How can we use HTTP and HTTPS both ATS (App Transport Security) in One Application?

问题

Apple announced “App Transport Security” for iOS 9 and OSX 10.11 El Capitan. The “What’s New in iOS” guide for iOS 9 explains:

App Transport Security (ATS) lets an app add a declaration to its Info.plist file that specifies the domains with which it needs secure communication. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one.

If we want to remove or disable the ATS means we want to use only HTTP then we are doing entry in the .plist file like as :

<key>NSAppTransportSecurity</key>
<dict>
  <!--Include to allow all connections (DANGER)-->
  <key>NSAllowsArbitraryLoads</key>
      <true/>
</dict>

And if our domain is in HTTPS we are doing entry in .plist file like as :

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSExceptionDomains</key>
  <dict>
    <key>yourserver.com</key>
    <dict>
      <!--Include to allow subdomains-->
      <key>NSIncludesSubdomains</key>
      <true/>
      <!--Include to allow HTTP requests-->
      <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
      <true/>
      <!--Include to specify minimum TLS version-->
      <key>NSTemporaryExceptionMinimumTLSVersion</key>
      <string>TLSv1.1</string>
    </dict>
  </dict>
</dict>

Issue is :

If my app is working on the web-services like as HTTP only. And I want to use the HTTPS domains like as google map or Facebook login etc. Or anything like one web-service is for the HTTPS domain.

Then How we can combine both the things in the .plist file?

回答1:

If your app (a third-party web browser, for instance) needs to load arbitrary content, Apple provides a way to disable ATS altogether, but I suspect it’s wise for you to use this capability sparingly:

Disabling ATS entirely. Simply include the following in your Info.plist file then after you can use HTTP and HTTPS in One Application

<key>NSAppTransportSecurity</key>
<dict>
      <!--Include to allow all connections (DANGER)-->
      <key>NSAllowsArbitraryLoads</key>
      <true/>
</dict>

Hope this helps!

回答2:

if your app (a third-party web browser, for instance) needs to load arbitrary content. then add this into plist.

来源：https://stackoverflow.com/questions/32774138/how-can-we-use-http-and-https-both-ats-app-transport-security-in-one-applicati