In iOS 9, Apple is blocking insecure HTTP connections for apps, unless specific hosts are whitelisted.
http://ste.vn/2015/06/10/configuring-app-transport-security-ios-9-osx-10-11/
Are WebView(s) exempt from these rules for obvious reasons, or are we still expected to whitelist hosts that a browser opens... including all links from a given page?
I wasn't sure if this was our responsibility or if that was exempt.
On
This question was originally about iOS 9; however, according to Apple's documentation:
Starting in iOS 10.0 and later, the following subkeys are supported:
- NSAllowsArbitraryLoadsInWebContent
- ...
Use NSAllowsArbitraryLoadsInWebContent so that you do not need to white list each page a WebView may load.
Keep NSAllowsArbitraryLoads to maintain backward compatibility with iOS 9 and enable the new setting in your Xcode 8 project Info.plist here:
On
If your app (a third-party web browser, for instance) needs to load arbitrary content, Apple provides a way to disable ATS altogether, but I suspect it’s wise for you to use this capability sparingly:
<key>NSAppTransportSecurity</key>
<dict>
<!--Include to allow all connections (DANGER)-->
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
I have inserted the following in my apps .plist per the Apple Guidance:
<key>NSAppTransportSecurity</key>
<dict>
<!--Include to allow all connections - with and without SSL (DANGEROUS)-->
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
and when I try to load my webView (from an HTTPS server no less), I get the following error and it doesn't load.
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
So I it looks like not only are they not exempt, they don't work even if you make the correct addition to the .plist.
SFSafariViewController can show HTTP without the NSAppTransportSecurity key.
UIWebView and WKWebView require the NSAppTransportSecurity key mentioned above to display HTTP pages.