WKWebView http -> https redirection for iOS 10 ATS Compliance


iOS 10 has foisted https upon us and totally broken an application I'm developing. The application is partly an RSS reader. The URLs we get from the RSS feeds are often HTTP URLs, both for the sites, and the metadata images. These HTTP URLs are redirected to the https versions when available just fine in Safari and SFSafariViewController. However, when using WKWebView, this redirection does not happen. The OS just blocks the non-https load altogether. If I try to hack around the issue by swapping "http" for "https" in the URL, often the sites break as they load their images, CSS and JavaScript from HTTP CDNs and those requests get blocked too. How can I get the same behavior in WKWebView as seen in Safari? Is there a configuration I can set? It seems crazy to me that Apple would make this change and just break clients using WKWebView.

P.S. Facebook is able to work around this somehow. I can't tell if it's a heavily hacked SFSafariViewController or they've somehow made the web view work. Does anyone know how they've accomplished this?

4

There are 4 answers

0
Léo Natan On BEST ANSWER

Use NSAllowsArbitraryLoads. The key is still available for use; Apple just wants to make sure you have a good reason to use it. Displaying external content inside your app qualifies as such. Once the Apple ATS rules go into effect, you will need to provide an explanation why you need it, and why NSAllowsArbitraryLoadsInWebContent is not enough. Since you already have answers for that, there should be no problem getting your app to pass the review process with NSAllowsArbitraryLoads.

As a note, Apple has postponed the ATS requirement, and it will not go into effect in January 2017.

9
wottle On

While you can simply use NSAllowsArbitraryLoads to globally turn off app transport security, this is not ideal, and will be more likely to be rejected by Apple without a really rock solid justification.

A better solution, which will provide the correct behavior in both iOS 9 and iOS 10, is to put both NSAllowsArbitraryLoads and NSAllowsArbitraryLoadsInWebContent in your Info.plist. Because iOS 9 does not acknowledge the NSAllowsArbitraryLoadsInWebContent key, it will honor the NSAllowsArbitraryLoads key, effectively turning off app transport security in iOS 9 devices for your app.

In iOS 10, if you include the NSAllowsArbitraryLoadsInWebContent key, iOS will ignore the NSAllowsArbitraryLoads setting, disabling app transport security only in web views in your app. This will mean your app is much more secure in iOS 10, which I believe will make Apple more likely to accept your justification for the use of your app transport security exceptions.
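
The combined configuration from the answer above, as an added example that is not part of the original answer: a constructed Info.plist carrying both keys, and a small Python check that reports which cleartext loads it permits on iOS 9 and on iOS 10. The function names and the `app_wide_http` / `web_view_http` labels are assumptions made for this illustration, and the version logic follows the behaviour the answer describes.

```python
import plistlib

# Constructed sample Info.plist with both keys, as the answer above describes.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
        <key>NSAllowsArbitraryLoadsInWebContent</key>
        <true/>
    </dict>
</dict>
</plist>
"""

def effective_ats(info_plist_bytes, ios_major):
    """Return which cleartext (http) loads ATS permits on one iOS major version.

    Follows the behaviour stated in the answer: iOS 9 does not know the
    web-content key; iOS 10 ignores NSAllowsArbitraryLoads when it is present.
    """
    ats = plistlib.loads(info_plist_bytes).get("NSAppTransportSecurity", {})
    arbitrary = ats.get("NSAllowsArbitraryLoads", False) is True
    has_web_key = "NSAllowsArbitraryLoadsInWebContent" in ats
    web_content = ats.get("NSAllowsArbitraryLoadsInWebContent", False) is True

    if ios_major < 10:
        # The web-content key is unknown here, so only the global switch counts.
        return {"app_wide_http": arbitrary, "web_view_http": arbitrary}
    if has_web_key:
        # The global switch is ignored; the exception is scoped to web views.
        return {"app_wide_http": False, "web_view_http": web_content}
    return {"app_wide_http": arbitrary, "web_view_http": arbitrary}

def audit(info_plist_bytes, versions=(9, 10)):
    """Map each iOS major version to its effective ATS exceptions."""
    return {v: effective_ats(info_plist_bytes, v) for v in versions}

if __name__ == "__main__":
    for version, policy in audit(SAMPLE_INFO_PLIST).items():
        print(f"iOS {version}: {policy}")
```

With `app_wide_http` false on iOS 10, requests the app makes outside a web view, such as fetching feed images through URLSession, remain subject to ATS.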

6
Logan Shire On

After digging around in Apple's documentation here I found the new NSAllowsArbitraryLoadsInWebContent key. This fixes the issue for WKWebView, though frustratingly fetching images over http is still problematic. I'll probably end up having to proxy them through my own server.

0
Mike Sprague On

Edit: My below answer is incorrect. It does not work for sites which return XSL, for example RSS feeds hosted on feedburner. I was unable to find a solution for this, so unfortunately I am going back to enabling arbitrary loads.


Our app also has a generic RSS reader feature in it. We want to use ATS for better security and to be in compliance with Apple. In addition, disabling it is considered a high risk by many enterprise clients. As such, enabling "Allow Arbitrary Loads" is not a valid option for us.

For now, we've made the best of this by doing two things:

1. Enabling Allow Arbitrary Loads in Web Content. We also have a generic webview which displays customer content.
2. Using a non-visible WKWebView to load an RSS feed, then extracting the HTML from the webpage and parsing the XML. I've created a gist for that here

Somehow, this terrible hack seems to suit our purposes, for now.

It would be great to have a solution that allows you to override transport security at the URL session level.