NSAllowsArbitraryLoadsInWebContent in UIWebView

I was reviewing the documentation for NSAllowsArbitraryLoadsInWebContent:

https://developer.apple.com/library/prerelease/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW60

This states:

"An optional Boolean value that applies only to content to be loaded into an instance of the following classes:

Set this key’s value to YES to obtain exemption from ATS policies in your app’s web views, without affecting the ATS-mandated security of your NSURLSession connections.

Default value is NO.

To support older versions of iOS and OS X, you can employ this key and still manually configure ATS. To do so, set this key’s value to YES and also configure the NSAllowsArbitraryLoads subkeys.

If you add this key to your Info.plist file, then, irrespective of the value of the key, ATS ignores the value of the NSAllowsArbitraryLoads key.

Available starting in iOS 10.0 and macOS 10.12."


I was testing this in my app with the iOS 10 simulator (Xcode 8, beta 5), and was not able to get UIWebView to function properly on non-ATS compliant hosts -- I get an error like so:


2016-08-12 11:20:59.666 eBay[2528:1559544] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)


Should we expect this to work for UIWebView in a future beta release, or is the support only available for WKWebView?


I saw Quinn's note, which only mentions WKWebView: https://forums.developer.apple.com/message/15705


Replies

Should we expect this to work for UIWebView […], or is the support only available for WKWebView?

Yes. Originally NSAllowsArbitraryLoadsInWebContent was only spec’d to support WKWebView. The support for UIWebView is a post-WWDC addition (r. 26903639). I’m now off to update my pinned post to mention that (-:

I was testing this in my app with the iOS 10 simulator (Xcode 8, beta 5), and was not able to get UIWebView to function properly on non-ATS compliant hosts -- I get an error like so:

2016-08-12 11:20:59.666 eBay[2528:1559544] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)

I tested NSAllowsArbitraryLoadsInWebContent with UIWebView accessing a plain HTTP site and it worked for me (like you, in the Xcode 8.0b5 simulator). I suspect that this issue might be site specific. Can you post the URL that’s causing problems?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Yes, the URL is https://scgi.ebay.com/ws/eBayISAPI.dll?FYPShow


I'm downloading beta 6 now to see if anything has changed.

I took my UIWebView test app, changed the ATS dictionary to set just NSAllowsArbitraryLoadsInWebContent, and then pointed the app at that URL. I then set a breakpoint on -webView:didFailLoadWithError: and printed the full error:
(lldb) po error
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred
and a secure connection to the server cannot be made."
UserInfo={_kCFStreamErrorCodeKey=-9801,
NSLocalizedRecoverySuggestion=Would you like to connect to the
server anyway?, NSUnderlyingError=0x610000241c50 {Error
Domain=kCFErrorDomainCFNetwork Code=-1200 "An SSL error has occurred
and a secure connection to the server cannot be made."
UserInfo={NSErrorFailingURLStringKey=https://fyp.ebay.com/
EnterUserInfo?&clientapptype=16, NSLocalizedRecoverySuggestion=Would
you like to connect to the server anyway?,
_kCFNetworkCFStreamSSLErrorOriginalValue=-9801,
_kCFStreamPropertySSLClientCertificateState=0,
NSLocalizedDescription=An SSL error has occurred and a secure
connection to the server cannot be made.,
_kCFStreamErrorDomainKey=3,
NSErrorFailingURLKey=https://fyp.ebay.com/EnterUserInfo?&
clientapptype=16, _kCFStreamErrorCodeKey=-9801}},
NSLocalizedDescription=An SSL error has occurred and a secure
connection to the server cannot be made.,
NSErrorFailingURLKey=https://fyp.ebay.com/EnterUserInfo?&
clientapptype=16,
NSErrorFailingURLStringKey=https://fyp.ebay.com/EnterUserInfo?&
clientapptype=16, _kCFStreamErrorDomainKey=3}

Note the failing URL, https://fyp.ebay.com. So NSAllowsArbitraryLoadsInWebContent is working for the initial URL but failing for this one.

Poking at that server with TLSTool I see the following:
$ TLSTool s_client -connect fyp.ebay.com:443
*  input stream did open
* output stream did open
* output stream has space
* protocol: TLS 1.0
* cipher: RSA_WITH_RC4_128_MD5
* trust result: unspecified
* certificate info:
*  0 + rsaEncryption 2048 sha256-with-rsa-signature 'fyp.ebay.com'
*  1 + rsaEncryption 2048 sha256-with-rsa-signature 'Symantec Class 3 Secure Server CA - G4'
*  2  rsaEncryption 2048 sha1-with-rsa-signature 'VeriSign Class 3 Public Primary Certification Authority - G5'
^C

Oi vey! That cypher suite, RSA_WITH_RC4_128_MD5, is chock full of obsolete and insecure protocols (RC4, MD5, no forward secrecy).

My guess as to what’s happening here is that NSAllowsArbitraryLoadsInWebContent has disabled most, but not all, of the ATS checks for UIWebView. So you can load plain text sites, and sites with other problems (for example, scgi.ebay.com doesn’t support forward secrecy), but either RC4 or MD5 is still tripping it up. Please file a bug about this, then post your bug number here, just for the record.

The obvious workaround would be to continue to use NSAllowsArbitraryLoads until this problem is resolved.

You should also contact the site owner: the level of security for that site is way below what I would expect to see on the modern Internet.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks for the very helpful answer. Bug filed here: rdar://27892687


As noted in the bug, WKWebView appears to silently fail in this scenario, while UIWebView errors.


Agreed on the security settings -- I will separately pursue getting that fixed.

Hey guys,


Any update on this @Eskimo? I'm facing the issue with Xcode 8 Beta 6 for most of the requests that are non-ATS compliant.


Regards.

@eskimo:

It appears that the webview in this case is mandating Forward Secrecy by only advertising ECDHE ciphers. This seems overly restrictive, given that NSAllowsArbitraryLoadsInWebContent is turned on.


WireShark capture from iOS 10 beta 6 device below, with a UIWebView attempting to load fyp.ebay.com.

Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

My case should work if the additional non-ECDHE ciphers were available:

Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

Any update on this @Eskimo?

From my perspective I’ve taken this about as far as I can:

  • AFAICT this is a bug in the implementation of NSAllowsArbitraryLoadsInWebContent.
  • LaddVanTOl has already filed a bug about it (r. 27,892,687).
  • The workaround is to stick with NSAllowsArbitraryLoads until ATS Engineering fixes that bug.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks mate. Since beta 7 has been released, I will debug with this new version and hope it has been fixed. Anyway, I'll give feedback as soon as I finish testing so other developers know the current status.


PS: Bug still not fixed with new Beta 7

Oh, one more thing here. The specific cypher suite I mentioned above (RSA_WITH_RC4_128_MD5) should not work at all on iOS 10 because we’ve disabled RC4 entirely (as mentioned in WWDC 2016 Session 706 What’s New in Security). I suspect what’s going on here is that the server is choosing an RC4-based cypher suite if the client offers it, but choosing some other suite otherwise, and that this other suite is falling afoul of the forward secrecy problem that LaddVanTOl noticed.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
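To make the cipher-suite reasoning in this thread checkable, here is an added example (the editor's code, not from the thread, from Apple, or from TLSTool) that parses the suite names quoted above, flags the properties the thread shows ATS refusing (non-ECDHE key exchange, RC4, MD5), and simulates server-preference negotiation between the iOS 10 beta 6 ClientHello and a server that prefers RC4, which is the behaviour Quinn hypothesises. ASSUMED_SERVER_PREFS is a constructed preference order for that hypothesis, not a measurement of fyp.ebay.com; negotiated_suite is a live probe using Python's ssl module and is not exercised offline; and the acceptance checks encode the thread's observations, not Apple's complete ATS rule set.

```python
"""Audit TLS cipher suites against the properties this thread shows ATS
insisting on for web-view loads: forward secrecy via ECDHE key exchange, and
no RC4 or MD5. Editor's added example; not code from the thread or from Apple,
and the checks are the editor's reading of the thread rather than Apple's full
ATS rule set. Values marked "assumed" are constructed for illustration.
"""
import re
import socket
import ssl

# Suites quoted in the thread. SERVER_SUITE is what TLSTool saw the server pick;
# CLIENT_OFFERED is the iOS 10 beta 6 UIWebView ClientHello from the Wireshark
# capture (TLS_EMPTY_RENEGOTIATION_INFO_SCSV is omitted: it is a signalling
# value, not a cipher); WANTED_NON_ECDHE is the list the poster asked for.
SERVER_SUITE = "RSA_WITH_RC4_128_MD5"
CLIENT_OFFERED = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]
WANTED_NON_ECDHE = [
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
]
# Assumed server preference order modelling Quinn's hypothesis: RC4 first when
# the client offers it, otherwise only non-ECDHE AES suites. Not a measurement.
ASSUMED_SERVER_PREFS = ["TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_RC4_128_SHA"] + WANTED_NON_ECDHE

# IANA-style name: [TLS_]<key exchange>_WITH_<bulk cipher>_<MAC/PRF>
_SUITE_RE = re.compile(r"^(?:TLS_)?(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<mac>MD5|SHA\d*)$")


def parse_suite(name):
    """Split an IANA-style suite name into (key exchange, bulk cipher, MAC/PRF)."""
    m = _SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    return m.group("kx"), m.group("cipher"), m.group("mac")


def audit_suite(name):
    """Reasons the suite would fail the checks discussed in the thread ([] if none)."""
    kx, cipher, mac = parse_suite(name)
    problems = []
    if not kx.startswith("ECDHE"):
        problems.append("no forward secrecy (non-ECDHE key exchange)")
    if "RC4" in cipher:
        problems.append("RC4 (disabled entirely in iOS 10)")
    if mac == "MD5":
        problems.append("MD5")
    return problems


def negotiate(server_prefs, client_offered):
    """Server-preference negotiation: the first server suite the client also offers,
    or None (no common suite, so the handshake fails before any application data)."""
    offered = set(client_offered)
    return next((s for s in server_prefs if s in offered), None)


def negotiated_suite(host, port=443, timeout=5.0):
    """Live probe, the Python counterpart of the TLSTool s_client check in the thread.
    Returns (OpenSSL suite name, protocol); OpenSSL names differ from the IANA names
    above, so compare them by eye. Needs network access and is not run offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, protocol, _bits = tls.cipher()
            return name, protocol


if __name__ == "__main__":
    print(SERVER_SUITE, "->", audit_suite(SERVER_SUITE))
    for s in WANTED_NON_ECDHE:
        print(s, "->", audit_suite(s))
    print("iOS 10 client vs assumed server:", negotiate(ASSUMED_SERVER_PREFS, CLIENT_OFFERED))
    print("RC4-capable client vs assumed server:",
          negotiate(ASSUMED_SERVER_PREFS, CLIENT_OFFERED + ["TLS_RSA_WITH_RC4_128_MD5"]))
```

Run as a script it reproduces the thread's two findings side by side: the server's RSA_WITH_RC4_128_MD5 fails on all three counts, the poster's six RSA-key-exchange suites fail only on forward secrecy, and against the assumed RC4-preferring server the iOS 10 ClientHello has no suite in common at all, which is exactly the situation in which an RC4-capable client would have been steered onto RC4 instead.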

How about support for iOS9 UIWebviews?

How about support for iOS9 UIWebviews?

Check out the App Transport Security pinned post. In addition to a whole bunch of other info, it has a link to the current pre-release documentation, and that documentation specifically covers ATS, App Review and backwards compatibility.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

We have some questions about ATS.


First, is this setting OK in iOS9 and iOS10 to access 'HTTP' contents with 'UIWebview'?

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoadsInWebContent</key>
    <true/>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>


Second, do we have to justify the setting as this document says?


https://developer.apple.com/library/prerelease/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW59

> Your use of certain App Transport Security (ATS) keys triggers additional App Store review for your app, and requires you to provide justification. These keys are:

> ・NSAllowsArbitraryLoads

> ・NSExceptionAllowsInsecureHTTPLoads

> ・NSExceptionMinimumTLSVersion

Third, can we continue to use the setting in future ( 2017~ ) ?


thanks.

First, is this setting OK in iOS9 and iOS10 to access 'HTTP' contents with 'UIWebview'?

That depends on what you mean by “OK”:

  • If you’re asking whether it will work, I expect so but the reality is that you should test it.

  • If you’re asking whether it will pass App Review, that’s not something I can give a definitive answer to. I don’t work for App Review and can’t speak on their behalf.

Second, do we have to justify the setting as this document says?

Again, you’re asking about App Review policy, which isn’t something I can speak to. However, I should point out that the pre-release doc you linked to covers the backward compatibility issue (in the NSAllowsArbitraryLoadsInWebContent row in Table 2).

Third, can we continue to use the setting in future ( 2017~ ) ?

I can’t talk about the future beyond what we’ve actually announced.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thank you for the reply.


We verified the NSAllowsArbitraryLoadsInWebContent setting behavior.

Now we can load "http" content in UIWebView with the NSAllowsArbitraryLoadsInWebContent setting.

But with this setting, if we use NSURLSession, we cannot load http resources.

So, please let me ask two additional question .


1

Will this specification continue in the future?


2

If we use NSURLSession with the NSAllowsArbitraryLoadsInWebContent setting after 2017, must we use NSURLSession with "https" resources only?


thanks.

But with this setting, if we use NSURLSession, we cannot load http resources.

Indeed.

1 Will this specification continue in the future?

I would expect so.

NSAllowsArbitraryLoadsInWebContent was specifically designed to allow arbitrary loads in a web view only. It does not affect loads via NSURLSession. If you want to allow arbitrary loads in NSURLSession, set NSAllowsArbitraryLoads.

2 If we use NSURLSession with the NSAllowsArbitraryLoadsInWebContent setting after 2017, must we use NSURLSession with "https" resources only?

No. You can use NSAllowsArbitraryLoads as I mentioned above, with the caveat that you must justify that use to App Review. My App Transport Security pinned post has more on this, including a link to the documentation that specifically addresses the App Review side of things.

Personally, if I were in your shoes I’d simply switch to ATS-compatible HTTPS. It’s best for your users and avoids any App Review entanglements.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
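As an added example (the editor's code, not from Apple or from anyone in this thread), the following script resolves the effective ATS policy from an Info.plist the way the documentation quoted at the top of the thread and Quinn's last answer describe it: NSAllowsArbitraryLoadsInWebContent exempts web views only and, when the key is present on iOS 10 or later, causes NSAllowsArbitraryLoads to be ignored, while older systems honour NSAllowsArbitraryLoads alone. The sample plist is constructed to match the both-keys-true dictionary posted above; the iOS-only version model, the (10, 0) threshold and the review_flags key list (taken from the documentation excerpt quoted in the thread) are the editor's simplifications, and NSExceptionDomains handling covers only the two per-domain keys named there.

```python
"""Resolve the effective App Transport Security (ATS) policy from an
Info.plist. Editor's added example, not code from the thread or from Apple.

Rules encoded, from the NSAllowsArbitraryLoadsInWebContent documentation
quoted in the thread and from Quinn's replies:
  * NSAllowsArbitraryLoads covers every connection (web views and NSURLSession).
  * NSAllowsArbitraryLoadsInWebContent covers web-view loads only, exists from
    iOS 10, and when the key is present at all ATS on those systems ignores
    NSAllowsArbitraryLoads, whatever either key's value.
  * Older systems do not know the newer key and honour NSAllowsArbitraryLoads.
The iOS-only version model and the (10, 0) threshold are the editor's
assumptions; macOS 10.12 is not modelled.
"""
import plistlib

WEBCONTENT_KEY = "NSAllowsArbitraryLoadsInWebContent"
ARBITRARY_KEY = "NSAllowsArbitraryLoads"
MIN_WEBCONTENT_VERSION = (10, 0)  # assumed: iOS release that introduced the key

# Constructed Info.plist modelled on the dictionary posted in the thread (both keys true).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.atsdemo</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoadsInWebContent</key>
    <true/>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
  </dict>
</dict>
</plist>
"""


def ats_dict(plist_bytes):
    """Return the NSAppTransportSecurity dictionary (empty if the app has none)."""
    return plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})


def arbitrary_loads_allowed(ats, ios_version, web_view):
    """True if ATS lets a non-compliant load (plain HTTP, weak TLS) proceed.

    web_view=True models a UIWebView/WKWebView load, False an NSURLSession load.
    """
    if ios_version >= MIN_WEBCONTENT_VERSION and WEBCONTENT_KEY in ats:
        # Presence of the web-content key makes ATS ignore NSAllowsArbitraryLoads;
        # only web views get the exemption, and only if the key is YES.
        return web_view and bool(ats[WEBCONTENT_KEY])
    # Pre-iOS-10 systems, or no web-content key: the global switch decides.
    return bool(ats.get(ARBITRARY_KEY, False))


def policy_report(plist_bytes):
    """Effective policy for each (OS, load type) pair a reviewer cares about."""
    ats = ats_dict(plist_bytes)
    return {
        (os_name, kind): arbitrary_loads_allowed(ats, version, kind == "webview")
        for os_name, version in (("iOS 9", (9, 0)), ("iOS 10", (10, 0)))
        for kind in ("webview", "urlsession")
    }


def review_flags(plist_bytes):
    """Keys set in this plist that the documentation quoted in the thread says
    trigger additional App Review justification."""
    ats = ats_dict(plist_bytes)
    flags = [ARBITRARY_KEY] if ats.get(ARBITRARY_KEY) else []
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            flags.append(f"NSExceptionAllowsInsecureHTTPLoads[{domain}]")
        if "NSExceptionMinimumTLSVersion" in exc:
            flags.append(f"NSExceptionMinimumTLSVersion[{domain}]")
    return flags


if __name__ == "__main__":
    for (os_name, kind), allowed in policy_report(SAMPLE_PLIST).items():
        print(f"{os_name:7} {kind:11} arbitrary loads: {'ALLOWED' if allowed else 'blocked'}")
    print("App Review justification needed for:", review_flags(SAMPLE_PLIST))
```

plistlib.loads accepts binary plists as well, so the script runs unchanged against an Info.plist pulled out of an IPA. The report is the matrix this thread ends up at: with both keys true, iOS 9 exempts everything, iOS 10 exempts the web view only, and NSURLSession on iOS 10 stays ATS-enforced even though NSAllowsArbitraryLoads is also set.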