2

We have an app which shows HTML content in a Webview. Currently the content served to the Webview is from a non-secured domain. From iOS 10, it is supposed to be served from a secured domain, so before migrating I want to clear up some doubts.

  1. Should the secured HTML page (https) have CSS and JS links from a secured server too? Some CSS and JS might be from a third server.

  2. If the secured HTML page (https) is loaded into the Webview and has some links which are not secured (http), will those links load in the Webview when the user taps on them?

Thanks in advance for your help.

miOS
  • If your app accesses any non-https content then you either need a specific exception (if you know what the server will be) or a general exception (i.e. disable ATS) if the content may come from anywhere. If you use SFSafariViewController then you don't need to disable ATS. If you use UIWebView or WKWebView then you do: http://stackoverflow.com/questions/31065204/ios-9-are-webviews-exempt-from-the-app-transport-security-exceptions-ats – Paulw11 Aug 05 '16 at 10:00
  • Thanks @Paulw11 for your reply. SFSafariViewController is available from iOS 9 but we have some customers who are still on iOS 7 devices. From iOS 10, Apple won't allow exceptions (i.e. disabling ATS) and all requests must be secured. So considering my question, do the CSS, JS and links inside the HTML content need to be secured? – miOS Aug 05 '16 at 10:18
  • First of all, it is not starting in iOS 10, but starting with apps submitted after the end of this year. It will be enforced on submit. Also, it is not true that Apple will not allow exceptions. They will allow you to put exceptions, but it seems that they will ask for justification when you submit, and they may or may not reject your app if your justification isn't good enough. – wottle Aug 05 '16 at 19:17
  • As to your question, I do believe embedded resources / referenced resources will also need to be secured if you are loading them in a UIWebView. You, of course, could always try it in your app to verify. Simply remove the ATS exceptions from your Info.plist, then point your UIWebView at a secure URL that has references to non-secure css or js files. Then you could answer your own question for sure. I've never done it, so I can't say with full confidence. Or maybe someone else has and can post. – wottle Aug 05 '16 at 19:19
  • Thanks @wottle for your reply. I will try to create a test environment to verify the above cases. – miOS Aug 09 '16 at 05:12

1 Answer

5

I did a quick test and it appears that any referenced resources that need to be loaded by the UIWebView to properly display the page must abide by the ATS rules, but also follow any exceptions you have specified in the Info.plist for your project. If I tried to follow a link to a non-https site in the UIWebView, it gave me errors as well.

I think your best bet would be to use the SFSafariViewController conditionally for iOS 9 users. You can continue to use the UIWebView for the iOS 7 and iOS 8 devices, which do not strictly enforce ATS. This imposes some extra code, but it should be minimal.

Also, just a clarification on Apple's changes around enforcement of App Transport Security. They announced that App Transport Security would be required for apps submitted after December 31, 2016. This means the impact is not so much based on the user's device OS, but rather the developers who are submitting. Also, Apple is still allowing exceptions to be added, as long as you have a justification. We do not yet know what types of justifications Apple will allow. Finally, Apple stated in their WWDC session that apps could still include an exception to the forward secrecy part of the ATS requirements without a separate justification. Until we get to 1/1/2017, though, we will not know for sure how this will work.

Edit: It appears Apple has added a new exception you can use to allow non-ATS connections in UIWebView and WKWebView instances. It is NSAllowsArbitraryLoadsInWebContent. This should do exactly what you are looking for. Here is a great summary of the latest with ATS: preparing for ATS in 2017.

wottle
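As an added example (not part of the original answer, and not Apple's tooling), the following Python check reads an Info.plist and reports the ATS exceptions discussed above: the general exception, the web-content exception, per-domain exceptions and the forward-secrecy exception. The sample plist, the domain cdn.example.com, the function name audit_ats and the severity labels are constructed for illustration.

```python
import plistlib

# Constructed sample Info.plist (not from the post): ATS disabled globally,
# the web-content exception set, and one per-domain exception.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>cdn.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""


def audit_ats(plist_bytes):
    """Return (severity, message) findings; severity labels are this example's own."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    web_only = ats.get("NSAllowsArbitraryLoadsInWebContent", False)
    if ats.get("NSAllowsArbitraryLoads", False):
        if web_only:
            # Apple documents that iOS 10+ ignores NSAllowsArbitraryLoads when
            # NSAllowsArbitraryLoadsInWebContent is present; iOS 9 still honours it.
            findings.append(("medium", "NSAllowsArbitraryLoads: global exception on iOS 9 only"))
        else:
            findings.append(("high", "NSAllowsArbitraryLoads: ATS disabled for all connections"))
    if web_only:
        findings.append(("medium", "NSAllowsArbitraryLoadsInWebContent: web views may load http"))
    for domain, rules in sorted(ats.get("NSExceptionDomains", {}).items()):
        if rules.get("NSExceptionAllowsInsecureHTTPLoads", False):
            findings.append(("medium", f"{domain}: plain http allowed"))
        if rules.get("NSExceptionRequiresForwardSecrecy", True) is False:
            findings.append(("low", f"{domain}: forward secrecy not required"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_ats(SAMPLE_PLIST):
        print(f"[{severity}] {message}")
```

Running it against a build's Info.plist before submission gives the list of exceptions that would each need a justification.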