31 Replies
      Latest reply: Apr 3, 2017 1:51 PM by dloic RSS
      LaddVanTOl Level 1 Level 1 (0 points)

        I was reviewing the documentation for NSAllowsArbitraryLoadsInWebContent:

         

        https://developer.apple.com/library/prerelease/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW60

         

        This states:

         

        "An optional Boolean value that applies only to content to be loaded into an instance of the following classes:

        Set this key’s value to YES to obtain exemption from ATS policies in your app’s web views, without affecting the ATS-mandated security of your NSURLSession connections.

        Default value is NO.

        To support older versions of iOS and OS X, you can employ this key and still manually configure ATS. To do so, set this key’s value to YESand also configure the NSAllowsArbitraryLoads subkeys.

        If you add this key to your Info.plist file, then, irrespective of the value of the key, ATS ignores the value of theNSAllowsArbitraryLoads key.

        Available starting in iOS 10.0 and macOS 10.12."

         

        I was testing this in my app with the iOS 10 simulator (Xcode 8, beta 5), and was not able to get UIWebView to function properly on non-ATS compliant hosts -- I get an error like so:

         

        2016-08-12 11:20:59.666 eBay[2528:1559544] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)

         

        Should we expect this to work for UIWebView in a future beta release, or is the support only available for WKWebView?

         

        I saw Quinn's note, which only mentions WKWebView: https://forums.developer.apple.com/message/15705

        • Re: NSAllowsArbitraryLoadsInWebContent in UIWebView
          eskimo Apple Staff Apple Staff (6,665 points)

          Should we expect this to work for UIWebView […], or is the support only available for WKWebView?

          Yes.  Originally NSAllowsArbitraryLoadsInWebContent was only spec’d to support WKWebView.  The support for UIWebView is a post-WWDC addition (r. 26903639).  I’m now off to update my pinned post to mention that (-:

          I was testing this in my app with the iOS 10 simulator (Xcode 8, beta 5), and was not able to get UIWebView to function properly on non-ATS compliant hosts -- I get an error like so:

          2016-08-12 11:20:59.666 eBay[2528:1559544] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)

          I tested NSAllowsArbitraryLoadsInWebContent with UIWebView accessing a plain HTTP site and it worked for me (like you, in the Xcode 8.0b5 simulator).  I suspect that this issue might be site specific.  Can you post the URL that’s causing problems?

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: NSAllowsArbitraryLoadsInWebContent in UIWebView
              LaddVanTOl Level 1 Level 1 (0 points)

              Yes, the URL is

               

              https://scgi.ebay.com/ws/eBayISAPI.dll?FYPShow

               

              I'm downloading beta 6 now to see if anything has changed.

                • Re: NSAllowsArbitraryLoadsInWebContent in UIWebView
                  eskimo Apple Staff Apple Staff (6,665 points)

                  I took my UIWebView test app, changed the ATS dictionary to set just NSAllowsArbitraryLoadsInWebContent, and then pointed the app at that URL.  I then set a breakpoint on -webView:didFailLoadWithError: and printed the full error:

                  (lldb) po error
                  Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred
                  and a secure connection to the server cannot be made."
                  UserInfo={_kCFStreamErrorCodeKey=-9801,
                  NSLocalizedRecoverySuggestion=Would you like to connect to the
                  server anyway?, NSUnderlyingError=0x610000241c50 {Error
                  Domain=kCFErrorDomainCFNetwork Code=-1200 "An SSL error has occurred
                  and a secure connection to the server cannot be made."
                  UserInfo={NSErrorFailingURLStringKey=https://fyp.ebay.com/
                  EnterUserInfo?&clientapptype=16, NSLocalizedRecoverySuggestion=Would
                  you like to connect to the server anyway?,
                  _kCFNetworkCFStreamSSLErrorOriginalValue=-9801,
                  _kCFStreamPropertySSLClientCertificateState=0,
                  NSLocalizedDescription=An SSL error has occurred and a secure
                  connection to the server cannot be made.,
                  _kCFStreamErrorDomainKey=3,
                  NSErrorFailingURLKey=https://fyp.ebay.com/EnterUserInfo?&
                  clientapptype=16, _kCFStreamErrorCodeKey=-9801}},
                  NSLocalizedDescription=An SSL error has occurred and a secure
                  connection to the server cannot be made.,
                  NSErrorFailingURLKey=https://fyp.ebay.com/EnterUserInfo?&
                  clientapptype=16,
                  NSErrorFailingURLStringKey=https://fyp.ebay.com/EnterUserInfo?&
                  clientapptype=16, _kCFStreamErrorDomainKey=3}
                  

