feat(webview): accept third-party cookies so Twitter/FB/Imgur embeds render (#526)#806
feat(webview): accept third-party cookies so Twitter/FB/Imgur embeds render (#526)#806jim-daf wants to merge 2 commits intoAwful:developfrom
Conversation
There was a problem hiding this comment.
Pull request overview
Enables third-party cookies in the shared AwfulWebView configuration so cross-origin iframe embeds (e.g., Twitter/Facebook/Imgur/Instagram) can receive cookies and render correctly in all places the app mounts AwfulWebView.
Changes:
- Enable third-party cookies via
CookieManager.setAcceptThirdPartyCookies(...)duringAwfulWebViewinitialization. - Add inline documentation explaining the embed-rendering motivation (Issue #526).
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| // Issue #526: third-party embeds (Twitter, Facebook, Imgur, | ||
| // Instagram) load their iframe content from a different origin | ||
| // and need their session cookie to render. Without this the | ||
| // embed area shows a blank box or a "log in" stub. | ||
| CookieManager.getInstance().setAcceptThirdPartyCookies(this, true); |
There was a problem hiding this comment.
CookieManager is referenced here but the file doesn't import android.webkit.CookieManager, so this won't compile as-is. Add the missing import (or fully-qualify the type).
| // Instagram) load their iframe content from a different origin | ||
| // and need their session cookie to render. Without this the | ||
| // embed area shows a blank box or a "log in" stub. | ||
| CookieManager.getInstance().setAcceptThirdPartyCookies(this, true); |
There was a problem hiding this comment.
Now that third-party cookies are enabled in AwfulWebView.init(), there is a second call to setAcceptThirdPartyCookies in ThreadDisplayFragment.refreshSessionCookie(). Consider removing the other call so this setting has a single source of truth and can’t drift between usages.
Towards #526.
The unchecked items on the embed wishlist (Facebook posts, Imgur galleries, Twitter cards in places they currently fail) all share one root cause when rendered inside an
AwfulWebView. Their iframe content lives on a different origin and needs the third-party session cookie to render. Modern Android WebView blocks that cookie unless you opt in.This PR enables
setAcceptThirdPartyCookieson the WebView itself, so every placeAwfulWebViewis mounted (thread display, PM display, preview) inherits the change. It does not add any new embed handlers, that work belongs inthread.js, but it removes the silent-fail you currently see on the existing Twitter and Instagram embeds when the user is signed out of those services.I left the rest of the wishlist alone because each platform needs its own URL-shape detection and HTML scaffold in the embed code.