My iOS app includes a privacy policy URL link. When users tap on it, it will open an HTTP (not HTTPS) page of my website in Safari, so do I need to disable App Transport Security for this?

<key>NSAppTransportSecurity</key>
<dict>
    <!--Include to allow all connections (DANGER)-->
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

RRN

1 Answer

No, you don't have to disable App Transport Security for opening HTTP URLs with UIApplication.open(_:), nor when you open it within an SFSafariViewController.

However, you do need to enable Allow Arbitrary Loads if you're planning to load a non-secure page in a WKWebView.

Tamás Sengel
  • Why does WKWebView need it, but not SFSafariViewController? @Tamás Sengel – RRN Oct 02 '18 at 13:55
  • Probably because SFSafariViewController is more secure, by default, compared to WKWebView. To quote Apple: "The user's activity and interaction with SFSafariViewController are not visible to your app, which cannot access AutoFill data, browsing history, or website data." – rodskagg Oct 02 '18 at 14:01
  • Officially, I believe it is because SFSafariViewController is a separate process from your app, so any ATS exceptions configured in your app don't apply to the Safari process. So it's essentially like loading the non-secure page in Safari, which has no access to your sandboxed app. – wottle Oct 10 '18 at 20:05