Re: ATS fails for one subdomain, succeeds for another
On Dec 4, 2017, at 4:11 PM, Tom Pusateri <pusateri@bangj.com> wrote:
On Dec 4, 2017, at 3:44 PM, Daniel Jalkut <jalkut@red-sweater.com> wrote:
I’ve proactively configured ATS in my app so that domains I expect to always support HTTPS are required to use it. One of the domains I’ve configured in this way is “wordpress.com”.
I’m seeing a puzzling behavior in which an NSURLSession data task fails with -1022 (NSURLErrorAppTransportSecurityRequiresSecureConnection) when I try to load:
http://sweatershots.wordpress.com/
But succeeds when I try to load:
http://sweatertest.wordpress.com/
I can’t make any sense of it. The only thing to note about the failing URL is that it was a new subdomain just registered at WordPress.com today. The succeeding one is a URL that I have worked with from this app for a long time.
Does the ATS system provide some kind of courtesy grandfathering for specific subdomains? What else would explain this?
By the way, I am setting a cache policy to ignore local cache, so I don’t think it’s anything like that.
Daniel
There is an exception list for ATS in the Info.plist. Would sweatertest.wordpress.com be listed there?
Unless an http URL is in the exception list, it will always fail. (See NSExceptionDomains)
https://developer.apple.com/library/content/documentation/General/Reference/...
Tom
The docs don’t match my recollection of how this worked but I did use this for a while with success to allow http to these two sites and require https otherwise:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>dnsalias.net</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
        <key>meetecho.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>

Tom