Allow HTTP without disabling ATS in iOS

问题

I am developing an app which have a small tweak in it. it will show a preview of the given url (like Facebook,whatsapp does). but if the "User-given" url is in HTTP, I couldn't load the preview when ATS is turned on. so i turned off the whole HTTPS traffic by using NSAllowsArbitraryLoads . is there any way to allow http with ATS enabled?

回答1:

According to Apple, if you build against an older SDK, so iOS 8 or earlier, then ATS is disabled. I don't know exactly what this means, but I'm guessing it is the target build setting Architectures, Base SDK -- not the deployment target setting.

This video has details of changes to ATS recently announced at WWDC 2016. As of the start of 2017, Apple will reject your app if you're using any of the following ATS exceptions AND you can't provide a reasonable justification for doing so:

NSAllowsArbitraryLoads
NSExceptionAllowsInsecureHTTPLoads
NSExceptionMinimumTLSVersion

However, it appears you will be allowed to use a new exception called:

NSAllowsArbitraryLoadsInWebContent

which means that a WKWebView control can still load HTTP content. Not sure if this applies to UIWebView as well.

In your case, I'm guessing you're not using a WKWebView, so you'd better start working on your "reasonable justification". Or stick with the iOS 8 SDK.

回答2:

You can add exceptions (NSExceptionDomains) to allow HTTP for specific domains. See the documentation.

However, if the user given URL can be any URL, then there is no other way but to use NSAllowsArbitraryLoads.

回答3:

Open Info.plist as Source Code, then add this where you want :

<key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <false/>
        <key>NSExceptionDomains</key>
        <dict>
            <key>aWebsite.com</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSTemporaryExceptionMinimumTLSVersion</key>
                <string>TLSv1.1</string>
            </dict>
            <key>anotherWebsiteIfYouWant.com</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSTemporaryExceptionMinimumTLSVersion</key>
                <string>TLSv1.1</string>
            </dict>
        </dict>
    </dict>

This way you won't have to disable ATS totally.

来源：https://stackoverflow.com/questions/38067989/allow-http-without-disabling-ats-in-ios

标签

ios

facebook

app-transport-security