WKWebView requires com.apple.security.network.client for local content

I'm trying to load a local file to WKWebView and it fails unless I have the com.apple.security.network.client entitlement. Since QuickLook doesn't work either without this entitlement (https://forums.developer.apple.com/thread/115821) is there any way at all to show an HTML file in a sandboxed app that doesn't do outgoing connections?


Here is some sample code to showcase this problem:


import Cocoa
import WebKit

class ViewController: NSViewController {
    var webView: WKWebView!

    override func viewDidLoad() {
        super.viewDidLoad()
        self.webView = WKWebView(frame: self.view.frame, configuration: .init())
        self.view.addSubview(self.webView)
        self.webView.loadHTMLString("hello", baseURL: nil)
    }
}

Accepted Reply

Not if you are using WKWebView. It uses an out-of-process view for security. That means it requires the entitlement. You could use the old web view if you want. Technically it is deprecated, but it still works fine. The old web view is even required for print support.

Replies

I see this is related to your older Quicklook question. I'm not sure how Quicklook is involved with this. You are doing something funky with Quicklook too, aren't you? It isn't just a standard preview generator.


There is no problem with including this entitlement. There is an excellent chance your app will be rejected without an obvious networking component. Make sure to explain why you need this entitlement. You'll still probably get rejected. But in these cases, responding directly to App Review and explaining the issue (maybe referencing that other discussion) should eventually get an approval. Don't waste time going to appeal. I've never heard of a successful, or even remotely timely, appeal. But if you are ever doing something funky and need an explanation, it might take a couple of rejections before they realize what you are doing. Just be patient.

Thanks, using the deprecated WebView works!


I'm not willing to add com.apple.security.network.client to my app, as I view my entitlements as my contract to the user. With all the intrusive tracking and analytics going around I want to be able to prove, instead of promise, that my app doesn't do any network requests. And I wouldn't describe wanting to display a single static HTML file as "funky".


So, let me reformulate my question as a challenge:


Is there a non-deprecated way to display a static HTML file on a sandboxed macOS app without the com.apple.security.network.client entitlement? Any method will do.
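
The entitlements an app was signed with can be read back from the signed bundle, which is what makes the "prove, instead of promise" position above checkable. An added example, not part of the thread: a Python audit of an entitlements plist for the network keys discussed here. The function names, sample plists and bundle path are constructed for illustration.

```python
import plistlib

# Input on macOS is the XML printed by (path is a placeholder):
#   codesign -d --entitlements :- /path/to/Example.app
SANDBOX_KEY = "com.apple.security.app-sandbox"
NETWORK_KEYS = (
    "com.apple.security.network.client",  # outgoing connections
    "com.apple.security.network.server",  # incoming connections
)

def audit_entitlements(plist_bytes):
    """Return (sandboxed, granted_network_keys) for an entitlements plist."""
    # A binary signed without entitlements yields no plist at all.
    ents = plistlib.loads(plist_bytes) if plist_bytes.strip() else {}
    if not isinstance(ents, dict):
        raise ValueError("entitlements plist must be a dictionary")
    # Only a boolean true grants an entitlement; a key set to false does not.
    sandboxed = ents.get(SANDBOX_KEY) is True
    granted = [k for k in NETWORK_KEYS if ents.get(k) is True]
    return sandboxed, granted

def verdict(plist_bytes):
    sandboxed, granted = audit_entitlements(plist_bytes)
    if not sandboxed:
        return "not sandboxed: network entitlements do not constrain this app"
    if granted:
        return "sandboxed, network allowed: " + ", ".join(granted)
    return "sandboxed, no network entitlements"

def _plist(body):
    # Helper that wraps constructed sample keys in a minimal XML plist.
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<plist version="1.0"><dict>' + body + "</dict></plist>").encode()

# Constructed samples, not taken from any real app.
SAMPLE_OFFLINE = _plist("<key>" + SANDBOX_KEY + "</key><true/>")
SAMPLE_WKWEBVIEW = _plist("<key>" + SANDBOX_KEY + "</key><true/>"
                          "<key>com.apple.security.network.client</key><true/>")
SAMPLE_DISABLED = _plist("<key>" + SANDBOX_KEY + "</key><true/>"
                         "<key>com.apple.security.network.client</key><false/>")

if __name__ == "__main__":
    for name, sample in [("offline", SAMPLE_OFFLINE),
                         ("wkwebview", SAMPLE_WKWEBVIEW),
                         ("disabled", SAMPLE_DISABLED)]:
        print(name, "->", verdict(sample))
```
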

I wouldn't beat yourself up too much about a "contract with the user". I can pretty much guarantee they aren't reading the contract. There is a big difference between what people say they would do with regards to privacy and security and what they really do. (See www.nytimes.com/2019/04/30/opinion/police-phone-privacy.html - link corrupted to avoid moderation). The com.apple.security.network.client is about as benign as it gets. And speaking of said contract, where are your users supposed to find it before they download from the Mac App Store? Is the contract really with users or is it with Apple? And does Apple care about this entitlement?


The "funkiness" I was referring to was your use of QuickLook. If you just want to do a QuickLook generator, that's fine. It doesn't need any entitlements because it will be running under a system context. Otherwise, I'm not sure what is going on with Quicklook and your app.


How "HTML" is this HTML file? If it can be rendered as plain old rich text, you can just convert it and display it as an attributed string. There could be some 3rd party HTML rendering library you could add to your app. That seems like a huge price to pay for an unread contract.


I am not able to verify if I can display a plain WKWebView without the network client entitlement. I tried to hack up my app to do that but all I managed to do was corrupt my project. Xcode likes to randomly delete schemes and when that happens, they cannot be recovered by any means. I guess they are stored in the user Xcode files that change with every mouse event, making them ineligible for version control.


But in any case, Apple doesn't care if you use the com.apple.security.network.client. No one other than Apple will ever know if you use that entitlement. Yeah, you could use that to harvest user data and upload it to your servers. But you would have to have a really popular app and do that for a couple of years before anyone, including Apple, would notice. Essentially, you are just wasting your time. If you need to display an HTML file, and you need this entitlement to make the system frameworks do that, the matter is resolved. Add the entitlement and move on with your life.

Shah