row was added while trying workarounds
        config.preferences.javaScriptEnabled = true  // This row was added while trying workarounds
        let someWebView = WKWebView(frame: self.view.frame, configuration: config)
        someWebView.scrollView.isScrollEnabled = false
        someWebView.navigationDelegate = self
        someWebView.translatesAutoresizingMaskIntoConstraints = false

        let footerURL = URL(string: "https://www.ourdomain.com/banners/ios/footer.php")!
        let request = URLRequest(url: footerURL)
        someWebView.load(request)
        return someWebView
    }()

I'll admit that my understanding of the issue at hand is quite superficial, but I still would like to ask the community:

Is there any way to meet the advertiser's request, ideally without compromising security and user privacy?

Frost
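The same-origin comparison behind the console message quoted in the question, as an added example that is not part of the original post. The function names and the `/example.js` and `/ad-frame` paths are constructed for illustration; the hosts are the ones named in the question.

```javascript
// An origin is the tuple (scheme, host, port). URL.origin serialises it and
// drops default ports, so https://host:443 and https://host compare equal.
// URLs without a tuple origin (e.g. data:) serialise to the opaque "null".
function originOf(url) {
  return new URL(url).origin;
}

// A classic <script src> runs with the origin of the document that includes
// it; the host the script file was fetched from plays no part in the check.
function scriptExecutionOrigin(documentUrl, scriptSrc) {
  new URL(scriptSrc, documentUrl); // validates the src only
  return originOf(documentUrl);
}

// Decide whether code in one frame may reach into another frame's document.
// Opaque origins never match anything, including themselves.
function frameAccess(accessorDocUrl, targetDocUrl) {
  const a = originOf(accessorDocUrl);
  const t = originOf(targetDocUrl);
  const allowed = a !== "null" && a === t;
  const message = allowed
    ? null
    : `Blocked a frame with origin "${a}" from accessing a frame with ` +
      `origin "${t}". Protocols, domains, and ports must match.`;
  return { allowed, message };
}

// Constructed sample URLs (paths other than footer.php are placeholders).
const PAGE = "https://www.ourdomain.com/banners/ios/footer.php";
const TAG_SCRIPT = "https://www.googletagservices.com/example.js";
const AD_FRAME = "https://ad.doubleclick.net/ad-frame";

function demo() {
  return {
    tagScriptRunsAs: scriptExecutionOrigin(PAGE, TAG_SCRIPT),
    adFrameToPage: frameAccess(AD_FRAME, PAGE),
    samePageExplicitPort: frameAccess("https://www.ourdomain.com:443/a", PAGE),
    schemeMismatch: frameAccess("http://www.ourdomain.com/a", PAGE),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```
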