
iframe does not work with "frame-ancestors *" CSP (iOS WKWebView) #1537

@vbraun

Description

Bug Report

Problem

On iOS, an iframe cannot embed a page where the server sets a frame-ancestors * Content Security Policy.

This is despite allowing navigation in the config.xml

    <access origin="*" />
    <allow-navigation href="https://*.menti.com/*" />
    <platform name="ios">
        <preference name="scheme" value="app"/>
    </platform>

What is expected to happen?

The iframe content should load

What does actually happen?

On iOS, the iframe fails to load with

Refused to load https://www.menti.com/xyz because it does not appear in the frame-ancestors directive of the Content Security Policy.

On Android, the iframe loads as expected. Possibly because Android allows the app to use the https:// scheme.

Information

It seems that * does not match the iOS scheme, which is app:// in my case. Presumably it would match https://, but that is not allowed by Apple.

This might not be fixable on the Cordova side, but there was no bug report documenting the issue.

This can be worked around on the server side by explicitly allowing the scheme, if you control the server side.
As an example, typeform did this here: Typeform/embed#311
I don't know any other workaround.

Environment, Platform, Device

cordova-ios version 7.1.1

Checklist

  • I searched for existing GitHub issues
  • I updated all Cordova tooling to most recent version
  • I included all the necessary information above
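To make the reported behaviour concrete, the following is an added example (not Cordova, WebKit or the reporter's code) that implements the CSP Level 3 source-expression matching rules for frame-ancestors in plain Node.js. The embedder origin app://localhost is an assumption derived from the report's scheme preference (Cordova iOS serves the app from app://localhost by default), and the policy "frame-ancestors * app:" is the kind of server-side fix the report refers to, not a quote from the linked Typeform change. Per the spec, a bare * only matches http(s) embedders or an embedder with the same scheme as the framed page, which is why an https page behind "frame-ancestors *" rejects an app:// parent while an explicit scheme-source accepts it.

```javascript
// Added example: minimal CSP3 "does url match expression" logic for frame-ancestors.
// Assumptions (not from the original issue): embedder origin app://localhost,
// and "app:" as the explicit scheme-source added server-side.

const HTTP_SCHEMES = new Set(["http:", "https:"]);

// Split an origin such as "https://www.menti.com" or "app://localhost" into parts.
// URL reports "" for a default port, which the port check below relies on.
function parseOrigin(origin) {
  const u = new URL(origin);
  return { scheme: u.protocol, host: u.hostname, port: u.port };
}

// CSP lets an "http:" scheme-part also cover https: (secure upgrade).
function schemeMatches(exprScheme, urlScheme) {
  return exprScheme === urlScheme || (exprScheme === "http:" && urlScheme === "https:");
}

// `self` is the origin of the page carrying the policy (the framed page),
// `embedder` is the ancestor frame's origin being checked.
function expressionMatches(expr, embedder, self) {
  if (expr === "'none'") return false;
  if (expr === "'self'") {
    return embedder.scheme === self.scheme && embedder.host === self.host && embedder.port === self.port;
  }
  // "*" matches any http(s) embedder, or one whose scheme equals self's scheme.
  // A custom scheme such as app: framing an https page therefore does NOT match.
  if (expr === "*") {
    return HTTP_SCHEMES.has(embedder.scheme) || embedder.scheme === self.scheme;
  }
  // scheme-source, e.g. "app:" or "https:"
  if (/^[a-zA-Z][a-zA-Z0-9+.-]*:$/.test(expr)) {
    return schemeMatches(expr.toLowerCase(), embedder.scheme);
  }
  // host-source: [scheme://]host[:port], host may start with "*."
  const m = /^(?:([a-zA-Z][a-zA-Z0-9+.-]*):\/\/)?(\*\.[^:/]+|[^:/*]+)(?::(\d+|\*))?$/.exec(expr);
  if (!m) return false;
  const [, scheme, host, port] = m;
  const exprScheme = scheme ? scheme.toLowerCase() + ":" : self.scheme;
  if (!schemeMatches(exprScheme, embedder.scheme)) return false;
  const hostOk = host.startsWith("*.")
    ? embedder.host.toLowerCase().endsWith(host.slice(1).toLowerCase())
    : embedder.host.toLowerCase() === host.toLowerCase();
  if (!hostOk) return false;
  // Simplification: no port in the expression means "default port of the scheme",
  // which the URL parser already normalises to "".
  if (port === undefined) return embedder.port === "";
  if (port === "*") return true;
  return embedder.port === port;
}

// Evaluate a Content-Security-Policy header value against one ancestor origin.
// Returns true when framing is allowed. A missing frame-ancestors directive does
// not restrict framing; a frame-ancestors directive with no sources means 'none'.
function frameAncestorsAllows(policy, embedderOrigin, pageOrigin) {
  const directive = policy
    .split(";")
    .map((s) => s.trim())
    .find((s) => /^frame-ancestors(\s|$)/i.test(s));
  if (!directive) return true;
  const exprs = directive.split(/\s+/).slice(1);
  const embedder = parseOrigin(embedderOrigin);
  const self = parseOrigin(pageOrigin);
  return exprs.some((e) => expressionMatches(e, embedder, self));
}

// Usage: the situation from the report, and the explicit-scheme fix.
console.log(frameAncestorsAllows("frame-ancestors *", "app://localhost", "https://www.menti.com"));      // false
console.log(frameAncestorsAllows("frame-ancestors * app:", "app://localhost", "https://www.menti.com")); // true

module.exports = { parseOrigin, expressionMatches, frameAncestorsAllows };
```

The first call reproduces the WKWebView refusal: with the app scheme the embedder is neither http(s) nor the framed page's own scheme, so `*` yields no match. Android loads the same iframe because its WebView serves the app from https://localhost, which `*` does cover. The fix is to list the custom scheme explicitly; note that `app:` then admits any app:// origin, so a server that wants to limit embedding to one app should prefer a full host-source such as `app://localhost` over the bare scheme.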


    Labels

    webkit bug: Bugs that originate upstream in Apple's WebKit implementation
