Don't forget entitlements for WebKit!

Sandboxing a macOS application can bring interesting questions on the table. One of them is certainly “which entitlement shall I enable?”

This short article is a small reminder on how to use a WKWebView in your app.

The sample application provided with this article presents a simple window with a single view: a WKWebView. On start, the website Automatisez.net is loaded and shown.

After this initial version, we’ll see what are the impacts of the sandbox.

Without Sandboxing

This is the easy path.

The initial version of the example application is configured to run without sandboxing.

Launch it and you will see that the web page loads properly, as expected.

Enabling Sandbox

In the project editor, select the application target and select the “capabilities” tab:

  1. turn on the option “App Sandbox”;
  2. build and run the application.

You should see the application window, but the content shall not load.

Make it work

If you intend to use a WKWebView in your sandboxed application you need to also ask for a specific entitlement: Outgoing Connections (client).

In the WebkitEntitlementDemo.entitlements the corresponding key value is com.apple.security.network.client.

On this screenshot you can seen entitlement for sandboxed application.

If you are using WebKit, you shall have the option Outgoing Connections (client) checked.

You have to allow network outgoing connection of the WKWebView will not be able to work as expected.

Few final words

It seems obvious to enable network connection when you intend to use a web browser component.

The trap with WKWebView is that this entitlement is required even if you do not access networks and limit yourself to your application bundle content resources, like embedded help files.


Resources