WKWebView How to display links to http: pages - ios

I have a WKWebView which will display users' webpages using links gathered online.
Sometimes these links are http: which are blocked by ATS.
I've tried simply changing the links to https:, which works sometimes.
However, very often I get an error "An SSL error has occurred and a secure connection to the server cannot be made".
Sometimes the page simply redirects to the http:, which gets blocked again.
Other times the https: page is simply "Not found".
Removing http: only results in "Unsupported URL" error.
Is there any way to get WKWebView to show these pages?
PLEASE DON'T suggest NSAllowsArbitraryLoads, or even per-domain exceptions (I do not know in advance what the domains will be).
The pages load perfectly on Safari, and even mobile safari, so it must be possible.

So, the short answer is NSAllowsArbitraryLoadsInWebContent, which will work great in iOS 10. However, if you try to run with that in your Info.plist on an iOS 9 device, it won't work.
If you want this to work on both iOS 9 and iOS 10, what Apple is recommending that you do is to put both NSAllowsArbitraryLoads AND NSAllowsArbitraryLoadsInWebContent in your Info.plist.
In iOS 9, since it doesn't recognize the NSAllowsArbitraryLoadsInWebContent entry, it will allow all http content in the app (including your WKWebView). This isn't ideal, but as long as you are ensuring your critical connections elsewhere are secure, having Apple enforce it really doesn't do much.
In iOS 10 (which most of your users should be running) iOS will ignore the NSAllowsArbitraryLoads if it also sees NSAllowsArbitraryLoadsInWebContent. This means the rest of your app's network communications will need to follow ATS's security requirements, while the WKWebView and UIWebView do not. This isn't a great solution, but it is the one recommended by Apple engineers when you need to support both iOS 9 and 10.
Note that when Apple does start to require justifications for ATS exceptions, the NSAllowsArbitraryLoadsInWebContent entry is one of the ones that will trigger the need for justification. But it is better than having NSAllowsArbitraryLoads by itself, and you can put that in your justification and it should be accepted by Apple.

As posted in this article, add a top-level property NSAppTransportSecurity in Info.plist, then if the iOS version is 10 or above, add a boolean entry for NSAllowsArbitraryLoadsInWebContent in this dictionary, otherwise NSAllowsArbitraryLoads, such that the plist entry looks like:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoadsInWebContent</key>
<true/>
</dict>
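
Added example (not part of the original answers): a short Python check, using the standard plistlib module, that reports what an Info.plist carrying both keys, as the first answer describes, permits on iOS 9 versus iOS 10. The sample plist and the function name ats_posture are constructed for illustration, and per-domain NSExceptionDomains entries are not modelled.

```python
import plistlib

# Constructed Info.plist with both ATS keys, as the first answer describes.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
        <key>NSAllowsArbitraryLoadsInWebContent</key>
        <true/>
    </dict>
</dict>
</plist>
"""


def ats_posture(plist_bytes, ios_major):
    """Return which plain-http loads the plist permits on an iOS major version."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    arbitrary = bool(ats.get("NSAllowsArbitraryLoads", False))
    has_web_key = "NSAllowsArbitraryLoadsInWebContent" in ats
    if ios_major >= 10 and has_web_key:
        # iOS 10+: seeing the web-content key makes the OS ignore
        # NSAllowsArbitraryLoads, so only web views are exempt from ATS.
        arbitrary = False
        web = bool(ats["NSAllowsArbitraryLoadsInWebContent"])
    else:
        # iOS 9 does not recognise the web-content key, so web views
        # simply follow the app-wide setting.
        web = arbitrary
    return {"app_wide_http": arbitrary, "web_view_http": web}


if __name__ == "__main__":
    for version in (9, 10):
        print("iOS", version, ats_posture(SAMPLE_PLIST, version))
```

With only the web-content key present, the same function reports no http loads at all on iOS 9, which matches the first answer's remark that the key alone does not work there.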

Related

How to fix iOS error -9813 and -9802?

I have an issue to make an investigation using my iOS app (iOS 9.3.3). I need to connect to a site which uses a self-signed certificate. That site redirects me to an address with http. I see several solutions, but none of them is working.
First I tried to disable the https check using NSAppTransportSecurity, but I still get -9813. I added the domain as an exception using NSExceptionDomains but still continue to receive that error.
If your site runs on http:// then you have to add App Transport Security Settings and, under that, set Allow Arbitrary Loads to YES.
If your site runs on https:// then there is no need to add any key to your Info.plist file.
Hope this will help you. If not, let me know.

Open in "(null)"? dialog in iOS 9

So I'm trying to add a custom URL scheme to my app. Everything works. The confusing part is that when a user gets redirected it puts up a dialog box that says:
Open in "(null)"?
I can't figure out why it says null and not the name of the app. The only other spot I've been able to see this issue mentioned is here:
'Open this page in "null"' Modal appearing from FacebookSDK login after iOS9 and Swift 2 upgrade
but that talks about updating to the latest SDK. It does mention whitelisting the scheme which I tried doing using LSApplicationQueriesSchemes but that doesn't seem to fix it either.
So in my case it ended up being that the following had gotten added to my Info.plist:
<key>CFBundleDisplayName</key>
<string></string>
Either removing this key or giving it a non empty string value fixes the issue and causes it to give: Open in "name of app"?.
The value in that dialog is specified in Build Settings -> Packaging -> Product Name. By any chance, is that field somehow blank? Usually the build should fail if so, and presumably you'd have also noted something wrong on the homescreen, but who knows!
As a side note, URL schemes are not a fool-proof way to handle deep linking anymore, and are actually actively discouraged by Apple. At minimum, you also need to implement Universal Links, but even that is not a complete solution because of variations in how other apps (Facebook, etc) handle outbound links. You may want to consider a tool like Branch.io (full disclosure: I'm on the Branch team) to give a hand with all the logistics.
I found this about whitelisting urlschemes for iOS 9 (found answer here)
Any app built with SDK 9 needs to provide a LSApplicationQueriesSchemes entry in its plist file, declaring which schemes it attempts to query.
<key>LSApplicationQueriesSchemes</key>
<array>
<string>urlscheme</string>
<string>urlscheme2</string>
<string>urlscheme3</string>
<string>urlscheme4</string>
</array>
This worked for me in getting rid of that.

Angularjs http.jsonp iOS9 404

I have a Cordova Angularjs app that is getting some JSON from my server. It works on iOS 8, but when I "upgraded" to iOS 9 I am now getting nothing from my server. The server has not been changed, and I can see the JSON response if I navigate to my url.
I narrowed it down a little to my $http.jsonp() method. It is giving me a 404 error when trying to retrieve the JSON. The same exact code works fine and gets the JSON on an iOS 8 device.
Anyone else having an issue with this and iOS 9 and have figured any more out? It definitely seems like an Apple related issue...
Add this to your info.plist file.
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key><true/>
</dict>
From this page
App Transport Security (ATS) enforces best practices in the secure connections between an app and its back end. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt; it is also on by default in iOS 9 and OS X v10.11. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one.
If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forward secrecy. If you try to make a connection that doesn't follow this requirement, an error is thrown. If your app needs to make a request to an insecure domain, you have to specify this domain in your app's Info.plist file.
This has been turned on by default in iOS9. They suggest developing using https whenever possible. To get around that you would need the previous code in this answer.

iOS9 UIWebView blank screen

I've been experiencing weird behaviour on iOS9 when trying to load in-app HTML pages into our UIWebView - sometimes the pages load, sometimes just appearing as a blank screen.
The webViewDidFinishLoad function gets called in these instances as well (but no didFailLoadWithError). I can't seem to find any clues as to what would be making the page not visible some of the time. A lot of the other questions I found here suggest issues with the path, but I would think it'd be consistently failing if that was the case.
The same code works fine on iOS 8.
add into info.plist file
NSAppTransportSecurity
NSAllowsArbitraryLoads
As #vmthiru said, you need to add that to the Info.plist file. Although the exact format would be:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key><true/>
</dict>
Meaning that if you do it via the Xcode UI, you would need to add the NSAppTransportSecurity key (with Dictionary type), and inside of it, add a boolean with key NSAppTransportSecurity and set it to YES.
That said, you will probably notice that there are some viewport bugs in iOS 9 still, but that has nothing to do with this.
Hope it helps

iOS application ExternalHosts

I'm developing an app using phonegap/cordova (1.7.0), I can't figure out how to make my application work with a less restrictive option than *. If I try setting www.mywebservicedomain.com or *.mywebservicedomain.com it can't retrieve data anymore. I see many questions about this and the general answer is to just set *. I'd like to understand how to be more restrictive, if it is possible.
Thank you in advance for your efforts.
That is indeed possible. But be aware that redirects on the servers may lead to connections to different domains which you also have to specify. Luckily those restricted accesses appear in the debug log in Xcode. Run the project on the simulator or the device from within Xcode and then you will see which requests to which servers got blocked.
In the cordova.plist it should look like this:
<key>ExternalHosts</key>
<array>
<string>*.googleapis.com</string>
<string>*.gstatic.com</string>
</array>
I use Google maps in my project which uses the described redirect. Thus I had to add the gstatic although my requests point to maps.googleapis.com originally (I use cordova 1.7).
