App Transport Security Xcode 7 beta 6

Question

I'm currently working on Xcode 7 beta 6. I'm trying to send a "DELETE" request to http://mySubdomain.herokuapp.com

The error I receive is:

App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.
Error making API call: Error Domain=NSURLErrorDomain Code=-1022 The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.
NSLocalizedDescription=The resource could not be loaded because the App Transport Security policy requires the use of a secure connection., NSUnderlyingError=0x796f7ef0 {Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"}}

In my actual API call I put "https" instead of "http" and that actually worked for my POST requests. But the DELETE request throws the above error.

I've seen solutions on here that involve the pList file, but none of them have worked for me. I've listed my attempts below.

First attempt:

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSAllowsArbitraryLoads</key>
      <true/>
</dict>

Second try:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>herokuapp.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
            <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
            <false/>
            <key>NSThirdPartyExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
            <key>NSRequiresCertificateTransparency</key>
            <false/>
        </dict>
    </dict>
</dict>

And finally, I even put all these temporary keys in like so:

<key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>herokuapp.com</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSTemporaryIncludesSubdomains</key>
                <true/>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSExceptionRequiresForwardSecrecy</key>
                <false/>
                <key>NSTemporaryExceptionRequiresForwardSecrecy</key>
                <false/>
                <key>NSExceptionMinimumTLSVersion</key>
                <string>TLSv1.2</string>
                <key>NSTemporaryExceptionMinimumTLSVersion</key>
                <string>TLSv1.2</string>
                <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSTemporaryThirdPartyExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
                <false/>
                <key>NSTemporaryThirdPartyExceptionRequiresForwardSecrecy</key>
                <false/>
                <key>NSThirdPartyExceptionMinimumTLSVersion</key>
                <string>TLSv1.2</string>
                <key>NSTemporaryThirdPartyExceptionMinimumTLSVersion</key>
                <string>TLSv1.2</string>
                <key>NSRequiresCertificateTransparency</key>
                <false/>
                <key>NSTemporaryRequiresCertificateTransparency</key>
                <false/>
            </dict>
        </dict>
    </dict>

All with no luck! I always get the same error. The DELETE request is formatted correctly because when I manually do it from Postman, I get the desired result.

Here is what my actual API call method looks like, just in case there could be an issue here:

class func makeDELETEALLRequest(completion: (error:Bool) -> Void) {
        let session = NSURLSession.sharedSession()
        let url = NSURL(string:"https://mysubdomain.herokuapp.com/42kh24kh2kj2g24/clean")
        let request = NSMutableURLRequest(URL: url!)
        request.HTTPMethod = "DELETE"

        let task = session.dataTaskWithRequest(request) { (data, response, error) -> Void in

            if (error != nil) {
                print("Error making API call: \(error!)")
                completion(error: true)
            } else {
                let HTTPResponse = response as! NSHTTPURLResponse
                let statusCode = HTTPResponse.statusCode
                if (statusCode == 200){
                    print("Successfully deleted!")
                    completion(error: false)
                } else {
                    print("Different status code: \(statusCode)")
                    completion(error: true)
                }
            }
        }
        task.resume()
    }

Once again, I'm using Xcode 7 beta 6.

ABOUT MY SELECTED ANSWER The answer I selected as correct was right for me because I made all these changes to the wrong pList file in my project and that answer was the only one that addressed the possibility. The solutions offered by the other answers are not wrong, so any other people experiencing this issue should give them a try, since they are valid. I hope this helps anyone having similar issues.

A guide To check acceptability of Web URL is available https://medium.com/@Mrugraj/app-transport-security-b7910c4fc70f. this might help to understand for future — Mrug, Sep 18 '15 at 12:14
First attempt work in my case any way i find it helpfull so i have thumbs up for u — Nischal Hada, Dec 08 '15 at 07:06

score 50 · Answer 1 · edited May 23 '17 at 12:26

I have solved it with adding some key in info.plist. As I am using objective C for some native application.

The steps I followed are:

Opened my Projects info.plist file
Added a Key called NSAppTransportSecurity as a Dictionary.
Added a Subkey called NSAllowsArbitraryLoads as Boolean and set its value to YES as like following image.

Clean the Project and Now Everything is Running fine as like before.

Ref Link:

Carl Hine · Answer 2 · 2016-03-23T15:00:46.153

Appreciate you've tried adding the following, to your plist file:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

... you might want to try to change your line:

let url = NSURL(string:"https://mysubdomain.herokuapp.com/42kh24kh2kj2g24/clean")

to:

let url = NSURL(string:"http://mysubdomain.herokuapp.com/42kh24kh2kj2g24/clean")

Apologies if you have tried this. I can understand how frustrating it is when you think you've exhausted all avenues.

But as soon as I ran up my App on Xcode 7, so that I could test our Apps, one kicked off with the "App Transport Security" problem. We're using Oracle-based web-services and it's too late in the day to start configuring digital certificates for SSL-based HTTP. So, the above addition to my plist file did the trick. Appreciate you say you've tried this. But, just to help anyone else, it did actually work for me. It need to as I have no immediate way of enabling SSL on our Oracle box.

score 13 · Accepted Answer · answered Sep 20 '15 at 22:21

I, too, had trouble overriding App Transport Security after upgrading to xCode 7.0, and tried the same kinds of solutions you have to no avail. After walking away from it for awhile, I noticed that I had made the changes to the Info.plist under Supporting Files of "MyAppName Tests" rather than the one in the project itself. The Supporting Files folder in my project wasn't expanded, so I hadn't even noticed the Info.plist in it.

Typical amateur mistake, I'm sure, but they're only a couple of lines apart in the Project Navigator and it had me frustrated until I noticed the distinction. Thought I'd mention it in case you're having the same problem.

score 5 · Answer 4 · edited Mar 02 '16 at 08:25

5

I have solved as plist file.
1. Add a NSAppTransportSecurity : Dictionary.
2. Add Subkey named NSAllowsArbitraryLoads as Boolean : YES

This worked well.

edited Mar 02 '16 at 08:25

Mihir Oza

2,768
3
35
61

answered Sep 17 '15 at 16:07

Juseman Andrey

51
1

Worked for me well – Rizwan Abbas Mar 24 '16 at 09:01

Hamed · Answer 5 · 2018-09-23T05:33:32.207

5

In Xcode 8 & Xcode 9

Open my Projects info.plist file
Add a Key called AppTransportSecurity as a Dictionary.
Add a Subkey called AllowsArbitraryLoads as Boolean and set its value to YES as like following image.

edited Sep 23 '18 at 05:33

answered Feb 11 '17 at 15:22

Hamed

1,678
18
30

yerlilbilgin · Answer 6 · 2022-05-27T13:01:36.347

For XCode 13, I didn't find any Info.plist file, and from the UI it is tricky to add the mentioned AppTransportSecurity setting.

The App Transport Security Settings don't exist by default. You have to know by heart that Pressing that + button will not add a sub item, but completely add a new item.

I know that sounds not so clear and clever, but if you click that + button, it will show you a set of Keys that are not related to Bundle name (or any other root level key), but will allow you to add new keys to the root level including AppTransportSecurity. So non trivial, but that is how they designed it.

Consequently, it looks like this:

App Transport Security Xcode 7 beta 6

6 Answers6

Linked