ios - 如何在 iOS 9 中加载启用了 App Transport Security 的 HTTP URL？

Question

这个问题在这里已经有了答案:





Transport security has blocked a cleartext HTTP

(29 个回答)


6年前关闭。




所以，昨晚发布的 iOS 新的 beta SDK 有“App Transport Security”，它鼓励开发者使用 https 而不是 http。原则上，这是一个好主意，我已经在我们的暂存/生产环境中使用了 https。但是，当 iOS 应用程序连接到我在笔记本电脑上运行的 Web 服务时，我没有在本地开发环境中设置 https。

从今天早上玩了一下，似乎 URL 加载系统会，即使你给它一个 http URL，也会决定使用 https。有谁知道如何禁用这种行为——即使只是针对特定的 URL？

Answer 1

请参阅 Apple 的 Info.plist reference完整的细节(感谢@gnasher729)。

您可以在 Info.plist 中为特定域添加异常(exception):

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>testdomain.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <true/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
            <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
            <false/>
            <key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
            <true/>
            <key>NSThirdPartyExceptionMinimumTLSVersion</key>
            <string>TLSv1.2</string>
            <key>NSRequiresCertificateTransparency</key>
            <false/>
        </dict>
    </dict>
</dict>

每个异常(exception)域的所有键都是可选的。演讲者没有详细说明任何键，但我认为它们都相当明显。

(来源:WWDC 2015 session 703, “Privacy and Your App”，30:18)

如果您的应用有充分的理由这样做，您还可以使用单个 key 忽略所有应用传输安全限制:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

如果您的应用没有充分的理由，您可能会面临被拒绝的风险:

Setting NSAllowsArbitraryLoads to true will allow it to work, but Apple was very clear in that they intend to reject apps who use this flag without a specific reason. The main reason to use NSAllowsArbitraryLoads I can think of would be user created content (link sharing, custom web browser, etc). And in this case, Apple still expects you to include exceptions that enforce the ATS for the URLs you are in control of.

If you do need access to specific URLs that are not served over TLS 1.2, you need to write specific exceptions for those domains, not use NSAllowsArbitraryLoads set to yes. You can find more info in the NSURLSesssion WWDC session.

Please be careful in sharing the NSAllowsArbitraryLoads solution. It is not the recommended fix from Apple.

— kcharwood (感谢@marco-tolman)