iOS 11 and 10 have outdated native fetch implementation

[devinrhode2]

Summary: iOS 11 and 10 have a native window.fetch implementation, but they do not have credentials: 'same-origin' as the new default

This is not necessarily a browser bug. This is the original ticket in webkit's bugzilla tracker, "Make fetch() use "same-origin" credentials by default" https://bugs.webkit.org/show_bug.cgi?id=176023

It's fixed in iOS 12, and I'm assuming Apple isn't going to be updating iOS 11 and 10.

Basically, to account for iOS 11 and 10, developers need to ensure they pass credentials: 'same-origin' to all fetch calls which require cookies/auth (api's that return unique data from user's account, assuming they are logged in).

In leu of explaining everything in full depth, I think the best way to fix this would be with extremely specific UA detection, basically only checking for iOS 11 and 10, and if a UA appears to be iOS 11/10, running some code like this:

window.outdatedNativeFetch = window.fetch;
window.fetch = (url, opts) => window.outdatedNativeFetch(url, {...opts, credentials: 'same-origin'})

Of course, we could also just force the polyfill, if we fear there's more issues with iOS 11+10

[dgraham]

The polyfill doesn't patch browser bugs or old spec versions in native implementations. It's active only in browsers without a fetch implementation. The credentials option must be set in fetch requests until the site stops supporting browser versions with the older default of omit.

[devinrhode2]

Thanks for response. It's clear and concise. Still, I'd argue that, within reason, a fetch polyfill library should patch browser bugs, and at a minimum, should patch old spec versions which browser vendors themselves are not going to update/patch. Of course, people should update their iphones. Do you know of a type of fetch polyfill that does patch browser bugs?

[devinrhode2]

@dgraham How would you recommend most companies/projects go about patching this for iOS 11+10?

I'd imagine that it's easiest to just include this snippet if you need to support iOS 11+10, because proper UA-sniffing code could cost a lot of bytes.

window.outdatedNativeFetch = window.fetch;
window.fetch = (url, opts) => window.outdatedNativeFetch(url, {...opts, credentials: 'same-origin'})

For the extra paranoid/even more browser support, I'd recommend simply forcing this whole polyfill to run

Now... it's possible to do some feature detection here...
If fetch is natively defined, you COULD make a special "feature detection" request to the backend to see if cookies are included in that request, if they aren't, run the snippet I have shared above.
As an aside, you could avoid loading this polyfill if fetch is natively defined with something like if (!window.fetch) await import('whatwg-fetch') (this ideal does not compose with the "feature detection" request at all really)

There is another option... if the backend detects iOS 11/10 user agent, it injects this snippet:

window.outdatedNativeFetch = window.fetch;
window.fetch = (url, opts) => window.outdatedNativeFetch(url, {...opts, credentials: 'same-origin'});

This simply avoids sending the UA sniffing code to the client. You could probably also avoid loading the polyfill in this case too, but ought to tread lightly here

[devinrhode2]

I expect most developers and most projects will have no idea they need to include credentials: 'same-origin' and mostly they'll just have weird bugs on iOS 11+10. It was extremely hard and time-consuming to diagnose for the last company/project I was on.

[dgraham]

How would you recommend most companies/projects go about patching this for iOS 11+10?

We need to deal with the iOS 10 implementation of fetch on its own terms without patching over pieces of it. The approach we used was a module similar to this, mildly outdated, example. We called into the module function rather than using window.fetch directly.

When we stopped supporting browser versions with the previous credentials default of omit, we replaced calls to the module function with window.fetch.

[devinrhode2]

Just couldn't decide on a wording for that commit message ^

Regarding your example, it looks like there's actually a few other little things that are being patched up there. I'm assuming those are probably all documented in the readme. I noticed this credentials issue I'm concerned about is well documented here: https://github.com/github/fetch#sending-cookies

Thanks for digging up that example David!