HTTP losthost scheme for PAC file still working on latest Montery Beta 9, is it by design?

Question

qb_s OP

Created Oct ’21

Replies 3

Boosts 0

Views 2k

Participants 3

We noticed from the Monterey Beta 8/Beta 9 release notes that -

Support for cleartext HTTP URL schemes for Proxy Automatic Configuration (PAC) is now deprecated. Use only HTTPS URL schemes for PAC. This affects all PAC configurations, including, but not limited to, configurations set via Settings, System Preferences, profiles, and URLSession APIs such as connectionProxyDictionary and CFNetworkExecuteProxyAutoConfigurationURL(::::). If you configure a cleartext HTTP PAC URL, the system may upgrade it to HTTPS during PAC file loads. Web Proxy Auto-Discovery (WPAD) Protocol via DNS isn’t affected. Dynamic Host Configuration Protocol (DHCP) Option 252 WPAD may attempt to upgrade cleartext HTTP URLs to HTTPS during PAC file loads. (61981845)

We have a product that delivers a PAC file through http://localhost, we verified with Beta 8 and Beta 9 builds this didn't cause any problem. The question is, is this expected? The release notes make it sounds like the deprecation is enforced, or maybe this is because we are using "localhost"? If it's expected, are we going to keep this behavior in the final release?

(Because it's pretty late for us to fix the HTTP scheme in time for our product now. We'd be happy if we can get away with it for now and plan for a proper fix in the next release.)

Boost

Answer 1

Systems Engineer OP

Apple

Oct ’21

We have a product that delivers a PAC file through http://localhost, we verified with Beta 8 and Beta 9 builds this didn't cause any problem. The question is, is this expected? The release notes make it sounds like the deprecation is enforced, or maybe this is because we are using "localhost"?

Great question. If you do change the hostname or IP to a machine offsite and still use HTTP, does this cause a failure? If not I'd like to get a bug report down about this so that it can be further investigated. If you do end up opening a bug report, please respond back with the Feedback ID as I would be interested in this.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

0

Answer 2

qb_s OP

Oct ’21

Thanks Matt! Looks like it is not enforced for remote connections either. Filed a ticket FB9716553.

From some logs we came through it looks like the Network framework tried to upgrade the connection to HTTPS and failed (expected because we didn't enable HTTPS on the target host during the test) and then it just fell back.

Still to our own concern - being this close to release we don't expect this behavior to change in GA right? ;p

0

Answer 3

mcnaugha OP

Mar ’23

The issue here might be understanding the term "deprecated".

Apple uses this to indicate that a feature has been earmarked for future removal. It does not mean the feature is already removed.

Unfortuanately, it is very commonly misinterpretted to mean a feature has been removed. I have even seen some developers, including Microsoft employees, use the term as "the feature is gone". I have also seen Microsoft use it correctly, as Apple usually does, as a warning that the feature is going EOL but has not been removed yet.

Deprecation really means "we're serving you notice that this feature will be gone in a future release but not yet". Any other use is incorrect.

1