UserGuide

App Transport Security

From Xojo Documentation

Revision as of 14:33, 12 December 2018 by PLefebvre (talk | contribs) (Created page with "Starting with iOS 9 and OS X 10.11, your apps have to use secure "https" connections or you will get this error: "The resource could not be loaded because the App Transport Se...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Starting with iOS 9 and OS X 10.11, your apps have to use secure "https" connections or you will get this error: "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection".

This applies to any control that works with HTTP, including: URLConnection, Xojo.Net.HTTPSocket, HTTPSocket, HTTPSecureSocket, HTMLViewer, and iOSHTMLViewer.

To continue to connect to non-secure "http" connections that you do not control you'll have to provide a plist with a temporary exception specified for each site you are accessing via http:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>NSAppTransportSecurity</key>
	<dict>
		<key>NSExceptionDomains</key>
		<dict>
			<key>firstsite.com</key>
			<dict>
				<key>NSIncludesSubdomains</key>
				<true/>
				<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
				<true/>
			</dict>
			<key>secondsite.com</key>
			<dict>
				<key>NSIncludesSubdomains</key>
				<true/>
				<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
				<true/>
			</dict>
		</dict>
	</dict>
</dict>
</plist>

If you don't know the specific sites, you can request access to everything using a single key:

<key>NSAppTransportSecurity</key>
<dict>
  <!-- Include to allow all connections; avoid if possible -->
  <key>NSAllowsArbitraryLoads</key>
      <true/>
</dict>

Apple may reject an App Store submission if the app uses these settings without valid reasons.

For more information about this, refer to NSAppTransportSecurity in Apple's docs.