Does SFSafariViewController require NSAppTransportSecurity specs?

My current company is hesitant about replacing a piece of code that opens a user-specified URL in Safari with SFSafariViewController. The concern is that our app will need to be more lenient with ATS. My understanding is that any URL that opens with Safari will open in a SFSafariViewController with no change to the app ATS specs.


That said, I cannot find anything definitive from Apple - a StackOverFlow answer strongly suggests that the above statement is true - but we all know how unreliable SO can be ...


Any pointers most appreciated!


David

Replies

Digging around I found an Apple page on NSAllowsArbitraryLoadsInWebContent, which says in part:

Set this key’s value to YES to exempt your app’s web views from App Transport Security restrictions 
without affecting your URLSession connections. Domains you specify in the NSExceptionDomains dictionary 
aren’t affected by this key’s value.

A web view is an instance of any of the following classes:
WKWebView
UIWebView (iOS only)
WebView (macOS only)

Note that SFSafariViewController isn't mentioned - surely this is because its already exempt.

I can confirm that in one of our apps we don't have any of the ATS keys set in the Info.plist, and we are able to load arbitrary unsecure (http) URLs in SFSafariViewController.