ATS App Transport Security: HTTP url inside Webview

Question

We have an app which shows HTML content in Webview. Currently the content served to Webview is from non secured domain. From iOS10, it supposed to serve from secured domain so before migrating want to clear some doubts.

1. Do the secured HTML page(https) should have CSS and JS links from secured sever too? As some CSS and JS might be from third server.

2. If the secured HTML page(https) is loaded into Webview and had some links which are not secured(http), will those links load in Webview when user taps on it?

Thanks in advance for your help.

Answer 1

I did a quick test and it appears that any referenced resources that are needed to be loaded by the UIWebView to properly display the page must abide by the ATS rules, but also follow any exceptions you have specified in the Info.plist for your project. If the I tried to follow a link to a non-https site in the UIWebView, it gave me errors as well.

I think your best bet would be to use the SFSafariViewController conditionally for iOS 9 users. You can continue to use the UIWebView for the iOS 7 and iOS 8 devices, which do not strictly enforce ATS. This imposes fome extra code, but it should be minimal.

Also, just a clarification on Apple's changes around enforcement of App Transport Security. They announced that App Transport Security would be required for apps submitted after December 31, 2016. This means the impact is not so much based on the user's device OS, but rather the developers who are submitting. Also, Apple is still allowing exceptions to be added, as long as you have a justification. We do not yet know what types of justifications Apple will allow. Finally, Apple stated in their WWDC session that apps could still include an exception to the forward secrecy part of the ATS requirements without a separate justification. Until we get to 1/1/2017, though, we will not know for sure how this will work.

Edit: It appears Apple has added a new exception you can use to allow non-ATS connections in UIWebview and WKWebview instances. It is NSAllowsArbitraryLoadsInWebContent. This should do exactly what you are looking for. Here is a great summary of the latest with ATS: preparing for ATS in 2017.