Philipp Otto

Reputation: 4111

NSAppTransportSecurity: Not working with correct settings

Like many developers out there, I get some data from a web server via HTTP. Since Xcode 7/iOS 9 I need to mark the used domains as exceptions in my app's plist. This worked out for all of my domains except one.

Important: It is no solution for me to accept all domains with NSAllowsArbitraryLoads. First I tried the following entries in the plist:

<key>cc.mydomain.de</key>
<dict>
    <key>NSIncludesSubdomains</key>
    <true/>
    <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
    <true/>
</dict>

This configuration worked for all the other domains but not for this one so I added the following entries to the plist:

<key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
<false/>
<key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSExceptionRequiresForwardSecrecy</key>
<false/>

But I still got an error when trying to access the domain.

App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file

If these exception entries don't work, then what does work? What is the minimum configuration for an exception like that? Which entry am I missing?

Upvotes: 3

Views: 2038

Answers (4)

Philipp Otto

Reputation: 4111

I contacted Apple Developer support for this issue and they told me the problem is that one of my URLs redirects to another URL, which of course has to be listed as an exception in my plist, too. You can easily determine the redirection with the URL session delegate method for redirection:

self.session = NSURLSession(configuration: NSURLSessionConfiguration.defaultSessionConfiguration(), delegate: self, delegateQueue: NSOperationQueue.mainQueue())

let url = NSURL(string: "yoururl")!

self.session.dataTaskWithURL(url) { (data, response, error) in
    if let error = error {
        NSLog("error %@ / %d", error.domain, error.code)
    } else if let response = response as? NSHTTPURLResponse {
        NSLog("response %d", response.statusCode)
    } else {
        fatalError()
    }
}.resume()

func URLSession(session: NSURLSession, task: NSURLSessionTask, willPerformHTTPRedirection response: NSHTTPURLResponse, newRequest request: NSURLRequest, completionHandler: (NSURLRequest?) -> Void) {
        NSLog("direct to %@", request.URL!)
        completionHandler(request)
}

Swift 3 version:

import UIKit

class ViewController: UIViewController, URLSessionTaskDelegate {

    var session: URLSession!

    override func viewDidLoad() {
        super.viewDidLoad()

        // Use a session with a delegate so that redirects are reported.
        self.session = URLSession(configuration: URLSessionConfiguration.default, delegate: self, delegateQueue: OperationQueue.main)

        let url = URL(string: "yoururl")!

        self.session.dataTask(with: url) { (data, response, error) in
            if let error = error {
                NSLog("error %@ / %d", (error as NSError).domain, (error as NSError).code)
            } else if let response = response as? HTTPURLResponse {
                NSLog("response %d", response.statusCode)
            } else {
                fatalError()
            }
        }.resume()
    }

    // Called for every HTTP redirect; logs the URL the request is redirected to.
    func urlSession(_ session: URLSession, task: URLSessionTask, willPerformHTTPRedirection response: HTTPURLResponse, newRequest request: URLRequest, completionHandler: @escaping (URLRequest?) -> Void) {
        print("direct to \(request.url!)")
        completionHandler(request)
    }
}

Upvotes: 1
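
The check below is an added example, not part of the original answer: it takes an Info.plist and the URLs seen in a redirect chain (for instance the ones logged by the delegate method above) and reports every cleartext hop that no NSExceptionDomains entry covers, plus any use of NSAllowsArbitraryLoads. The host cdn.example.net and the sample plist are constructed, and the subdomain matching is a simplified assumption about how ATS matches hosts.

```python
import plistlib
from urllib.parse import urlsplit

# Keys that permit cleartext HTTP for a domain: the NSTemporary... spelling is
# the one the question reports as working, the other comes from a later answer.
HTTP_KEYS = ("NSExceptionAllowsInsecureHTTPLoads",
             "NSTemporaryExceptionAllowsInsecureHTTPLoads")

def exception_for(host, domains):
    """Return the NSExceptionDomains key that covers host, or None."""
    host = (host or "").lower().rstrip(".")
    for name, cfg in domains.items():
        dom = name.lower()
        # Simplified matching rule (assumption): exact host, or a subdomain
        # when NSIncludesSubdomains is set on the entry.
        if host == dom or (cfg.get("NSIncludesSubdomains") and host.endswith("." + dom)):
            return name
    return None

def audit(plist_bytes, urls):
    """Check every URL of a redirect chain against the ATS settings."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    domains = ats.get("NSExceptionDomains", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads disables ATS for every domain")
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue  # only cleartext hops need this kind of exception
        key = exception_for(parts.hostname, domains)
        if key is None:
            findings.append(f"{parts.hostname}: no exception domain entry")
        elif not any(domains[key].get(k) for k in HTTP_KEYS):
            findings.append(f"{parts.hostname}: entry '{key}' does not allow HTTP")
    return findings

# Constructed sample: the question's entry plus a made-up redirect target.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSExceptionDomains</key><dict>
      <key>cc.mydomain.de</key><dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""
SAMPLE_CHAIN = ["http://cc.mydomain.de/data", "http://cdn.example.net/data"]
```

Calling audit(SAMPLE_PLIST, SAMPLE_CHAIN) reports only the second hop, which is the situation described in the answer: the first URL is covered, the redirect target is not.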

Vaibhav Saran

Reputation: 12908

I added App Transport Security Settings but the error was still appearing in the console.

My app was showing this error when I ran a web URL in UIWebView. If your page has some inner URL/frame which is added to your Info.plist as Exception Domains then the error will appear in the console.

In my case I was calling a webpage in a UIWebView and this page had a Facebook plugin. This web page was loading properly but was also showing this error in the console. When I checked thoroughly, I found that I used Facebook login in my app, and for this the Facebook tutorial instructed me to add facebook.com as Exception Domains in the Info.plist.

When I removed this Exception Domains, the error was gone.

Upvotes: 0

J.Williams

Reputation: 1425

Try this:

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- .......................... -->
    <!-- Other keys already present -->
    <!-- .......................... -->

    <key>NSAppTransportSecurity</key>
    <dict>

        <key>NSExceptionDomains</key>
        <dict> 

            <key>mydomain.de</key>
            <dict>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSIncludesSubdomains</key>
                <true/>
            </dict>

        </dict>
    </dict>

</dict>
</plist>

Upvotes: 0

Abhishek

Reputation: 3604

To access the resource from http://, you need to add the following lines to the Info.plist file:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

Upvotes: 0