                  Note the failing URL, https://fyp.ebay.com.  So NSAllowsArbitraryLoadsInWebContent is working for the initial URL but failing for this one.

                  Poking at that server with TLSTool I see the following:

                  $ TLSTool s_client -connect fyp.ebay.com:443
                  *  input stream did open
                  * output stream did open
                  * output stream has space
                  * protocol: TLS 1.0
                  * cipher: RSA_WITH_RC4_128_MD5
                  * trust result: unspecified
                  * certificate info:
                  *  0 + rsaEncryption 2048 sha256-with-rsa-signature 'fyp.ebay.com'
                  *  1 + rsaEncryption 2048 sha256-with-rsa-signature 'Symantec Class 3 Secure Server CA - G4'
                  *  2  rsaEncryption 2048 sha1-with-rsa-signature 'VeriSign Class 3 Public Primary Certification Authority - G5'
                  ^C
                  

                  Oi vey!  That cypher suite, RSA_WITH_RC4_128_MD5, is chock full of obsolete and insecure protocols (RC4, MD5, no forward secrecy).

                  My guess as to what’s happening here is that NSAllowsArbitraryLoadsInWebContent has disabled most, but not all, of the ATS checks for UIWebView.  So you can load plain text sites, and sites with other problems (for example, scgi.ebay.com doesn’t support forward secrecy), but either RC4 or MD5 is still tripping it up.  Please file a bug about this, then post your bug number here, just for the record.

                  The obvious workaround would be to continue to use NSAllowsArbitraryLoads until this problem is resolved.

                  You should also contact the site owner: the level of security for that site is way below what I would expect to see on the modern Internet.

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"

                    • Re: NSAllowsArbitraryLoadsInWebContent in UIWebView
                      LaddVanTOl Level 1 Level 1 (0 points)

                      Thanks for the very helpful answer. Bug filed here:

                       

                      rdar://27892687

                       

                      As noted in the bug, WKWebView appears to silently fail in this scenario, while UIWebView errors.

                       

                      Agreed on the security settings -- I will separately pursue getting that fixed.

                        • Re: NSAllowsArbitraryLoadsInWebContent in UIWebView
                          AlexeyB86 Level 1 Level 1 (0 points)

                          This issue is also critical for our app.

                          How to track it? Cannot find it in Apple's bug tracker.

                            • Re: NSAllowsArbitraryLoadsInWebContent in UIWebView
                              eskimo Apple Staff Apple Staff (6,665 points)

                              This issue is also critical for our app. How to track it? Cannot find it in Apple's bug tracker.

                              Indeed.  Bug Reporter will only let you see the status of requests that you file.  What you can do here is file your own request and specifically ask for it to be dup’d to 27892687.  You’ll then be able to see the status of that bug (and by “status” I mean the open and closed state, not any of the details).

                              I just took a look at 27892687 myself and it looks like it’s making real progress, although at this point it’s unlikely to catch the iOS 10.1 bus.

                              Share and Enjoy

                              Quinn “The Eskimo!”
                              Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                              let myEmail = "eskimo" + "1" + "@apple.com"

                          • Re: NSAllowsArbitraryLoadsInWebContent in UIWebView
                            nmcc Level 1 Level 1 (0 points)

                            Hey guys,

                             

                            Any update on this @Eskimo? I'm facing the issue with Xcode 8 Beta 6 for most of the requests that are non-ATS compliant.

