
iOS 10 has foisted https upon us and totally broken an application I'm developing. The application is partly an RSS reader. The URLs we get from the RSS feeds are often HTTP URLs, both for the sites, and the metadata images. These HTTP URLs are redirected to the https versions when available just fine in safari and SFSafariViewController. However, when using WKWebView, this redirection does not happen. The OS just blocks the non-https load altogether. If I try to hack around the issue by swapping "http" for "https" in the URL, often the sites break as they load their images, CSS and JavaScript from HTTP CDNs and those requests get blocked too. How can I get the same behavior in WKWebView as seen in Safari? Is there a configuration I can set? It seems crazy to me that Apple would make this change and just break clients using WKWebView.

P.S. Facebook is able to work around this somehow. I can't tell if it's a heavily hacked SFSafariViewController or they've somehow made the web view work. Does anyone know how they've accomplished this?

ricardopereira
Logan Shire

4 Answers

Use NSAllowsArbitraryLoads. The key is still available for use; Apple just wants to make sure you have a good reason to use it. Displaying external content inside your app qualifies as such. Once the Apple ATS rules go into effect, you will need to provide an explanation of why you need it, and why NSAllowsArbitraryLoadsInWebContent is not enough. Since you already have answers for that, there should be no problem getting your app past the review process with NSAllowsArbitraryLoads.

As a note, Apple has postponed the ATS requirement, and it will not go into effect in January 2017.

Léo Natan

After digging around in Apple's documentation here I found the new NSAllowsArbitraryLoadsInWebContent key. This fixes the issue for WKWebView, though frustratingly fetching images over http is still problematic. I'll probably end up having to proxy them through my own server.

Logan Shire
  • You do know that you can still use the `NSAllowsArbitraryLoads` key, right? You just have to have a satisfactory reason to do so, and yours - an app that displays external content - is good enough. Also, Apple has postponed ATS requirements for now: https://developer.apple.com/news/?id=12212016b – Léo Natan Dec 28 '16 at 10:36
  • @LeoNatan I read in the documentation that the above key was for things using the AVFoundation framework. How would one use it to simply load images over http and display them in an image view? – Logan Shire Dec 28 '16 at 10:37
  • Oh no, I meant `NSAllowsArbitraryLoads`. – Léo Natan Dec 28 '16 at 10:37
  • @LeoNatan Oh! I was unaware they backed off on that. – Logan Shire Dec 28 '16 at 10:38
  • They didn't back off on it. This key will still be available for use. For instance, any browser app would require this key. It's not going away. Apple just wants to make sure you have a good reason to use it. – Léo Natan Dec 28 '16 at 10:39
  • Ah, makes sense. Yeah we're sorta like a browser app. SFSafariViewController isn't good enough for our needs. – Logan Shire Dec 28 '16 at 10:40

While you can simply use NSAllowsArbitraryLoads to globally turn off App Transport Security, this is not ideal, and will be more likely to be rejected by Apple without a really rock solid justification.

A better solution, which will provide the correct behavior in both iOS 9 and iOS 10, is to put both NSAllowsArbitraryLoads and NSAllowsArbitraryLoadsInWebContent in your Info.plist. Because iOS 9 does not acknowledge NSAllowsArbitraryLoadsInWebContent, it will honor NSAllowsArbitraryLoads, effectively turning off App Transport Security on iOS 9 devices for your app.

In iOS 10, if you include the NSAllowsArbitraryLoadsInWebContent key, iOS will ignore the NSAllowsArbitraryLoads setting, disabling App Transport Security only in web views in your app. This will mean your app is much more secure in iOS 10, which I believe will make Apple more likely to accept your justification for the use of your App Transport Security exceptions.

wottle
  • As you can see from the OP's answer, the `NSAllowsArbitraryLoadsInWebContent` key is not enough in this case. The app does have a "really rock solid justification" however. – Léo Natan Dec 28 '16 at 18:28
  • I don't see anywhere in the original question that states the user tried to allow arbitrary loads in web content. I also don't see how my answer is not a better solution, since it doesn't just blindly allow any insecure content to be loaded in the app. There are way too many answers here on stack overflow that simply tell people to allow arbitrary loads, without giving options that provide a more secure solution. – wottle Dec 28 '16 at 18:32
  • The OP answered their own question with stating that exactly what you suggested is not enough. Take a look: http://stackoverflow.com/a/41360003/983912 – Léo Natan Dec 28 '16 at 18:33
  • There is absolutely nothing wrong with using `NSAllowsArbitraryLoads` when the application is displaying external content outside of the application developer's control. `NSAllowsArbitraryLoadsInWebContent` and `NSAllowsArbitraryLoadsForMedia` give a specific solution, but they are not always enough, as in this case. – Léo Natan Dec 28 '16 at 18:35
  • I never said that solution wouldn't work. But if the developer is only loading insecure content in webviews, you are disabling app transport security in all network activity in the app, when you may only need to disable it for web content. If the OP comes back and says that the `NSAllowsArbitraryLoadsInWebContent` setting does not work in his specific case, then you are correct. I just didn't see anything that would indicate that the OP tried doing that. To me, it is worth doing that first, and then only doing the global `NSAllowsArbitraryLoads` if the more secure solution didn't work. – wottle Dec 28 '16 at 19:18
  • "If the OP comes back and says" - you mean other than the answer by the OP themselves? – Léo Natan Dec 28 '16 at 19:38
  • @wottle, I explained to him that I tried NSAllowsArbitraryLoadsInWebContent which worked fine for WKWebView, but we also load images into image views where those images are hosted by 3rd parties on their CDNs from our sources. Those CDNs often do not support HTTPS. NSAllowsArbitraryLoadsForMedia only applies to media loaded through the AVFoundation framework. Downloading an image with NSURLSession to display in an image view gets blocked if it's not https. – Logan Shire Dec 28 '16 at 21:12
  • Ok, yes, if you are loading data outside a web view, this won't be enough. Thanks for the clarification. Just as a best practice, it is best to put additional information about a question in the question itself, not in an answer for your own question. Also, my answer explains how you can provide compatibility for both iOS 9 and iOS 10, which many devs will find important. – wottle Dec 29 '16 at 05:12
  • @LeoNatan, I'm just trying to make sure we have good answers on these questions, there's no need for you to get defensive. If you don't like my answer, vote it down. But based on the question alone, my answer is more complete and will address the problem, as originally stated, in the most secure way. – wottle Dec 29 '16 at 05:14
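As an added example that is not from any of the answers above: a small Python audit that parses a constructed Info.plist carrying the NSAllowsArbitraryLoads plus NSAllowsArbitraryLoadsInWebContent combination discussed in the answers, and reports what iOS 9 and iOS 10 would actually allow over plain HTTP for WKWebView loads versus NSURLSession loads (the distinction that bit the OP). The `cdn.example.com` entry under NSExceptionDomains is a hypothetical narrower per-host exception for one image CDN, added here as an alternative to a global exception; it is not something the answers proposed.

```python
import plistlib

# Constructed Info.plist fragment (not from any real app): the iOS 9/10 key
# combination from the answer above plus a hypothetical per-host CDN exception.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>cdn.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
</dict></plist>
"""


def ats_settings(plist_bytes):
    """Return the NSAppTransportSecurity dictionary (empty if absent)."""
    return plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})


def effective_policy(ats, ios_major):
    """Which load kinds may use plain HTTP under the global keys.

    iOS 9 does not know NSAllowsArbitraryLoadsInWebContent, so only
    NSAllowsArbitraryLoads counts. On iOS 10 the presence of the web-content
    key makes the system ignore NSAllowsArbitraryLoads, which is why plain
    NSURLSession image downloads stay blocked even though WKWebView works.
    """
    global_ok = bool(ats.get("NSAllowsArbitraryLoads", False))
    web_ok = bool(ats.get("NSAllowsArbitraryLoadsInWebContent", False))
    if ios_major >= 10 and "NSAllowsArbitraryLoadsInWebContent" in ats:
        return {"webview_http": web_ok, "urlsession_http": False}
    return {"webview_http": global_ok, "urlsession_http": global_ok}


def http_allowed(ats, host, ios_major, in_webview):
    """True if a plain-HTTP load of host passes ATS; per-domain rules win."""
    for name, rules in ats.get("NSExceptionDomains", {}).items():
        if host == name or (rules.get("NSIncludesSubdomains") and host.endswith("." + name)):
            return bool(rules.get("NSExceptionAllowsInsecureHTTPLoads", False))
    policy = effective_policy(ats, ios_major)
    return policy["webview_http"] if in_webview else policy["urlsession_http"]
```

Running `http_allowed` over the hosts an app actually fetches from is a quick way to see whether a per-domain exception list would cover them before reaching for the global key.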

Edit: My below answer is incorrect. It does not work for sites which return XSL, for example RSS feeds hosted on feedburner. I was unable to find a solution for this, so unfortunately I am going back to enabling arbitrary loads.

Our app also has a generic RSS reader feature in it. We want to use ATS for better security and to be in compliance with Apple. In addition, disabling it is considered a high risk by many enterprise clients. As such, enabling "Allow Arbitrary Loads" is not a valid option for us.

For now, we've made the best of this by doing two things:

1. Enabling Allow Arbitrary Loads in Web Content. We also have a generic webview which displays customer content.
2. Using a non-visible WKWebView to load an RSS feed, then extracting the HTML from the webpage and parsing the XML. I've created a gist for that here.

Somehow, this terrible hack seems to suit our purposes, for now.

It would be great to have a solution that allows you to override transport security at the URL session level.

Mike Sprague