Re: ATS fails for one subdomain, succeeds for another
  • Subject: Re: ATS fails for one subdomain, succeeds for another
  • From: Tom Pusateri <email@hidden>
  • Date: Mon, 4 Dec 2017 16:19:21 -0500

> On Dec 4, 2017, at 4:11 PM, Tom Pusateri <email@hidden> wrote:
>
>>
>> On Dec 4, 2017, at 3:44 PM, Daniel Jalkut <email@hidden> wrote:
>>
>> I’ve proactively configured ATS in my app so that domains I expect to always
>> support HTTPS are required to use it. One of the domains I’ve configured in
>> this way is “wordpress.com”.
>>
>> I’m seeing a puzzling behavior in which an NSURLSession data task fails with
>> -1022 (NSURLErrorAppTransportSecurityRequiresSecureConnection) when I try to
>> load:
>>
>> http://sweatershots.wordpress.com/
>>
>> But succeeds when I try to load:
>>
>> http://sweatertest.wordpress.com/
>>
>> I can’t make any sense of it. The only thing to note about the failing URL
>> is that it was a new subdomain just registered at WordPress.com today. The
>> succeeding one is a URL that I have worked with from this app for a long
>> time.
>>
>> Does the ATS system provide some kind of courtesy grandfathering for
>> specific subdomains? What else would explain this?
>>
>> By the way, I am setting a cache policy to ignore local cache, so I don’t
>> think it’s anything like that.
>>
>> Daniel
>
> There is an exception list for ATS in the Info.plist. Would
> sweatertest.wordpress.com be listed there?
>
> Unless an http URL is in the exception list, it will always fail. (See
> NSExceptionDomains)
>
> https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW33
>
> Tom
>

The docs don’t match my recollection of how this worked but I did use this for
a while with success to allow http to these two sites and require https otherwise:

        <key>NSAppTransportSecurity</key>
        <dict>
                <key>NSExceptionDomains</key>
                <dict>
                        <key>dnsalias.net</key>
                        <dict>
                                <key>NSIncludesSubdomains</key>
                                <true/>
                                <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
                                <true/>
                        </dict>
                        <key>meetecho.com</key>
                        <dict>
                                <key>NSIncludesSubdomains</key>
                                <true/>
                                <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
                                <true/>
                        </dict>
                </dict>
        </dict>

Tom
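
An added example, not part of the original message and not Apple's code: a Python check that reads an Info.plist and reports whether a host falls under an NSExceptionDomains entry that permits cleartext HTTP, which is useful when auditing how far an exception reaches. The sample plist is constructed (modelled on the one above, with NSIncludesSubdomains dropped from one entry to show the difference), the function names are hypothetical, and picking the most specific matching domain is an assumption; it models only these keys, not the rest of ATS.

```python
import plistlib

# Constructed Info.plist, modelled on the configuration in the message above.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>NSAppTransportSecurity</key><dict>
  <key>NSExceptionDomains</key><dict>
    <key>dnsalias.net</key><dict>
      <key>NSIncludesSubdomains</key><true/>
      <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key><true/>
    </dict>
    <key>meetecho.com</key><dict>
      <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key><true/>
    </dict>
  </dict>
</dict>
</dict></plist>"""

# Current key name and the legacy "Temporary" spelling used in the message.
INSECURE_KEYS = ("NSExceptionAllowsInsecureHTTPLoads",
                 "NSTemporaryExceptionAllowsInsecureHTTPLoads")

def matching_exception(ats, host):
    """Return (domain, entry) for the exception covering host, or None.
    Assumption: when several entries match, the longest domain wins."""
    host = host.lower().rstrip(".")
    best = None
    for domain, entry in ats.get("NSExceptionDomains", {}).items():
        d = domain.lower()
        exact = host == d
        # Subdomains are covered only when the entry opts in.
        sub = host.endswith("." + d) and entry.get("NSIncludesSubdomains", False)
        if (exact or sub) and (best is None or len(d) > len(best[0])):
            best = (d, entry)
    return best

def http_allowed(plist_bytes, host):
    """True if this configuration permits a cleartext http:// load to host."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    hit = matching_exception(ats, host)
    if hit is not None:
        # A listed domain is governed by its own entry, not the global switch.
        return any(hit[1].get(k, False) for k in INSECURE_KEYS)
    return bool(ats.get("NSAllowsArbitraryLoads", False))

if __name__ == "__main__":
    for h in ("dnsalias.net", "a.dnsalias.net", "meetecho.com",
              "www.meetecho.com", "sweatershots.wordpress.com"):
        print(f"{h:30} http allowed: {http_allowed(SAMPLE_PLIST, h)}")
```
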


Macnetworkprog mailing list      (email@hidden)