                             

                            Regards.

                              • Re: NSAllowsArbitraryLoadsInWebContent in UIWebView
                                eskimo Apple Staff Apple Staff (6,665 points)

                                Any update on this @Eskimo?

                                From my perspective I’ve taken this about as far as I can:

                                • AFAICT this is a bug in the implementation of NSAllowsArbitraryLoadsInWebContent.

                                • LaddVanTOl has already filed a bug about it (r. 27,892,687).

                                • The workaround is to stick with NSAllowsArbitraryLoads until ATS Engineering fixes that bug.

                                Share and Enjoy

                                Quinn “The Eskimo!”
                                Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                let myEmail = "eskimo" + "1" + "@apple.com"

                                  • Re: NSAllowsArbitraryLoadsInWebContent in UIWebView
                                    nmcc Level 1 Level 1 (0 points)

                                    Thanks mate. Since beta 7 has been release, I will debug with this new version and hope it has been fixed. Anyway, i'll give feedback as soon as I finish testing so other developers know the current status.

                                     

                                    PS: Bug still not fixed with new Beta 7

                                      • Re: NSAllowsArbitraryLoadsInWebContent in UIWebView
                                        eskimo Apple Staff Apple Staff (6,665 points)

                                        Oh, one more thing here.  The specific cypher suite I mentioned above (RSA_WITH_RC4_128_MD5) should not work at all on iOS 10 because we’ve disabled RC4 entirely (as mentioned in WWDC 2016 Session 706 What’s New in Security).  I suspect what’s going on here is that the server is choosing an RC4-based cypher suite if the client offers it, but choosing some other suite otherwise, and that this other suite is falling afoul of the forward secrecy problem that LaddVanTOl noticed.

                                        Share and Enjoy

                                        Quinn “The Eskimo!”
                                        Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                        let myEmail = "eskimo" + "1" + "@apple.com"

                                  • Re: NSAllowsArbitraryLoadsInWebContent in UIWebView
                                    LaddVanTOl Level 1 Level 1 (0 points)

                                    @eskimo:

                                    It appears that the webview in this case is mandating Forward Secrecy by only advertising ECDHE ciphers. This seems overly restrictive, given that NSAllowsArbitraryLoadsInWebContent is turned on.

                                     

                                    WireShark capture from iOS 10 beta 6 device below, with a UIWebView attempting to load fyp.ebay.com.


                                                    Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

                                                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)

                                                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)

                                                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)

                                                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)

                                                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)

                                                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)

                                                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)

                                                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)

                                                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)

                                                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)

                                                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)

                                                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)


                                    My case should work if the additional non-ECDHE ciphers were available:

                                                    Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)

                                                    Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)

                                                    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)

                                                    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)

                                                    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

                                                    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f

                              • Re: NSAllowsArbitraryLoadsInWebContent in UIWebView
                                kumar.pavan Level 1 Level 1 (0 points)

                                How about support for iOS9 UIWebviews?

                                  • Re: NSAllowsArbitraryLoadsInWebContent in UIWebView
                                    eskimo Apple Staff Apple Staff (6,665 points)

                                    How about support for iOS9 UIWebviews?

                                    Check out the App Transport Security pinned post.  In addition to a whole bunch of other info, it has a link to the current pre-release documentation, and that documentation specifically covers ATS, App Review and backwards compatibility.

                                    Share and Enjoy

                                    Quinn “The Eskimo!”
                                    Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                    let myEmail = "eskimo" + "1" + "@apple.com"

                                      • Re: NSAllowsArbitraryLoadsInWebContent in UIWebView
                                        chocoyama Level 1 Level 1 (0 points)

                                        We have some questions about ATS.

                                         

                                        First, is this setting OK in iOS9 and iOS10 to access 'HTTP' contents with 'UIWebview'?

