NSAllowsArbitraryLoadsInWebContent on iOS 9

Hi,

With App Transport Security enabled, I want to be able to load non HTTPS URLs from our webViews.
This can easily be done with NSAllowsArbitraryLoadsInWebContent set to YES on iOS 10 (while keeping the rest of the application secure).


However, on iOS 9 and below, this configuration key does not exist.
The documentation seems to recommend setting NSAllowsArbitraryLoads to YES:


NSAllowsArbitraryLoadsInWebContent

"To support older versions of iOS and macOS, you can employ this key and still manually configure ATS. To do so, set this key’s value to

YES
and also configure the
NSAllowsArbitraryLoads
subkeys."


Thus, can I assume that setting NSAllowsArbitraryLoads = YES under iOS 9 will not trigger an App Store Review justification or can I assume I can justify doing that since there are no other way to support non HTTPS request under iOS 9 for our webViews?


I asked this question to the App Store Review team but they would not answer as I did not submit any code so I'm hoping the forums can be more helpful.


Thanks a lot,
Augustin

Replies

The standard solution to this problem is to add two keys to your ATS dictionary:

  • NSAllowsArbitraryLoadsInWebContent
  • NSAllowsArbitraryLoads

This works as follows:

  • iOS 10 honours

    NSAllowsArbitraryLoadsInWebContent
  • iOS 9 ignores

    NSAllowsArbitraryLoadsInWebContent
    , but honours
    NSAllowsArbitraryLoads
  • older versions of iOS do not include ATS

IMPORTANT The presence of

NSAllowsArbitraryLoadsInWebContent
causes iOS 10 to ignore
NSAllowsArbitraryLoads
. This results in best practice security on iOS 10 while maintaining compatibility with iOS 9.

Note This behaviour is called out in the ATS documentation, which says:

If you add [

NSAllowsArbitraryLoadsInWebContent
] to your
Info.plist
file, then, irrespective of the value of the key, ATS ignores the value of the
NSAllowsArbitraryLoads
key.

and:

To support older versions of iOS and macOS, you can employ this key and still manually configure ATS. To do so, set this key’s value to YES and also configure the

NSAllowsArbitraryLoads
subkeys.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Note that Apple just updated their documentation on ATS & App Reviews to note that NSAllowsArbitraryLoadsInWebContent itself will trigger additional justification: https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html


So you will be facing additional app review scrutiny no matter the situation if you use NSAllowsArbitraryLoadsInWebContent.

Thanks Eskimo for answering. This is exactly what I do as I read the documentation but I think you miss the point of my question. Davem (below) got the point however. Can you confirm that this will trigger an App Review justification? If this is the case, I would like to know if I can justify this by saying I am following Apple's recommendation and there are no other way to do it for iOS 9? Thanks again!

I don’t work for App Review and thus can’t make definitive statements about how they’ll enforce their policy.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"