Skip to main content
Blog
Home/

Focused View, Safari, iOS Oh My!

Author Larry Kluger
Larry KlugerLead Product Manager for Partner Platforms
Summary4 min read

Discover how to accommodate the Safari web browser on iOS devices in your focused view and Click to Agree embedded signing sessions.

Table of contents

en-US

The focused view and focused view/Click to Agree options enable new, slimmer user experience styles for application developers. See the documentation, sections 2 and 3. You can easily try focused view and focused view/Click to Agree via the embedded signing test tool, shown below.

Testing a focused view session in the embedded signing test tool

However, as more and more developers are trying out the new focused view embedded signing session option, some common issues are cropping up.

Does focused view work with MacOS Safari and iOS WKWebView?

Yes! And you should try it yourself. The test tool also works with the Android WebView object and with many other web browsers, too. This is important: it enables you to use the test tool as a “golden example,” so you can determine whether any browser issues are from your code or from a Docusign embedded signing session. The test tool’s code is open source. The tool’s Logging option shows the API calls it makes.

When it doesn’t work

Several developers have reported their applications working fine with Chrome but not working with MacOS Safari and iOS WKWebView. The symptoms are:

Any differences between browsers are a bother for developers. Web standards across browsers are much more consistent these days, but there are still some differences. How browsers handle frame ancestors is just such a difference.

So far, these issues have been traced back to the frameAncestors property value used for the applications’ call to the EnvelopeViews:createRecipient eSignature REST API method. As documented on the Docusign JS for embedded signing page, the frameAncestors property must be only set to origins. Not URLs! No URL paths!

The web standards define an origin as a “scheme (protocol), hostname (domain), and port of the URL used to access it.” Some examples and their viability as frame ancestors:

  • "http://localhost:8080"OK (development only). Origin with the port number specified.

  • "http://localhost"OK (development only). Origin with http protocol.

  • "https://app.mycompany.io": OK. Origin using the default https port (443).

  • "http://app.mycompany.io": OK for development, but not production. Uses http protocol.

  • "https://app.mycompany.io/": Not OK. This is a URL since it includes part of the path.  

  • "https://app.mycompany.io/appV2": Not OK. This is a URL since it includes the path.

Why does my app work with Chrome?

In the cases seen so far, the developer’s application sets the frameAncestors attribute to include a complete URL, including a path, instead of just the origin. So why does the application work with Chrome?

The answer lies in networking philosophy. When writing networking software, should your software accept inputs that are wrong in an obvious way? Jon Postel, an early Internet developer, was a firm believer in what is now known as Postel’s Law: “be conservative in what you send, be liberal in what you accept.” 

For the CSP frame-ancestors setting, which can be viewed as a networking protocol, Postel’s law means that if your software (the web browser itself) is sent a URL when an origin is expected, just strip off the path to obtain the origin. 

This is what Chrome does. This is not what Safari or the iOS WKWebView does. As a result, your application works great with Chrome, but fails with Safari.

In a final analysis, both Chrome and Apple have implemented the CSP standard correctly. Chrome used Postel’s law correctly. Apple doesn’t need to implement Postel’s law, but it’d be nice if they did. Today, there’s no Internet Supreme Court to decide this “circuit split” issue. Until then, be careful to not use URLs when the protocol asks for origins. 

A red herring

Currently, focused view and Click to Agree sessions do not support recording the browser’s geolocation with the envelope. This causes a warning (not an error) to be shown on the browser’s console. Different browsers use different text for the warning. The warning will be similar to:

[Violation] Permissions policy violation: Geolocation access has been blocked because of a permissions policy applied to the current document.

This warning may seem important, but it is not. The signing session will still work properly. Developers should ignore this warning. It is not an error.

Additional resources

Author Larry Kluger
Larry KlugerLead Product Manager for Partner Platforms

Larry Kluger has over 40 years of tech industry experience as a software developer, developer advocate, entrepreneur, and product manager. An award-winning speaker prominent StackOverflow contributor, he enjoys giving talks and helping the ISV and developer communities.

Twitter: @larrykluger

LinkedIn: https://www.linkedin.com/in/larrykluger/

More posts from this author

Related posts

  • How to Set Up JavaScript OAuth Authorization Code Grant with PKCE
    Developers

    How to Set Up JavaScript OAuth Authorization Code Grant with PKCE

    Author Larry Kluger
    Larry Kluger
  • How to improve your app’s UX while users wait for API calls to complete

    How to improve your app’s UX while users wait for API calls to complete

    Author Larry Kluger
    Larry Kluger
How to Set Up JavaScript OAuth Authorization Code Grant with PKCE

How to Set Up JavaScript OAuth Authorization Code Grant with PKCE

Author Larry Kluger
Larry Kluger
How to improve your app’s UX while users wait for API calls to complete

How to improve your app’s UX while users wait for API calls to complete

Author Larry Kluger
Larry Kluger

Discover what's new with Docusign IAM or start with eSignature for free

Explore Docusign IAMTry eSignature for Free
Person smiling while presenting