                                        <key>NSAppTransportSecurity</key>
                                        <dict>
                                        <key>NSAllowsArbitraryLoadsInWebContent</key>
                                        <true/>
                                        <key>NSAllowsArbitraryLoads</key>
                                        <true/>
                                        </dict>
                                        

                                         

                                        Second, do we have to justify the setting as this document says?

                                         

                                        https://developer.apple.com/library/prerelease/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW59

                                        > Your use of certain App Transport Security (ATS) keys triggers additional App Store review for your app, and requires you to provide justification. These keys are:

                                        > ・NSAllowsArbitraryLoads

                                        > ・NSExceptionAllowsInsecureHTTPLoads

                                        > ・NSExceptionMinimumTLSVersion


                                        Third, can we continue to use the setting in future ( 2017~ ) ?

                                         

                                        thanks.

                                          • Re: NSAllowsArbitraryLoadsInWebContent in UIWebView
                                            eskimo Apple Staff Apple Staff (6,665 points)

                                            First, is this setting OK in iOS9 and iOS10 to access 'HTTP' contents with 'UIWebview'?

                                            That depends on what you mean by “OK”:

                                            • If you’re asking whether it will work, I expect so but the reality is that you should test it.

                                            • If you’re asking whether it will pass App Review, that’s not something I can give a definitive answer to.  I don’t work for App Review and can’t speak on their behalf.

                                            Second, do we have to justify the setting as this document says?

                                            Again, you’re asking about App Review policy, which isn’t something I can speak to.  However, I should point out that the pre-release doc you linked to covers the backward compatibility issue (in the NSAllowsArbitraryLoadsInWebContent row in Table 2).

                                            Third, can we continue to use the setting in future ( 2017~ ) ?

                                            I can’t talk about the future beyond what we’ve actually announced.

                                            Share and Enjoy

                                            Quinn “The Eskimo!”
                                            Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                            let myEmail = "eskimo" + "1" + "@apple.com"

                                              • Re: NSAllowsArbitraryLoadsInWebContent in UIWebView
                                                chocoyama Level 1 Level 1 (0 points)

                                                Thank you for the reply.

                                                 

                                                We verified NSAllowsArbitraryLoadInWebContent setting behavior.

                                                Now we can load "http" content in UIWebView with NSAllowsArbitraryLoadInWebContent setting.

                                                But in this setting, if we use NSURLSession, cannot load http resources.

                                                So, please let me ask two additional question .

                                                 

                                                1

                                                Does this specification will continue in the future?

                                                 

                                                2

                                                If we use NSURLSeesion with NSAllowsArbitraryLoadsInWebContent setting after 2017, must we use NSURLSession "https" resources only?

                                                 

                                                thanks.

                                                  • Re: NSAllowsArbitraryLoadsInWebContent in UIWebView
                                                    eskimo Apple Staff Apple Staff (6,665 points)

                                                    But in this setting, if we use NSURLSession, cannot load http resources.

                                                    Indeed.

                                                    1 Does this specification will continue in the future?

                                                    I would expect so.  NSAllowsArbitraryLoadsInWebContent was specifically designed to allow arbitrary loads in a web view only.  It does not affect loads via NSURLSession.  If you want to allow arbitrary loads in NSURLSession, set NSAllowsArbitraryLoads.

                                                    2 If we use NSURLSeesion with NSAllowsArbitraryLoadsInWebContent setting after 2017, must we use NSURLSession "https" resources only?

                                                    No.  You can use NSAllowsArbitraryLoads as I mentioned above, with the caveat that you must justify that use to App Review.  My App Transport Security pinned post has more on this, including a link to the documentation that specifically addresses the App Review side of things.

                                                    Personally, if I were in your shoes I’d simply switch to ATS-compatible HTTPS.  It’s best for your users and avoids any App Review entanglements.

