NSAllowsArbitraryLoadsInWebContent in UIWebView

Should we expect this to work for UIWebView […], or is the support only available for WKWebView?

Yes. Originally

NSAllowsArbitraryLoadsInWebContent

I was testing this in my app with the iOS 10 simulator (Xcode 8, beta 5), and was not able to get UIWebView to function properly on non-ATS compliant hosts -- I get an error like so:

2016-08-12 11:20:59.666 eBay[2528:1559544] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)

I tested

NSAllowsArbitraryLoadsInWebContent

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Yes, the URL is

https://scgi.ebay.com/ws/eBayISAPI.dll?FYPShow

I'm downloading beta 6 now to see if anything has changed.

I took my UIWebView test app, changed the ATS dictionary to set just

NSAllowsArbitraryLoadsInWebContent

-webView:didFailLoadWithError:

(lldb) po error
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred
and a secure connection to the server cannot be made."
UserInfo={_kCFStreamErrorCodeKey=-9801,
NSLocalizedRecoverySuggestion=Would you like to connect to the
server anyway?, NSUnderlyingError=0x610000241c50 {Error
Domain=kCFErrorDomainCFNetwork Code=-1200 "An SSL error has occurred
and a secure connection to the server cannot be made."
UserInfo={NSErrorFailingURLStringKey=https://fyp.ebay.com/
EnterUserInfo?&clientapptype=16, NSLocalizedRecoverySuggestion=Would
you like to connect to the server anyway?,
_kCFNetworkCFStreamSSLErrorOriginalValue=-9801,
_kCFStreamPropertySSLClientCertificateState=0,
NSLocalizedDescription=An SSL error has occurred and a secure
connection to the server cannot be made.,
_kCFStreamErrorDomainKey=3,
NSErrorFailingURLKey=https://fyp.ebay.com/EnterUserInfo?&
clientapptype=16, _kCFStreamErrorCodeKey=-9801}},
NSLocalizedDescription=An SSL error has occurred and a secure
connection to the server cannot be made.,
NSErrorFailingURLKey=https://fyp.ebay.com/EnterUserInfo?&
clientapptype=16,
NSErrorFailingURLStringKey=https://fyp.ebay.com/EnterUserInfo?&
clientapptype=16, _kCFStreamErrorDomainKey=3}

Note the failing URL,

https://fyp.ebay.com

NSAllowsArbitraryLoadsInWebContent

Poking at that server with

TLSTool

$ TLSTool s_client -connect fyp.ebay.com:443
*  input stream did open
* output stream did open
* output stream has space
* protocol: TLS 1.0
* cipher: RSA_WITH_RC4_128_MD5
* trust result: unspecified
* certificate info:
*  0 + rsaEncryption 2048 sha256-with-rsa-signature 'fyp.ebay.com'
*  1 + rsaEncryption 2048 sha256-with-rsa-signature 'Symantec Class 3 Secure Server CA - G4'
*  2  rsaEncryption 2048 sha1-with-rsa-signature 'VeriSign Class 3 Public Primary Certification Authority - G5'
^C

Oi vey! That cypher suite,

RSA_WITH_RC4_128_MD5

My guess as to what’s happening here is that

NSAllowsArbitraryLoadsInWebContent

scgi.ebay.com

The obvious workaround would be to continue to use

NSAllowsArbitraryLoads

You should also contact the site owner: the level of security for that site is way below what I would expect to see on the modern Internet.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks for the very helpful answer. Bug filed here:

rdar://27892687

As noted in the bug, WKWebView appears to silently fail in this scenario, while UIWebView errors.

Agreed on the security settings -- I will separately pursue getting that fixed.

Hey guys,

Any update on this @Eskimo? I'm facing the issue with Xcode 8 Beta 6 for most of the requests that are non-ATS compliant.

Regards.

@eskimo:

It appears that the webview in this case is mandating Forward Secrecy by only advertising ECDHE ciphers. This seems overly restrictive, given that NSAllowsArbitraryLoadsInWebContent is turned on.

WireShark capture from iOS 10 beta 6 device below, with a UIWebView attempting to load fyp.ebay.com.

Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)

Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)

Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)

Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)

Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)

Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)

Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)

Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)

Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)

Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)

Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)

Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

My case should work if the additional non-ECDHE ciphers were available:

Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)

Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)

Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)

Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)

Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f

Any update on this @Eskimo?

From my perspective I’ve taken this about as far as I can:

• AFAICT this is a bug in the implementation of

  NSAllowsArbitraryLoadsInWebContent

  .

• LaddVanTOl has already filed a bug about it (r. 27,892,687).

• The workaround is to stick with

  NSAllowsArbitraryLoads

  until ATS Engineering fixes that bug.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks mate. Since beta 7 has been release, I will debug with this new version and hope it has been fixed. Anyway, i'll give feedback as soon as I finish testing so other developers know the current status.

PS: Bug still not fixed with new Beta 7

Oh, one more thing here. The specific cypher suite I mentioned above (

RSA_WITH_RC4_128_MD5

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

How about support for iOS9 UIWebviews?

How about support for iOS9 UIWebviews?

Check out the App Transport Security pinned post. In addition to a whole bunch of other info, it has a link to the current pre-release documentation, and that documentation specifically covers ATS, App Review and backwards compatibility.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

We have some questions about ATS.

First, is this setting OK in iOS9 and iOS10 to access 'HTTP' contents with 'UIWebview'?

<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoadsInWebContent</key>
<true/>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>

Second, do we have to justify the setting as this document says?

https://developer.apple.com/library/prerelease/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW59

> Your use of certain App Transport Security (ATS) keys triggers additional App Store review for your app, and requires you to provide justification. These keys are:

> ・NSAllowsArbitraryLoads

> ・NSExceptionAllowsInsecureHTTPLoads

> ・NSExceptionMinimumTLSVersion

Third, can we continue to use the setting in future ( 2017~ ) ?

thanks.

First, is this setting OK in iOS9 and iOS10 to access 'HTTP' contents with 'UIWebview'?

That depends on what you mean by “OK”:

• If you’re asking whether it will work, I expect so but the reality is that you should test it.

• If you’re asking whether it will pass App Review, that’s not something I can give a definitive answer to. I don’t work for App Review and can’t speak on their behalf.

Second, do we have to justify the setting as this document says?

Again, you’re asking about App Review policy, which isn’t something I can speak to. However, I should point out that the pre-release doc you linked to covers the backward compatibility issue (in the

NSAllowsArbitraryLoadsInWebContent

Third, can we continue to use the setting in future ( 2017~ ) ?

I can’t talk about the future beyond what we’ve actually announced.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thank you for the reply.

We verified NSAllowsArbitraryLoadInWebContent setting behavior.

Now we can load "http" content in UIWebView with NSAllowsArbitraryLoadInWebContent setting.

But in this setting, if we use NSURLSession, cannot load http resources.

So, please let me ask two additional question .

1

Does this specification will continue in the future?

2

If we use NSURLSeesion with NSAllowsArbitraryLoadsInWebContent setting after 2017, must we use NSURLSession "https" resources only?

thanks.

But in this setting, if we use NSURLSession, cannot load http resources.

Indeed.

1 Does this specification will continue in the future?

I would expect so.

NSAllowsArbitraryLoadsInWebContent

NSAllowsArbitraryLoads

2 If we use NSURLSeesion with NSAllowsArbitraryLoadsInWebContent setting after 2017, must we use NSURLSession "https" resources only?

No. You can use

NSAllowsArbitraryLoads

Personally, if I were in your shoes I’d simply switch to ATS-compatible HTTPS. It’s best for your users and avoids any App Review entanglements.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Eskimo,

Thanks for all the info you've posted here but I also have a problem which I tried to solve since the first Xcode 8 beta release.

