2

I am loading an HTTPS URL in WKWebView, and inside that a few images come from HTTP URLs, which load perfectly fine on enabling NSAllowsArbitraryLoads in the Info.plist file on iOS 9. But on iOS 10 and above the HTTP images do not load. I read Apple and followed all possible ways, but no luck.

halfer
user3513902
  • Instead of enabling arbitrary loads, try to use except domains if all data came from the same unsecured site – Dharma Jun 28 '17 at 06:32
  • Add an NSAllowsArbitraryLoadsInWebContent exception key; it allows loading HTTP in iOS 10 – Dharma Jun 28 '17 at 06:42
  • @DSDharma, thanks for the help. I tried using except domains, and also "NSAllowsArbitraryLoadsInWebContent", but with no luck. :( – user3513902 Jun 28 '17 at 06:47
  • Ensure that you have added NSAllowsArbitraryLoads in the correct plist file, and that the plist contains only this **NSAllowsArbitraryLoads** key. – KKRocks Jun 28 '17 at 07:13
  • In iOS 10 and later the value of [the NSAllowsArbitraryLoads] key is ignored if any of the following keys are present in your app’s Info.plist file: NSAllowsArbitraryLoadsForMedia, NSAllowsArbitraryLoadsInWebContent, NSAllowsLocalNetworking – KKRocks Jun 28 '17 at 07:14
  • @KKRocks, as per your suggestion I kept only NSAllowsArbitraryLoads in my plist file, and it is working in iOS 9 but not in iOS 10 and above :( – user3513902 Jun 28 '17 at 07:55
  • Ensure that the plist in which you have made these changes is the correct one. – KKRocks Jun 28 '17 at 08:59
  • @KKRocks thanks for the help. If I disable "NSAllowsArbitraryLoads" then it's not working in iOS 9. So with this I am sure that my Info.plist is the correct one. But this change is not working in iOS 10 and above. – user3513902 Jun 28 '17 at 09:02
  • see this : https://stackoverflow.com/a/33712228/3901620 – KKRocks Jun 28 '17 at 09:10
  • @KKRocks, yes, I verified as per the link https://stackoverflow.com/a/33712228/3901620 and it is fine. I also read the link below: https://stackoverflow.com/questions/32456848/ios9-does-not-load-insecure-resources-from-a-secure-page-ssl-https. I have a doubt whether it is not supported in iOS 10 and above. – user3513902 Jun 28 '17 at 09:27
  • give your webview your so we can check that. – KKRocks Jun 28 '17 at 09:28
  • webView = WKWebView(frame: CGRect(x: 0.0, y: 50.0, width: self.view.frame.size.width, height: self.view.frame.size.height-50), configuration: config)
    webView!.navigationDelegate = self
    webView!.uiDelegate = self
    webView!.scrollView.delegate = self
    view.addSubview(webView!)
    let urlStr = strUrl.addingPercentEncoding(withAllowedCharacters: .urlQueryAllowed)
    let m_url = URL(string: urlStr!)
    let m_url_request = URLRequest(url: m_url!)
    self.webView!.load(m_url_request)
    – user3513902 Jun 28 '17 at 09:44
  • @user3513902 Is this issue resolved? I am facing the same. Loading below image on WKWebview through HTML Javascript: – Ruchira More Aug 16 '19 at 13:31

2 Answers

1

Add the below line in info.plist,

NSAllowsArbitraryLoadsInWebContent

and set its value as YES

Amal T S
Vignesh Davins
  • Thanks Vignesh, I tried with "NSAllowsArbitraryLoadsInWebContent", but the image is still not loading in iOS 10 and above. – user3513902 Jun 28 '17 at 06:48
  • Ok, so try to add this in Info.plist... Hope it works: NSAppTransportSecurity NSExceptionDomains api.unsecured-connection.net NSExceptionAllowsInsecureHTTPLoads – Vignesh Davins Jun 28 '17 at 06:56
  • I tried keeping NSAppTransportSecurity NSExceptionDomains api.unsecured-connection.net NSExceptionAllowsInsecureHTTPLoads but it still does not work. With this in place iOS 9 works fine, but in iOS 10 and above it is the same issue again. – user3513902 Jun 28 '17 at 07:53
0

Allowing Insecure Connection to a Single Server

For fetching media from an insecure server, use the below:

NSAppTransportSecurity
    NSExceptionDomains
        "media-server.example.com"
            NSExceptionAllowsInsecureHTTPLoads = YES

Apple warnings

Important: Before implementing this exception, consider that a seemingly-benign network request can cause security problems of the sort that ATS is intended to mitigate. For example, fetching media from an insecure server entails the following risks, among others:

  • An attacker can see the media file a user is accessing
  • Your app’s attack surface expands, for example, by allowing a bad actor to feed your app a malicious file intended to trigger a buffer overrun

Avoid this connection type if possible.

The App Transport Security (ATS) keys are:

  1. NSAllowsArbitraryLoads
  2. NSAllowsArbitraryLoadsForMedia
  3. NSAllowsArbitraryLoadsInWebContent
  4. NSExceptionAllowsInsecureHTTPLoads
  5. NSExceptionMinimumTLSVersion

You can get more info from NSAppTransportSecurity

Dharma
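
An added example, not part of any answer above and not Apple's own tooling: a Python check over an Info.plist that reports which ATS exceptions are actually in force, applying the iOS 10+ rule quoted in the comments that NSAllowsArbitraryLoads is ignored when NSAllowsArbitraryLoadsForMedia, NSAllowsArbitraryLoadsInWebContent or NSAllowsLocalNetworking is present. The function name `audit_ats` and the sample plist are constructed for illustration.

```python
import plistlib

# Keys whose presence makes iOS 10+ ignore NSAllowsArbitraryLoads
# (per the Apple text quoted in the comments on the question).
OVERRIDING_KEYS = (
    "NSAllowsArbitraryLoadsForMedia",
    "NSAllowsArbitraryLoadsInWebContent",
    "NSAllowsLocalNetworking",
)

def audit_ats(plist_bytes):
    """Return a list of findings for the ATS section of an Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    present = [k for k in OVERRIDING_KEYS if k in ats]
    if ats.get("NSAllowsArbitraryLoads"):
        if present:
            findings.append("NSAllowsArbitraryLoads is ignored on iOS 10+ because "
                            + ", ".join(present) + " is present")
        else:
            findings.append("NSAllowsArbitraryLoads disables ATS for every connection")
    for key in present:
        if ats[key]:
            findings.append(key + " is enabled")
    # Per-domain exceptions: report every host that may be reached over cleartext.
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append("cleartext HTTP allowed for " + domain)
    return findings

# Constructed sample Info.plist (hypothetical app, hostname from the answer above).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>media-server.example.com</key>
      <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
    </dict>
  </dict>
</dict></plist>"""

if __name__ == "__main__":
    for finding in audit_ats(SAMPLE):
        print(finding)
```
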