From Xojo Documentation
New in 2018r4
Used to send and receive data using the HTTP 1.1+ protocol.
Usage on Linux requires libsoup 2.4.
URLConnection handles both standard "http" connections and secure "https" connections.
macOS Information (App Transport Security)
Starting with OS X 10.11, you have to use secure "https" connections or you will get this error: "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection". To continue to connect to non-secure "http" connections that you do not control you'll have to provide a plist with a temporary exception specified for each site you are accessing via http:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>NSAppTransportSecurity</key> <dict> <key>NSExceptionDomains</key> <dict> <key>firstsite.com</key> <dict> <key>NSIncludesSubdomains</key> <true/> <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key> <true/> </dict> <key>secondsite.com</key> <dict> <key>NSIncludesSubdomains</key> <true/> <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key> <true/> </dict> </dict> </dict> </dict> </plist>
If you don't know the specific sites, you can request access to everything using a single key:
<key>NSAppTransportSecurity</key> <dict> <!-- Include to allow all connections; avoid if possible --> <key>NSAllowsArbitraryLoads</key> <true/> </dict>
Apple may reject an App Store submission if the app uses these settings without valid reasons.
For more information about this, refer to NSAppTransportSecurity in Apple's docs.
To test a site to see what plist exceptions it might need you can use this Terminal command:
/usr/bin/nscurl --ats-diagnostics --verbose https://example.com
These sample projects are included with Xojo: