4 Replies
      Latest reply: Oct 31, 2016 5:02 AM by eskimo RSS
      Sherpastin Level 1 Level 1 (0 points)

        Hi,


        With App Transport Security enabled, I want to be able to load non HTTPS URLs from our webViews.
        This can easily be done with NSAllowsArbitraryLoadsInWebContent set to YES on iOS 10 (while keeping the rest of the application secure).

         

        However, on iOS 9 and below, this configuration key does not exist.
        The documentation seems to recommend setting NSAllowsArbitraryLoads to YES:

         

        NSAllowsArbitraryLoadsInWebContent

        "To support older versions of iOS and macOS, you can employ this key and still manually configure ATS. To do so, set this key’s value to YES and also configure the NSAllowsArbitraryLoads subkeys."

         

        Thus, can I assume that setting NSAllowsArbitraryLoads = YES under iOS 9 will not trigger an App Store Review justification or can I assume I can justify doing that since there are no other way to support non HTTPS request under iOS 9 for our webViews?

         

        I asked this question to the App Store Review team but they would not answer as I did not submit any code so I'm hoping the forums can be more helpful.

         

        Thanks a lot,
        Augustin

        • Re: NSAllowsArbitraryLoadsInWebContent on iOS 9
          eskimo Apple Staff Apple Staff (6,490 points)

          The standard solution to this problem is to add two keys to your ATS dictionary:

          • NSAllowsArbitraryLoadsInWebContent

          • NSAllowsArbitraryLoads

          This works as follows:

          • iOS 10 honours NSAllowsArbitraryLoadsInWebContent

          • iOS 9 ignores NSAllowsArbitraryLoadsInWebContent, but honours NSAllowsArbitraryLoads

          • older versions of iOS do not include ATS

          IMPORTANT The presence of NSAllowsArbitraryLoadsInWebContent causes iOS 10 to ignore NSAllowsArbitraryLoads.  This results in best practice security on iOS 10 while maintaining compatibility with iOS 9.

          Note This behaviour is called out in the ATS documentation, which says:

          If you add [NSAllowsArbitraryLoadsInWebContent] to your Info.plistfile, then, irrespective of the value of the key, ATS ignores the value of the NSAllowsArbitraryLoads key.

          and:

          To support older versions of iOS and macOS, you can employ this key and still manually configure ATS. To do so, set this key’s value to YES and also configure the NSAllowsArbitraryLoads subkeys.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: NSAllowsArbitraryLoadsInWebContent on iOS 9
              Sherpastin Level 1 Level 1 (0 points)

              Thanks Eskimo for answering.  This is exactly what I do as I read the documentation but I think you miss the point of my question.  Davem (below) got the point however.  Can you confirm that this will trigger an App Review justification?  If this is the case, I would like to know if I can justify this by saying I am following Apple's recommendation and there are no other way to do it for iOS 9?  Thanks again!

                • Re: NSAllowsArbitraryLoadsInWebContent on iOS 9
                  eskimo Apple Staff Apple Staff (6,490 points)

                  I don’t work for App Review and thus can’t make definitive statements about how they’ll enforce their policy.

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"

              • Re: NSAllowsArbitraryLoadsInWebContent on iOS 9
                davem Level 1 Level 1 (0 points)

                Note that Apple just updated their documentation on ATS & App Reviews to note that NSAllowsArbitraryLoadsInWebContent itself will trigger additional justification: https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html

                 

                So you will be facing additional app review scrutiny no matter the situation if you use NSAllowsArbitraryLoadsInWebContent.