Issues with Custom URI scheme in Android

Problem

A mobile app that uses OIDC to authenticate users and a custom URI scheme to handle the redirect works fine on iOS, but in Chrome on Android a mixed content error is observed.

Symptoms

The following error is observed in the browser network trace:

Mixed Content: The page at 'https://URL...' was loaded over a secure connection, but contains a form that targets an insecure endpoint '<Custom_URI>'. This endpoint should be made available over a secure connection.

Solution

Chrome on Android has the IntentBlockExternalFormRedirectsNoGesture setting. The issue occurs when the redirect_uri is handled by the mobile app through an "intent filter" (see below): Chrome does not allow a form.submit() to reach a URI registered as an intent, even when the form is submitted with HTTP GET.

About "intents"

https://developer.android.com/reference/android/content/Intent

https://developer.android.com/guide/components/intents-filters

A workaround is to replace form.submit with location.assign or location.replace in the JavaScript. A GET form submission is itself only a navigation to the form's action URL with the form fields placed in the query string, so building that URL by hand and navigating to it delivers the same parameters to the app's intent filter without going through the blocked form-submit path. The override should be limited to forms whose method is GET; a POST form must keep its native submit.

Workaround example below:

appauth.properties

javascript = /resource/script/appauth.js
#autosubmit = false

appauth.js
addEventHandler("load", function(load) {
	// Only act on the pages that render the auto-submitted redirect form.
	switch(view.getViewServerPage()) {
		case "/WEB-INF/jsp/success.jsp":
		case "/WEB-INF/jsp/exit.jsp":
		case "/WEB-INF/jsp/error.jsp":
			break;
		default:
			return;
	}
	const form = document.getElementById("form");
	// Only a GET form can be turned into a plain navigation; POST forms are left alone.
	if(form && form.method === "get") {
		const submit = () => {
			// Build the URL a GET submission would produce: the form fields
			// replace the action's query string, as in a normal GET submit.
			const url = new URL(form.action);
			url.search = new URLSearchParams(new FormData(form));
			location.replace(url);
		};
		// Block any native submit and route form.submit() through location.replace.
		form.addEventListener("submit", e => e.preventDefault());
		form.submit = submit;
	}
});
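The same workaround in a self-contained form, as an added example that is not the page's own script: the URL construction is separated into a pure function so it can be checked outside a browser, and the browser-side wiring reports whether the override was installed. The function names, the sample form fields and the com.example.app scheme are assumptions made for illustration.

```javascript
// Added example (not the original page's code). Demonstrates replacing a
// GET form submit with a navigation built from the form's fields.

// Compute the URL a browser would navigate to when submitting a GET form.
// The fields replace the action's query string, which is what a normal GET
// submission does and what the page's script does with url.search.
// Custom schemes (com.example.app://...) parse as non-special URLs, so the
// same code serves an intent-handled redirect_uri and an https one.
function buildGetRedirectUrl(action, entries) {
  const url = new URL(action);
  url.search = new URLSearchParams(entries).toString();
  return url.href;
}

// Browser side: route form.submit() through location.replace. Returns true
// when the override was installed and false for non-GET forms, which keep
// their native submit (a POST redirect form is not a plain navigation).
function redirectInsteadOfSubmit(form) {
  if (form.method !== "get") return false;
  form.addEventListener("submit", (e) => e.preventDefault());
  form.submit = () => {
    const entries = Array.from(new FormData(form).entries());
    location.replace(buildGetRedirectUrl(form.action, entries));
  };
  return true;
}

// Constructed sample input standing in for the auto-submitted redirect form:
// an authorization response (code and state) targeting a custom scheme.
const sampleAction = "com.example.app://oauth2/callback";
const sampleFields = [
  ["code", "SplxlOBeZQQYbYS6WxSbIA"],
  ["state", "af0ifjsldkj"],
];

// Usage in a page: redirectInsteadOfSubmit(document.getElementById("form"));
// buildGetRedirectUrl(sampleAction, sampleFields) returns
// "com.example.app://oauth2/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj"
```

Any query string already present on the action is discarded, matching GET form semantics; if the redirect_uri registered with the provider carries its own query parameters, they must be included as form fields rather than in the action.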