6

Apple has announced that NSAllowArbitraryLoads will not work soon. Therefore, in iOS 10, I have this in my info.plist:

<key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>myAPIdomain</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
            </dict>
        </dict>
        <key>NSAllowsArbitraryLoadsInWebContent</key>
        <true/>
    </dict>

This works for my API request and content in UIWebView. However, in iOS9, NSAllowsArbitraryLoadsInWebContent is not supported and it is recommended to include NSAllowsArbitraryLoads for iOS 9 support. But I think this will override my NSExceptionDomains settings? How can I make HTTP requests for my API and UIWebView work on both iOS 9 and iOS 10 and still following Apple's rule?

Edit

For supporting iOS 9 and iOS 10:

<key>NSAppTransportSecurity</key>
        <dict>
            <key>NSExceptionDomains</key>
            <dict>
                <key>myAPIdomain</key>
                <dict>
                    <key>NSIncludesSubdomains</key>
                    <true/>
                    <key>NSExceptionAllowsInsecureHTTPLoads</key>
                    <true/>
                </dict>
            </dict>
            <key>NSAllowsArbitraryLoadsInWebContent</key>
            <true/>
            <key>NSAllowsArbitraryLoads</key>
            <true/>
        </dict>
chengsam
  • 7,315
  • 6
  • 30
  • 38
  • 1
    If you are supporting earlier version than iOS 10 then you need to use `NSAllowsArbitraryLoads`, and yes this will apply on iOS 9 and 10. You simply need to include in your review notes why you need `NSAllowsArbitraryLoads` If you have specific domains where you know https will work, you can add an exception for those domains to enable https – Paulw11 Oct 27 '16 at 09:29
  • @Paulw11Thanks for your quick reply. This means I just need to add `NSAllowsArbitraryLoadsInWebContent` and `NSAllowsArbitraryLoads` to my info.plist? – chengsam Oct 27 '16 at 09:33
  • yes, that is correct – Paulw11 Oct 27 '16 at 09:33
  • @Paulw11I have edited the post. I think that on iOS10, the key `NSAllowsArbitraryLoadsInWebContent` and `NSExceptionDomains` will work. On iOS 9, the `NSAllowsArbitraryLoads` will work. Am I correct? – chengsam Oct 27 '16 at 09:48
  • I believe that `NSAllowsArbitraryLoads` will override `NSAllowsArbitraryLoadsInWebContent` even on ios 10, so ATS will effectively be "off" on iOS 9 and iOS 10 devices – Paulw11 Oct 27 '16 at 09:50
  • @Paulw11No. On iOS 10, if I do not set `NSExceptionDomains`, my API domain won't work. That means `NSAllowsArbitraryLoadsInWebContent` will take effect. – chengsam Oct 27 '16 at 09:51

1 Answers1

1
<key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
    </dict>

You can use the above condition if you don't want to support https(TLS 1.2). But you have to make sure it will be a temporary fix. From earlier 2017 Apple make https (TLS 1.2) as mandatory

Yogesh Mv
  • 1,041
  • 1
  • 6
  • 12
  • This is not true. You will be able to continue to use `NSAllowsArbitraryLoads` but you need to explain why it is required – Paulw11 Oct 27 '16 at 09:34
  • I know Apple will make strict use of `NSAllowsArbitraryLoads` from 2017. But I want to support iOS 9 also. Seems `NSAllowsArbitraryLoads` must be needed for supporting iOS 9. – chengsam Oct 27 '16 at 09:36
  • Plus there are many devices, such as embedded/IoT devices, that will never support TLS – Paulw11 Oct 27 '16 at 09:38