1. 技术文章
  2. iOS 9 … Are WebView(s) exempt from the App Transport Security Exceptions (ATS) rules that block insecure HTTP hosts?

iOS 9 … Are WebView(s) exempt from the App Transport Security Exceptions (ATS) rules that block insecure HTTP hosts?

我们两清 提交于 2019-11-27 13:39:23

问题


In iOS 9, Apple is blocking insecure HTTP connections for apps, unless specific hosts are whitelisted.

http://ste.vn/2015/06/10/configuring-app-transport-security-ios-9-osx-10-11/

Are WebView(s) exempt from these rules for obvious reasons, or are we still expected to whitelist hosts that a browser opens... including all links from a given page?

I wasn't sure if this was our responsibility or if that was exempt.


回答1:


SFSafariViewController can show HTTP without the NSAppTransportSecurity key.

UIWebView and WKWebView require the NSAppTransportSecurity key mentioned above to display HTTP pages.




回答2:


I have inserted the following in my apps .plist per the Apple Guidance:

<key>NSAppTransportSecurity</key>
<dict>
     <!--Include to allow all connections - with and without SSL (DANGEROUS)-->
     <key>NSAllowsArbitraryLoads</key>
     <true/>
</dict>

and when I try to load my webView (from an HTTPS server no less), I get the following error and it doesn't load.

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)

So I it looks like not only are they not exempt, they don't work even if you make the correct addition to the .plist.




回答3:


This question was originally about iOS 9; however, according to Apple's documentation:

Starting in iOS 10.0 and later, the following subkeys are supported:

  • NSAllowsArbitraryLoadsInWebContent
  • ...

Use NSAllowsArbitraryLoadsInWebContent so that you do not need to white list each page a WebView may load.

Keep NSAllowsArbitraryLoads to maintain backward compatibility with iOS 9 and enable the new setting in your Xcode 8 project Info.plist here:




回答4:


If your app (a third-party web browser, for instance) needs to load arbitrary content, Apple provides a way to disable ATS altogether, but I suspect it’s wise for you to use this capability sparingly:

<key>NSAppTransportSecurity</key>
    <dict>
        <!--Include to allow all connections (DANGER)-->
        <key>NSAllowsArbitraryLoads</key>
        <true/>
    </dict>


来源:https://stackoverflow.com/questions/31065204/ios-9-are-webviews-exempt-from-the-app-transport-security-exceptions-ats

标签
ios
uiwebview
ios9
wkwebview
app-transport-security
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!