We have an app that's using a WebView for SSO and it's not fully ATS compatible as follows:

TLSTool s_client -connect sampledomain.com:443

returns:

* protocol: TLS 1.0

* cipher: RSA_WITH_3DES_EDE_CBC_SHA

I tried unsuccessfully to use NSAllowsArbitraryLoadsInWebContent and based on the LaddVanTOl comment it looks like the RSA_WITH_3DES_EDE_CBC_SHA is not in the list of ciphers supporting FS nor accepted as part of NSExceptionRequiresForwardSecrecy

A workaround is to use a NSExceptionDomains:

      <key>sampledomain.com</key>
      <dict>
          <key>NSExceptionRequiresForwardSecrecy</key>
          <false/>
        <key>NSTemporaryExceptionMinimumTLSVersion</key>
          <string>TLSv1.0</string>
      </dict>

but I was wondering if the NSAllowsArbitraryLoadsInWebContent fix will allow all ciphers not suporting FS
as well as TLSv1.0?
We've also used WKWebView and the error was the same as in WebView.

_kCFStreamErrorDomainKey:3

_kCFStreamErrorCodeKey:-9824

NSLocalizedDescription:An SSL error has occurred and a secure connection to the server cannot be made

Thanks for your time.

In speaking with the ATS team it’s clear that they intend

NSAllowsArbitraryLoadsInWebContent

With regards your specific case I expect

NSAllowsArbitraryLoadsInWebContent

Is the server you’re talking to on the wider Internet? If so, can you post the URL? If not, you should open a DTS tech support incident and we can take this offline.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

This issue is also critical for our app.

How to track it? Cannot find it in Apple's bug tracker.

This issue is also critical for our app. How to track it? Cannot find it in Apple's bug tracker.

Indeed. Bug Reporter will only let you see the status of requests that you file. What you can do here is file your own request and specifically ask for it to be dup’d to 27892687. You’ll then be able to see the status of that bug (and by “status” I mean the open and closed state, not any of the details).

I just took a look at 27892687 myself and it looks like it’s making real progress, although at this point it’s unlikely to catch the iOS 10.1 bus.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Eskimo,

We have web-browser kind of iOS application. WKWebview is used for building the browser. App Transport Security specification looks like below

<key>NSAppTransportSecurity</key>

<dict>

<key>NSAllowsArbitraryLoads</key>

<true/>

<key>NSAllowsArbitraryLoadsInWebContent</key>

<true/>

...

</dict>

But I am facing issues with many websites in iOS 10. Eg. https://search.norton.com. I just verified using nscurl and found that Perfect Forward Secrecy is not enabled for this website.

Is NSAllowsArbitraryLoadsInWebContent expected to behave this way ? Not loading sites which does not support forward secrecy.

What is the best approach in ATS for application with web browser which needs load almost all the URLs?

Thanks in advance

Saranya Sivanandham

Is NSAllowsArbitraryLoadsInWebContent expected to behave this way?

I thought I was pretty clear about this in my post on 22 Sep. To recap:

• NSAllowsArbitraryLoadsInWebContent

  should allow arbitrary loads in a web view.

• If that’s not working for some specific sites, you should file a bug about it.

A number of developers have already filed bugs like this and ATS Engineering is actively working to fix them. AFAIK none of those fixes went into 10.1 but you should definitely re-test on any post-10.1 seeds that we might make in the future.

The only workaround to such problems right now is to eschew

NSAllowsArbitraryLoadsInWebContent

NSAllowsArbitraryLoads

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I just took a look at 27892687 myself and it looks like it’s making real progress, although at this point it’s unlikely to catch the iOS 10.1 bus.

27892687 is reported as fixed in the current 10.2 beta seed (14C5062e). If you were previously having problems with

NSAllowsArbitraryLoadsInWebContent

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Mr. Eskimo, I am still experiencing problems with NSAllowsArbitraryLoadsInWebContent. I have filed an Apple Radar, here is the Bug ID: 29093259.

Thanks,

Kevin

I am still experiencing problems with

NSAllowsArbitraryLoadsInWebContent

.

Bummer.

I have filed an Apple Radar, here is the Bug ID: 29093259.

Thanks.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Seeing similar behaviour and probable related - will have to check out the newest Beta. Had to ask though - this can't be *the* LAdd Van Tol, can it? Of VMUGM fame? (I hope it is, otherwise I just sound like an *****).