Search code examples
javascripthtmlwindows-8.1winjswindows-phone-8.1

How can I load remote content in a WinJS iframe whilst avoiding SEC7117 errors?


I'm trying to port an existing web app to Windows Phone 8.1 (and later, to Windows 8.1). This is not static content, this is a dynamic page with loads of client-side functionality.

My default.html file has <iframe src="https://remote.example.com/app.html"></iframe>.

The content in the iframe works in the emulator, and resources that are directly referenced in that initial HTML seems to work. However, my web app but triggers several errors like this:

SEC7117: Network request to https://cdn.remote.example.com/extra.js did not succeed. Your application manifest does not declare the following capabilities: internetClient privateNetworkClientServer

I get similar errors for https://cdnjs.cloudflare.com/... and https://example.cloudfront.net/...

The emulator is just being kind, these resources won't work at all once the app is running on a real device.

My package.appxmanifest file includes the following:

  <ApplicationContentUriRules>
    <Rule Match="https://remote.example.com/" Type="include" />
    <Rule Match="https://cdnjs.cloudflare.com/" Type="include" />
    <Rule Match="https://example.cloudfront.net/" Type="include" />
    <Rule Match="https://cdn.remote.example.com/" Type="include" />
  </ApplicationContentUriRules>
...
<Capabilities>
  <Capability Name="internetClientServer" />
  <Capability Name="picturesLibrary" />
  <Capability Name="internetClient" />
  <Capability Name="privateNetworkClientServer" />
  <DeviceCapability Name="location" />
  <DeviceCapability Name="webcam" />
</Capabilities>

Why are these SEC7117 errors happening? I've tried using the <x-ms-webview></x-ms-webview> element instead of an iframe, but then many of the Web Platform APIs (e.g. HTML5 GeoLocation) stop working, and Microsoft's own guidance seems to use MSWebView for static content.

For security purposes, I'd really rather that my web app be executed in the "web context", and use postMessage to perform app-like activities (and this part is working). And by sourcing the content directly from the host like this, I can update this part of the Windows Phone app without needing to push updates through the Marketplace.

Is there something I'm missing? Am I using the wrong element? How are other people wrapping existing web apps for Windows Phone 8.1?


Solution

  • This is mostly likely caused by the iframe security model.

    At Features and restrictions by context the table lists Cross-domain XHR requests as being disabled in the web context (which, according to Developing secure apps "remote web content loaded by an iframe is always loaded in the web context").

    If you are loading the content via XHR, you will be blocked.

    You can investigate methods, using postMessage to fetch data in the Local context and then pass it back into the Web context.