Implications of disabling ATS?
- Subject: Implications of disabling ATS?
- From: Alex Hall <email@hidden>
- Date: Wed, 30 Sep 2015 10:06:33 -0400
I was all excited, because--thanks to your answers re WebView--I had a system in place to load the contents of the first URL in the selected tweet. Then my log showed me "transport security has blocked…" and nothing worked.
I've since discovered that ATS is new in iOS 9/OS X 10.11 and is meant to force you into using HTTPS. Given that I'm just loading whatever URLs happen to be in the selected tweet, the vast majority will not be HTTPS and will thus be blocked. I can't add trusted domains, if I understand that feature correctly, because I have no way of knowing what domains users might load. My only option, it seems, is to disable the whole thing by using:
<key>NSAppTransportSecurity</key>
<dict>
    <!-- Include to allow all connections (DANGER) -->
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>
(found at http://ste.vn/2015/06/10/configuring-app-transport-security-ios-9-osx-10-11/)
However, before I go doing that, does anyone know of a better way? Are there security implications I'm overlooking? I don't know what users will do with this web view, and yes, some may log into sites or give other sensitive data. The primary use case is to look at articles, videos, etc. that are tweeted, though, and to do that I can't have ATS blocking everything. I'm not sure what the best course is here. Thanks.
--
Have a great day,
Alex Hall
email@hidden