Different behaviour NSAllowsArbitraryLoadsInWebContent IOS 10.1 and 10.2

749 views Asked by At

When loading a certain url in UIWebView in IOS 10.1 it is failing on

Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made"

However the same webview loads fine in iOS 10.2

I can load the url in both 10.1 and 10.2 if I use NSAllowsArbitraryLoads = YES but only in 10.2 with NSAllowsArbitraryLoadsInWebContent = YES

I tested the URL with nscurl --ats-diagnostics and it passes all tests

I think that the issue may have something to do with an ip location validation within the webpage.

Are the differences between 10.1 and 10.2 in the handling of App Transport Security Settings? Are these documented?

---- Edit -----

I managed to resolve my issue by looking at the error in didFailLoadWithError. This told me exactly what the url was that was causing the failure. I added this url to my Exception Domains with NSExceptionRequiresForwardSecrecy=NO (determined using the ats diagnostics)

This fixed my problem but I still would like to understand the differences in the two versions 10.1 & 10.2.

1

There are 1 answers

1
wottle On BEST ANSWER

Yes, earlier versions of iOS 10 did still enforce the forward secrecy requirement of app transport security in web views even with the NSAllowsArbitraryLoadsInWebContent key. That was a bug, that was fixed by Apple. The problem is that earlier versions of iOS shipped with the bug so you must be able to handle it, which isn't always possible if you don't know all the possible URLs that your Web you could navigate to. This may be part of the reason that Apple has extended their deadline for enabling app transport security and all apps submitted to the App Store.