23

In iOS 9, Apple is blocking insecure HTTP connections for apps, unless specific hosts are whitelisted.

http://ste.vn/2015/06/10/configuring-app-transport-security-ios-9-osx-10-11/

Are WebView(s) exempt from these rules for obvious reasons, or are we still expected to whitelist hosts that a browser opens... including all links from a given page?

I wasn't sure if this was our responsibility or if that was exempt.

soulshined
Ben Guild
  • This might explain what is behind ATS - https://medium.com/@Mrugraj/app-transport-security-b7910c4fc70f – Mrug Sep 18 '15 at 12:13

4 Answers

28

SFSafariViewController can show HTTP without the NSAppTransportSecurity key.

UIWebView and WKWebView require the NSAppTransportSecurity key mentioned above to display HTTP pages.

cannyboy
  • 1
    Do you have a source for this or actual confirmation? Because that's not what @Scooter said was his experience with **SFSafariViewController**. – Ben Guild Jul 15 '15 at 10:00
  • I tried this project (which does not have the NSAppTransportSecurity key) https://github.com/MShahmeer/SFSafariViewController-Test .. then changed it to load UIWebView and WKWebView. The UI and WK did not work with HTTP, but the SafariViewController did. Using Xcode 7.0 beta 3 (7A152u). Using simulator (haven't got iOS 9 device) – cannyboy Jul 15 '15 at 10:15
  • I had a similar experience, on finding the answer to my question here: http://stackoverflow.com/questions/32993320/raise-exception-on-app-transport-security/32994542#32994542. Even if you add a domain as an exception which loads on your UIWebView (I can't speak for the other 2 since I haven't tried), if that domain requests other insecure sources, it will block those requests inside the UIWebView as well. – Manu Kanthan Oct 07 '15 at 15:14
11

I have inserted the following in my app's .plist per the Apple Guidance:

<key>NSAppTransportSecurity</key>
<dict>
     <!--Include to allow all connections - with and without SSL (DANGEROUS)-->
     <key>NSAllowsArbitraryLoads</key>
     <true/>
</dict>

and when I try to load my webView (from an HTTPS server no less), I get the following error and it doesn't load.

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)

So it looks like not only are they not exempt, they don't work even if you make the correct addition to the .plist.

Morse
Scooter
  • 1
    Have you had the chance to try the new "SFSafariViewController"? I'm wondering if that's exempt. – Ben Guild Jul 13 '15 at 15:53
  • I hadn't heard of that one. I will give that a try tonight and see what I get. – Scooter Jul 13 '15 at 17:16
  • Still not working correctly for me. The way the app was written was that I was pulling a .pdf down from my web server directly into the UIWebView to display it. The web server requires basic authentication which I was providing using NSURLSession earlier in the app. Under iOS 9 though something has changed, and the UIWebView is no longer granted access. The workaround I have implemented is to simply download the .pdf to the documents directory, then load the UIWebView using the local url instead. It works fine, but I still wish I knew why the old way of doing this has quit working. – Scooter Jul 15 '15 at 01:17
  • That sucks. If you keep tinkering with it let me know if you have any updates. For now I'm OK with including the "arbitrary loads" flag in the transport security exceptions but I'm against it longterm. – Ben Guild Jul 15 '15 at 04:32
  • Will do. I am not sure how you can avoid the arbitrary loads though. I doubt any website will use TLS 1.2 exclusively, which is what App Transport Security is looking for. On my own private server I have configured Apache to use TLS 1.2 only, and it still caused trouble unless I set the arbitrary loads flag. Overall kinda frustrating. – Scooter Jul 15 '15 at 04:36
  • Yeah, I mean I'm basically just waiting for a way for Web Views to be exempt. There'll have to be some sort of exclusion for those since it's normal behavior to be able to visit insecure sites even on the local LAN. – Ben Guild Jul 15 '15 at 06:53
  • I'm having the same problem, reported here: `http://stackoverflow.com/questions/31937811/ios-another-error-using-app-transport-security-ats-9813` – ICL1901 Aug 11 '15 at 09:51
  • 1
    David, this link is broken. Could you please update it? Thanks! – Scooter Aug 13 '15 at 01:05
8

This question was originally about iOS 9; however, according to Apple's documentation:

Starting in iOS 10.0 and later, the following subkeys are supported:

  • NSAllowsArbitraryLoadsInWebContent
  • ...

Use NSAllowsArbitraryLoadsInWebContent so that you do not need to whitelist each page a WebView may load.

Keep NSAllowsArbitraryLoads to maintain backward compatibility with iOS 9 and enable the new setting in your Xcode 8 project Info.plist here: Enable ATS in project

Community
AtomicBoolean
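
The combined effect of the two keys named in this answer, as an added example (not code from the answer or from Apple): a Python check that parses an Info.plist and reports what ATS exempts on iOS 9 versus iOS 10 and later. The sample plist is constructed and the helper name `effective_ats` is hypothetical; the rule that iOS 10+ ignores NSAllowsArbitraryLoads whenever NSAllowsArbitraryLoadsInWebContent is present comes from Apple's ATS documentation.

```python
import plistlib

# Constructed Info.plist fragment with both keys set, as the answer recommends.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
        <key>NSAllowsArbitraryLoadsInWebContent</key>
        <true/>
    </dict>
</dict>
</plist>
"""


def effective_ats(info_plist_bytes, ios_major):
    """Report which loads escape ATS on a given iOS major version (hypothetical helper)."""
    ats = plistlib.loads(info_plist_bytes).get("NSAppTransportSecurity", {})
    arbitrary = bool(ats.get("NSAllowsArbitraryLoads", False))
    domains = sorted(ats.get("NSExceptionDomains", {}))
    if ios_major >= 10 and "NSAllowsArbitraryLoadsInWebContent" in ats:
        # iOS 10+: the mere presence of the web-content key makes ATS ignore
        # NSAllowsArbitraryLoads, so only web views can be exempt.
        return {
            "app_connections_exempt": False,
            "web_view_exempt": bool(ats["NSAllowsArbitraryLoadsInWebContent"]),
            "exception_domains": domains,
        }
    # iOS 9 does not know the web-content key; NSAllowsArbitraryLoads alone
    # decides, and it covers UIWebView/WKWebView as well as NSURLSession.
    return {
        "app_connections_exempt": arbitrary,
        "web_view_exempt": arbitrary,
        "exception_domains": domains,
    }


if __name__ == "__main__":
    for version in (9, 10):
        print(f"iOS {version}:", effective_ats(SAMPLE_INFO_PLIST, version))
```

With both keys set, the same binary runs with ATS fully disabled on iOS 9 but keeps ATS enforced for the app's own connections on iOS 10 and later, where only web view content is exempt.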
0

If your app (a third-party web browser, for instance) needs to load arbitrary content, Apple provides a way to disable ATS altogether, but I suspect it’s wise for you to use this capability sparingly:

<key>NSAppTransportSecurity</key>
<dict>
    <!--Include to allow all connections (DANGER)-->
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>
Subhash Khimani