                                                    Share and Enjoy

                                                    Quinn “The Eskimo!”
                                                    Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                    let myEmail = "eskimo" + "1" + "@apple.com"

                                                      • Re: NSAllowsArbitraryLoadsInWebContent in UIWebView
                                                        alexie.ursache Level 1 Level 1 (0 points)

                                                        Hi Eskimo,

                                                        Thanks for all the info you've posted here but I also have a problem which I tried to solve since the first Xcode 8 beta release.

                                                         

                                                        We have an app that's using a WebView for SSO and it's not fully ATS compatible as follows:

                                                        TLSTool s_client -connect sampledomain.com:443

                                                        returns:

                                                        * protocol: TLS 1.0

                                                        * cipher: RSA_WITH_3DES_EDE_CBC_SHA

                                                         

                                                        I tried unsuccessfully to use NSAllowsArbitraryLoadsInWebContent and based on the LaddVanTOl comment it looks like the RSA_WITH_3DES_EDE_CBC_SHA is not in the list of ciphers supporting FS nor accepted as part of NSExceptionRequiresForwardSecrecy

                                                        A workaround is to use a NSExceptionDomains:

                                                              <key>sampledomain.com</key>
                                                              <dict>
                                                                  <key>NSExceptionRequiresForwardSecrecy</key>
                                                                  <false/>
                                                                <key>NSTemporaryExceptionMinimumTLSVersion</key>
                                                                  <string>TLSv1.0</string>
                                                              </dict>
                                                        

                                                         

                                                        but I was wondering if the NSAllowsArbitraryLoadsInWebContent fix will allow all ciphers not suporting FS
                                                        as well as TLSv1.0?
                                                        We've also used WKWebView and the error was the same as in WebView.

                                                        _kCFStreamErrorDomainKey:3

                                                        _kCFStreamErrorCodeKey:-9824

                                                        NSLocalizedDescription:An SSL error has occurred and a secure connection to the server cannot be made

                                                         

                                                        Thanks for your time.

                                                          • Re: NSAllowsArbitraryLoadsInWebContent in UIWebView
                                                            eskimo Apple Staff Apple Staff (6,665 points)

                                                            In speaking with the ATS team it’s clear that they intend NSAllowsArbitraryLoadsInWebContent to allow arbitrary loads, that is, it should completely disable ATS for all resources loaded by the web view, including resources loaded indirectly (for example, resources loaded by the media subsystem as part of movie playback within the web view).  I can’t guarantee that it works in all possible cases, but if it doesn’t then that’s bugworthy.

                                                            With regards your specific case I expect NSAllowsArbitraryLoadsInWebContent to encompass both the forward secrecy and TLS version exceptions.  If that’s not working then it’s something I’d like to look at in more depth.

                                                            Is the server you’re talking to on the wider Internet?  If so, can you post the URL?  If not, you should open a DTS tech support incident and we can take this offline.

                                                            Share and Enjoy

                                                            Quinn “The Eskimo!”
                                                            Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                            let myEmail = "eskimo" + "1" + "@apple.com"

                                                              • Re: NSAllowsArbitraryLoadsInWebContent in UIWebView
                                                                saranya_siva Level 1 Level 1 (0 points)

                                                                Hi Eskimo,

                                                                 

                                                                  We have web-browser kind of iOS application. WKWebview is used for building the browser. App Transport Security specification looks like below

                                                                 

                                                                <key>NSAppTransportSecurity</key>

                                                                  <dict>

                                                                  <key>NSAllowsArbitraryLoads</key>

                                                                  <true/>

                                                                  <key>NSAllowsArbitraryLoadsInWebContent</key>

                                                                  <true/>

                                                                ...

                                                                </dict>

                                                                 

                                                                But I am facing issues with many websites in iOS 10. Eg. https://search.norton.com. I just verified using nscurl and found that Perfect Forward Secrecy is not enabled for this website.



                                                                Is NSAllowsArbitraryLoadsInWebContent expected to behave this way ? Not loading sites which does not support forward secrecy.

