What I'm trying to do is open a website in Safari, through having the user click on a link that is displayed in my UIWebView.

I started by reading through the question/answers on: Open specific link in Safari from UIWebView

After which I implemented the following:

```swift
import UIKit

class HomeInfoView: UIViewController, UIWebViewDelegate {

    override func viewDidLoad() {
        super.viewDidLoad()

        // Load the bundled homeInfo.html into the web view.
        let localfilePath = NSBundle.mainBundle().URLForResource("homeInfo", withExtension: "html")
        let myRequest = NSURLRequest(URL: localfilePath!)
        WebViewer.loadRequest(myRequest)
        WebViewer.scrollView.bounces = false
    }

    // Hand tapped links to Safari instead of loading them in the web view.
    func webView(webView: UIWebView, shouldStartLoadWithRequest request: NSURLRequest, navigationType: UIWebViewNavigationType) -> Bool {
        if let url = request.URL where navigationType == UIWebViewNavigationType.LinkClicked {
            UIApplication.sharedApplication().openURL(url)
            return false
        }
        return true
    }
}
```

However, when trying to use the link I still get an error:

"App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file."

I think I'm 90% of the way there, yet I'm not sure how to edit my .plist to allow the exception. Or if there is something else that I've missed.

(I would've added this as a comment to the original post but my rank isn't high enough yet)

Diesel

1 Answer

You will need to either grant permission to that specific domain in your Info.plist:

```xml
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>testdomain.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <true/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
            <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
            <false/>
            <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
            <true/>
            <key>NSThirdPartyExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
            <key>NSRequiresCertificateTransparency</key>
            <false/>
        </dict>
    </dict>
</dict>
```

This info in your plist basically sets up an exception in your app. It allows you to access the testdomain.com domain (insert whatever domain you are trying to access). It lets you access all of the subdomains and then sets a minimum TLS version to help ensure the site you are connecting to is the one you want.

Or you can simply allow access to all http websites, which is not recommended.

```xml
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>
```

This isn't recommended because it allows your app to access any http:// domain, which can be a security problem because it can make your app vulnerable to man-in-the-middle attacks.

Check out Apple's documentation for more info on this. https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW33

faircloud
  • Could you add a little more detail on how the first one works, why the second one isn't recommended? Thanks for the help :) I'm still really new to Xcode/Swift – Diesel Jan 25 '17 at 14:52
  • Thanks for the edit! That extra detail helps. The issue I have now though is that the links open in the same UIWebView, instead of Safari. Any suggestions? – Diesel Jan 25 '17 at 16:16
  • You still have the UIApplication.sharedApplication().openURL code there? – faircloud Jan 25 '17 at 16:29
  • Check to make sure you are entering this block `if let url = request.URL where navigationType == UIWebViewNavigationType.LinkClicked { UIApplication.sharedApplication().openURL(url) return false }` – faircloud Jan 25 '17 at 16:31
  • In regards to the security risk of **NSAllowsArbitraryLoads**, this is more of a concern for secure transfer of information, not general phone security, correct? If the sites that are linked to are purely for documentation and the app contains no sensitive information (think workout app, not banking app), there should be no 'security' issue with using the second method? Or are the security risks more severe than I'm considering? – Diesel Jan 25 '17 at 16:43
  • Yep, I've got this implemented: `func webView(webView: UIWebView, shouldStartLoadWithRequest request: NSURLRequest, navigationType: UIWebViewNavigationType) -> Bool { if let url = request.URL where navigationType == UIWebViewNavigationType.LinkClicked { UIApplication.sharedApplication().openURL(url); return false }; return false }` – Diesel Jan 25 '17 at 17:00
  • Does the code enter the `if let` block when you debug it though? If the url variable is not being set then your code would simply load the request in the UIWebView. For the security question, it is up to you. A hacker could pose as that documentation site and then request info from that user without them realizing who they are talking to, in the worst case scenario. – faircloud Jan 25 '17 at 17:49
  • Yup, that was it, forgot to set 'WebViewer.delegate = self', working now. Thanks for all the help! – Diesel Jan 25 '17 at 19:46
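
The two App Transport Security configurations from the answer above, run through a small audit that reports what each one actually relaxes. This is an added example, not code from the original posts; the sample plists are constructed, and `audit_ats` with its severity labels is a hypothetical helper written for illustration.

```python
import plistlib

TLS_ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def audit_ats(info_plist: bytes):
    """Return (severity, scope, message) findings for the ATS keys shown in the answer."""
    ats = plistlib.loads(info_plist).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append(("HIGH", "*", "cleartext HTTP allowed to every domain"))
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        scope = domain + (" and subdomains" if cfg.get("NSIncludesSubdomains") else "")
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            # The TLS version and forward secrecy keys only constrain HTTPS loads;
            # an http:// load to this domain has no TLS at all.
            findings.append(("MEDIUM", scope, "cleartext HTTP allowed"))
        min_tls = cfg.get("NSExceptionMinimumTLSVersion", "TLSv1.2")  # ATS default
        if min_tls in TLS_ORDER and TLS_ORDER.index(min_tls) < TLS_ORDER.index("TLSv1.2"):
            findings.append(("MEDIUM", scope, "minimum TLS lowered to " + min_tls))
        if cfg.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(("LOW", scope, "forward secrecy not required"))
    return findings

# Constructed samples mirroring the two Info.plist fragments in the answer.
DOMAIN_EXCEPTION = plistlib.dumps({"NSAppTransportSecurity": {"NSExceptionDomains": {
    "testdomain.com": {
        "NSIncludesSubdomains": True,
        "NSExceptionAllowsInsecureHTTPLoads": True,
        "NSExceptionRequiresForwardSecrecy": True,
        "NSExceptionMinimumTLSVersion": "TLSv1.2",
    }}}})
ARBITRARY_LOADS = plistlib.dumps({"NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True}})
DEFAULT_ATS = plistlib.dumps({"CFBundleName": "Demo"})  # no ATS key: defaults apply

if __name__ == "__main__":
    samples = [("domain exception", DOMAIN_EXCEPTION),
               ("arbitrary loads", ARBITRARY_LOADS),
               ("defaults", DEFAULT_ATS)]
    for name, sample in samples:
        for severity, scope, message in audit_ats(sample) or [("OK", "-", "no ATS relaxation")]:
            print(f"{name}: [{severity}] {scope}: {message}")
```

Running the same check over a built app's Info.plist in CI makes any ATS relaxation a reviewed decision rather than a leftover from debugging.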