NSAllowsArbitraryLoadsInWebContent in UIWebView

I was reviewing the documentation for NSAllowsArbitraryLoadsInWebContent:


https://developer.apple.com/library/prerelease/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW60


This states:


"An optional Boolean value that applies only to content to be loaded into an instance of the following classes:

Set this key’s value to YES to obtain exemption from ATS policies in your app’s web views, without affecting the ATS-mandated security of your NSURLSession connections.

Default value is NO.

To support older versions of iOS and OS X, you can employ this key and still manually configure ATS. To do so, set this key’s value to YES and also configure the NSAllowsArbitraryLoads subkeys.

If you add this key to your Info.plist file, then, irrespective of the value of the key, ATS ignores the value of the NSAllowsArbitraryLoads key.

Available starting in iOS 10.0 and macOS 10.12."


I was testing this in my app with the iOS 10 simulator (Xcode 8, beta 5), and was not able to get UIWebView to function properly on non-ATS-compliant hosts -- I get an error like so:


2016-08-12 11:20:59.666 eBay[2528:1559544] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)


Should we expect this to work for UIWebView in a future beta release, or is the support only available for WKWebView?


I saw Quinn's note, which only mentions WKWebView: https://forums.developer.apple.com/message/15705

Accepted Reply

I took my UIWebView test app, changed the ATS dictionary to set just NSAllowsArbitraryLoadsInWebContent, and then pointed the app at that URL. I then set a breakpoint on -webView:didFailLoadWithError: and printed the full error:
(lldb) po error
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred
and a secure connection to the server cannot be made."
UserInfo={_kCFStreamErrorCodeKey=-9801,
NSLocalizedRecoverySuggestion=Would you like to connect to the
server anyway?, NSUnderlyingError=0x610000241c50 {Error
Domain=kCFErrorDomainCFNetwork Code=-1200 "An SSL error has occurred
and a secure connection to the server cannot be made."
UserInfo={NSErrorFailingURLStringKey=https://fyp.ebay.com/
EnterUserInfo?&clientapptype=16, NSLocalizedRecoverySuggestion=Would
you like to connect to the server anyway?,
_kCFNetworkCFStreamSSLErrorOriginalValue=-9801,
_kCFStreamPropertySSLClientCertificateState=0,
NSLocalizedDescription=An SSL error has occurred and a secure
connection to the server cannot be made.,
_kCFStreamErrorDomainKey=3,
NSErrorFailingURLKey=https://fyp.ebay.com/EnterUserInfo?&
clientapptype=16, _kCFStreamErrorCodeKey=-9801}},
NSLocalizedDescription=An SSL error has occurred and a secure
connection to the server cannot be made.,
NSErrorFailingURLKey=https://fyp.ebay.com/EnterUserInfo?&
clientapptype=16,
NSErrorFailingURLStringKey=https://fyp.ebay.com/EnterUserInfo?&
clientapptype=16, _kCFStreamErrorDomainKey=3}

Note the failing URL, https://fyp.ebay.com. So NSAllowsArbitraryLoadsInWebContent is working for the initial URL but failing for this one.

Poking at that server with TLSTool I see the following:
$ TLSTool s_client -connect fyp.ebay.com:443
*  input stream did open
* output stream did open
* output stream has space
* protocol: TLS 1.0
* cipher: RSA_WITH_RC4_128_MD5
* trust result: unspecified
* certificate info:
*  0 + rsaEncryption 2048 sha256-with-rsa-signature 'fyp.ebay.com'
*  1 + rsaEncryption 2048 sha256-with-rsa-signature 'Symantec Class 3 Secure Server CA - G4'
*  2  rsaEncryption 2048 sha1-with-rsa-signature 'VeriSign Class 3 Public Primary Certification Authority - G5'
^C

Oi vey! That cipher suite, RSA_WITH_RC4_128_MD5, is chock full of obsolete and insecure protocols (RC4, MD5, no forward secrecy).

My guess as to what’s happening here is that NSAllowsArbitraryLoadsInWebContent has disabled most, but not all, of the ATS checks for UIWebView. So you can load plain text sites, and sites with other problems (for example, scgi.ebay.com doesn’t support forward secrecy), but either RC4 or MD5 is still tripping it up. Please file a bug about this, then post your bug number here, just for the record.

The obvious workaround would be to continue to use NSAllowsArbitraryLoads until this problem is resolved.

You should also contact the site owner: the level of security for that site is way below what I would expect to see on the modern Internet.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
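As an added illustration (not code from this thread, and not part of TLSTool), here is a small Python parser for TLSTool s_client output in the format shown in the reply above that lists the ATS requirements a server fails. The rules it encodes are Apple's documented ATS minimums (TLS 1.2, an ECDHE cipher suite for forward secrecy, SHA-256 or better signatures on non-root certificates, RSA keys of at least 2048 bits), and the sample input is the capture above re-typed as a constructed string.

```python
import re

# Constructed sample input: the TLSTool s_client capture quoted in the reply
# above, re-typed here as a string (the trailing ^C is omitted).
SAMPLE_TLSTOOL_OUTPUT = """\
* protocol: TLS 1.0
* cipher: RSA_WITH_RC4_128_MD5
* trust result: unspecified
* certificate info:
*  0 + rsaEncryption 2048 sha256-with-rsa-signature 'fyp.ebay.com'
*  1 + rsaEncryption 2048 sha256-with-rsa-signature 'Symantec Class 3 Secure Server CA - G4'
*  2  rsaEncryption 2048 sha1-with-rsa-signature 'VeriSign Class 3 Public Primary Certification Authority - G5'
"""

# One certificate line: index, optional '+', key type, key bits, signature algorithm, subject.
CERT_RE = re.compile(r"^\*\s+(\d+)\s+\+?\s*(\w+)\s+(\d+)\s+(\S+)\s+'(.*)'$")

def parse_tlstool(text):
    """Pull protocol, cipher suite and certificate chain out of TLSTool output."""
    info = {"protocol": None, "cipher": None, "certs": []}
    for line in text.splitlines():
        if line.startswith("* protocol:"):
            info["protocol"] = line.split(":", 1)[1].strip()
        elif line.startswith("* cipher:"):
            info["cipher"] = line.split(":", 1)[1].strip()
        else:
            m = CERT_RE.match(line)
            if m:
                info["certs"].append({"key_type": m.group(2), "key_bits": int(m.group(3)),
                                      "sig": m.group(4), "subject": m.group(5)})
    return info

def ats_problems(info):
    """List every ATS requirement the server fails; an empty list means compliant."""
    problems = []
    if info["protocol"] != "TLS 1.2":
        problems.append(f"protocol {info['protocol']}: ATS requires TLS 1.2")
    cipher = info["cipher"] or ""
    if not cipher.startswith("ECDHE_"):
        problems.append(f"cipher {cipher}: no forward secrecy (ATS only accepts ECDHE suites)")
    for weak in ("RC4", "3DES", "MD5"):
        if weak in cipher:
            problems.append(f"cipher {cipher}: uses obsolete {weak}")
    # Leaf and intermediates must use SHA-256 or better and RSA keys of at least 2048 bits.
    # The last entry is the trust anchor; its own signature is irrelevant, so skip it.
    for cert in info["certs"][:-1]:
        if any(h in cert["sig"].lower() for h in ("sha1", "md5")):
            problems.append(f"certificate '{cert['subject']}': weak signature {cert['sig']}")
        if cert["key_type"] == "rsaEncryption" and cert["key_bits"] < 2048:
            problems.append(f"certificate '{cert['subject']}': RSA key only {cert['key_bits']} bits")
    return problems

if __name__ == "__main__":
    for p in ats_problems(parse_tlstool(SAMPLE_TLSTOOL_OUTPUT)):
        print(p)
```

Run against the capture above it reports four failures (TLS 1.0, no ECDHE, RC4, MD5), while the certificate chain itself passes because only the root is SHA-1 signed.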

Replies

Hi Eskimo,

Thanks for all the info you've posted here, but I also have a problem which I have been trying to solve since the first Xcode 8 beta release.


We have an app that's using a WebView for SSO and it's not fully ATS compatible, as follows:

TLSTool s_client -connect sampledomain.com:443

returns:

* protocol: TLS 1.0
* cipher: RSA_WITH_3DES_EDE_CBC_SHA


I tried unsuccessfully to use NSAllowsArbitraryLoadsInWebContent and based on the LaddVanTOl comment it looks like the RSA_WITH_3DES_EDE_CBC_SHA is not in the list of ciphers supporting FS nor accepted as part of NSExceptionRequiresForwardSecrecy

A workaround is to use an NSExceptionDomains entry:

    <key>sampledomain.com</key>
    <dict>
        <key>NSExceptionRequiresForwardSecrecy</key>
        <false/>
        <key>NSTemporaryExceptionMinimumTLSVersion</key>
        <string>TLSv1.0</string>
    </dict>

but I was wondering if the NSAllowsArbitraryLoadsInWebContent fix will allow all ciphers not supporting FS as well as TLSv1.0?
We've also used WKWebView and the error was the same as in WebView.

_kCFStreamErrorDomainKey:3
_kCFStreamErrorCodeKey:-9824
NSLocalizedDescription:An SSL error has occurred and a secure connection to the server cannot be made


Thanks for your time.

In speaking with the ATS team it’s clear that they intend NSAllowsArbitraryLoadsInWebContent to allow arbitrary loads, that is, it should completely disable ATS for all resources loaded by the web view, including resources loaded indirectly (for example, resources loaded by the media subsystem as part of movie playback within the web view). I can’t guarantee that it works in all possible cases, but if it doesn’t then that’s bugworthy.

With regards your specific case I expect NSAllowsArbitraryLoadsInWebContent to encompass both the forward secrecy and TLS version exceptions. If that’s not working then it’s something I’d like to look at in more depth.

Is the server you’re talking to on the wider Internet? If so, can you post the URL? If not, you should open a DTS tech support incident and we can take this offline.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

This issue is also critical for our app.

How to track it? Cannot find it in Apple's bug tracker.

This issue is also critical for our app. How to track it? Cannot find it in Apple's bug tracker.

Indeed. Bug Reporter will only let you see the status of requests that you file. What you can do here is file your own request and specifically ask for it to be dup’d to 27892687. You’ll then be able to see the status of that bug (and by “status” I mean the open and closed state, not any of the details).

I just took a look at 27892687 myself and it looks like it’s making real progress, although at this point it’s unlikely to catch the iOS 10.1 bus.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Eskimo,


We have a web-browser kind of iOS application. WKWebView is used for building the browser. The App Transport Security specification looks like below:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSAllowsArbitraryLoadsInWebContent</key>
    <true/>
    ...
</dict>


But I am facing issues with many websites in iOS 10. Eg. https://search.norton.com. I just verified using nscurl and found that Perfect Forward Secrecy is not enabled for this website.

Is NSAllowsArbitraryLoadsInWebContent expected to behave this way? Not loading sites which do not support forward secrecy.

What is the best approach in ATS for an application with a web browser which needs to load almost all URLs?



Thanks in advance

Saranya Sivanandham

Is NSAllowsArbitraryLoadsInWebContent expected to behave this way?

I thought I was pretty clear about this in my post on 22 Sep. To recap:

  • NSAllowsArbitraryLoadsInWebContent should allow arbitrary loads in a web view.
  • If that’s not working for some specific sites, you should file a bug about it.

A number of developers have already filed bugs like this and ATS Engineering is actively working to fix them. AFAIK none of those fixes went into 10.1 but you should definitely re-test on any post-10.1 seeds that we might make in the future.

The only workaround to such problems right now is to eschew NSAllowsArbitraryLoadsInWebContent and stick with NSAllowsArbitraryLoads.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
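As an added example (not code from this thread or from Apple), here is a Python model of the ATS resolution rules stated on this page, applied to the ATS dictionary posted above with the per-domain exception from the earlier reply folded in. It encodes the documented intent (on iOS 10 the presence of NSAllowsArbitraryLoadsInWebContent makes ATS ignore NSAllowsArbitraryLoads and exempts only web-view loads; on iOS 9 the web-content key is unknown so NSAllowsArbitraryLoads governs; NSExceptionDomains entries override both), not the iOS 10.0/10.1 bugs discussed in the thread; the plistlib parsing and the host and OS version arguments are my own choices.

```python
import plistlib

# Constructed Info.plist fragment: the ATS dictionary posted above, plus the
# sampledomain.com exception from the earlier reply (a placeholder domain name).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>sampledomain.com</key>
      <dict>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
        <key>NSTemporaryExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

def ats_policy(info_plist, host, os_major, web_view_load):
    """Return what ATS enforces for one load: a dict with 'enforced',
    'requires_forward_secrecy' and 'minimum_tls'. Models the rules quoted in
    this thread; per-domain exceptions take precedence over the global keys."""
    ats = plistlib.loads(info_plist).get("NSAppTransportSecurity", {})
    policy = {"enforced": True, "requires_forward_secrecy": True, "minimum_tls": "TLSv1.2"}
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        if host == domain or (exc.get("NSIncludesSubdomains") and host.endswith("." + domain)):
            policy["requires_forward_secrecy"] = bool(exc.get("NSExceptionRequiresForwardSecrecy", True))
            # The reply above uses the older NSTemporaryExceptionMinimumTLSVersion spelling;
            # both spellings are honoured here, the non-Temporary one taking precedence.
            policy["minimum_tls"] = exc.get("NSExceptionMinimumTLSVersion",
                                            exc.get("NSTemporaryExceptionMinimumTLSVersion", "TLSv1.2"))
            return policy
    if os_major >= 10 and "NSAllowsArbitraryLoadsInWebContent" in ats:
        # iOS 10+: the mere presence of the web-content key makes ATS ignore
        # NSAllowsArbitraryLoads, so NSURLSession loads stay fully protected.
        exempt = web_view_load and bool(ats["NSAllowsArbitraryLoadsInWebContent"])
    else:
        # iOS 9 does not know the web-content key; NSAllowsArbitraryLoads governs every load.
        exempt = bool(ats.get("NSAllowsArbitraryLoads", False))
    if exempt:
        policy = {"enforced": False, "requires_forward_secrecy": False, "minimum_tls": None}
    return policy

if __name__ == "__main__":
    print(ats_policy(SAMPLE_PLIST, "search.norton.com", 10, web_view_load=False))
```

With the posted dictionary, a WKWebView load of search.norton.com is exempt on iOS 10, but an NSURLSession load of the same host is still fully enforced despite NSAllowsArbitraryLoads being YES, which is exactly why the reply above recommends dropping the web-content key when you need the blanket exemption.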

I just took a look at 27892687 myself and it looks like it’s making real progress, although at this point it’s unlikely to catch the iOS 10.1 bus.

27892687 is reported as fixed in the current 10.2 beta seed (14C5062e). If you were previously having problems with NSAllowsArbitraryLoadsInWebContent, please try again on that seed and, if you still see problems, please file a bug and post the bug number here.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Mr. Eskimo, I am still experiencing problems with NSAllowsArbitraryLoadsInWebContent. I have filed an Apple Radar, here is the Bug ID: 29093259.


Thanks,

Kevin

I am still experiencing problems with NSAllowsArbitraryLoadsInWebContent.

Bummer.

I have filed an Apple Radar, here is the Bug ID: 29093259.

Thanks.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Seeing similar behaviour and probably related - will have to check out the newest Beta. Had to ask though - this can't be *the* Ladd Van Tol, can it? Of VMUGM fame? (I hope it is, otherwise I just sound like an *****).

Apple is poised to reject apps that have `NSAllowsArbitraryLoads` in a few weeks. If this isn't fixed yet then it's going to cause a lot of problems. Do you know if it will be ready before January?

Do you know if it will be ready before January?

With regards the specific issue I mentioned above (r. 27892687), see my Nov 1 post later in this thread.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Same here, filed bug 30233586

Hi,


We're having a similar issue on iOS 10.0 or 10.2 with a website loaded with HTTPS in WKWebView. Surprisingly, removing the key NSAllowsArbitraryLoadsInWebContent and keeping only NSAllowsArbitraryLoads does not solve the issue.


Loading the same URL in Safari is working fine.


We did file a bug too: 30239888


Thanks.

chris.hoff wrote:

Same here, filed bug 30233586

Please test this with the latest iOS 10.3 beta; AFAICT it works there.

btw NSAllowsArbitraryLoadsInWebContent was fixed to allow servers that don’t support forward secrecy in 10.2. The problem you’re having is that your server only supports TLS 1.0. That’s something you really need to fix on the server side; TLS 1.0 is very worrisome security-wise.

dloic wrote:

We did file a bug too: 30239888

On 10.2 I see the same failure as you do. On the latest 10.3 beta I don’t see that failure, but the page still doesn’t load, even when I remove NSAllowsArbitraryLoadsInWebContent and set NSAllowsArbitraryLoads. I believe there are bigger problems afoot here.

Also, your server has secure and pay in the name, but uses 3DES; that’s quite worrisome as well.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"