                                                                What is the best approach in ATS for application with web browser which needs load almost all the URLs? 

                                                                 

                                                                 

                                                                Thanks in advance

                                                                Saranya Sivanandham

                                                                  • Re: NSAllowsArbitraryLoadsInWebContent in UIWebView
                                                                    eskimo Apple Staff Apple Staff (6,665 points)

                                                                    Is NSAllowsArbitraryLoadsInWebContent expected to behave this way?

                                                                    I thought I was pretty clear about this in my post on 22 Sep.  To recap:

                                                                    • NSAllowsArbitraryLoadsInWebContent should allow arbitrary loads in a web view.

                                                                    • If that’s not working for some specific sites, you should file a bug about it.

                                                                    A number of developers have already filed bugs like this and ATS Engineering is actively working to fix them.  AFAIK none of those fixes went into 10.1 but you should definitely re-test on any post-10.1 seeds that we might make in the future.

                                                                    The only workaround to such problems right now is to eschew NSAllowsArbitraryLoadsInWebContent and stick with NSAllowsArbitraryLoads.

                                                                    Share and Enjoy

                                                                    Quinn “The Eskimo!”
                                                                    Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                                    let myEmail = "eskimo" + "1" + "@apple.com"

                                                  • Re: NSAllowsArbitraryLoadsInWebContent in UIWebView
                                                    eskimo Apple Staff Apple Staff (6,665 points)

                                                    I just took a look at 27892687 myself and it looks like it’s making real progress, although at this point it’s unlikely to catch the iOS 10.1 bus.

                                                    27892687 is reported as fixed in the current 10.2 beta seed (14C5062e).  If you were previously having problems with NSAllowsArbitraryLoadsInWebContent, please try again on that seed and, if you still see problems, please file a bug and post the bug number here.

                                                    Share and Enjoy

                                                    Quinn “The Eskimo!”
                                                    Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                    let myEmail = "eskimo" + "1" + "@apple.com"

                                                    • Re: NSAllowsArbitraryLoadsInWebContent in UIWebView
                                                      chris.hoff Level 1 Level 1 (0 points)

                                                      Same here, filed bug 30233586

                                                        • Re: NSAllowsArbitraryLoadsInWebContent in UIWebView
                                                          dloic Level 1 Level 1 (0 points)

                                                          Hi,

                                                           

                                                          We're having a similiar issue on iOS 10.0 or 10.2 with a website loaded with HTTPS in WKWebview. Surprinsingly, removing the key NSAllowsArbitraryLoadsInWebContent and keeping only NSAllowsArbitraryLoads does not solve the issue.

                                                           

                                                          Loading the same URL in Safari is working fine.

                                                           

                                                          We did filed a bug too: 30239888

                                                           

                                                          Thanks.

                                                            • Re: NSAllowsArbitraryLoadsInWebContent in UIWebView
                                                              eskimo Apple Staff Apple Staff (6,665 points)

                                                              chris.hoff wrote:

                                                              Same here, filed bug 30233586

                                                              Please test this with the latest iOS 10.3 beta; AFAICT it works there.

                                                              btw NSAllowsArbitraryLoadsInWebContent was fixed to allow servers that don’t support forward secrecy in 10.2.  The problem you’re having is that your server only supports TLS 1.0.  That’s something you really need to fix on the server side; TLS 1.0 is very worrisome security-wise.


                                                              dloic wrote:

                                                              We did filed a bug too: 30239888

                                                              On 10.2 I see the same failure as you do.  On the latest 10.3 beta I don’t see that failure, but the page still doesn’t load, even when I remove NSAllowsArbitraryLoadsInWebContent and set NSAllowsArbitraryLoads.  I believe there are bigger problems afoot here.

                                                              Also, your server has secure and pay in the name, but uses 3DES; that’s quite worrisome as well.

                                                              Share and Enjoy

                                                              Quinn “The Eskimo!”
                                                              Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                              let myEmail = "eskimo" + "1" + "@apple.com"