如何在iOS 9中启用App Transport Security加载HTTP URL? [英] How do I load an HTTP URL with App Transport Security enabled in iOS 9?
问题描述
因此,昨晚发布的iOS新测试版SDK具有App Transport Security,鼓励开发人员使用https而不是http。原则上,这是一个好主意,我已经在我们的临时/生产环境中使用https。但是,我的本地开发环境中没有设置https,当iOS应用程序连接到我在笔记本电脑上运行的Web服务时。
So, the new beta SDK of iOS released last night has "App Transport Security" which encourages developers to use https instead of http. In principle, this is a great idea, and I already use https in our staging/production environments. However, I don't have https set up in my local development environment, when the iOS app is connecting to a web service I'm running on my laptop.
来自今天早上玩了一下,看来URL加载系统即使你把它设为一个http网址,也会决定使用https。有没有人知道如何禁用这种行为 - 即使只是针对特定的URL?
From a bit of playing around this morning, it appears that the URL loading system will, even if you hand it an http URL, decide to use https instead. Does anyone know how to disable this behaviour -- even just for particular URLs?
推荐答案
请参阅Apple的Info.plist参考了解详情(感谢@ gnasher729)。
See Apple’s Info.plist reference for full details (thanks @gnasher729).
您可以在Info.plist中为特定域添加例外:
You can add exceptions for specific domains in your Info.plist:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>testdomain.com</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSExceptionRequiresForwardSecrecy</key>
<true/>
<key>NSExceptionMinimumTLSVersion</key>
<string>TLSv1.2</string>
<key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
<false/>
<key>NSThirdPartyExceptionRequiresForwardSecrecy</key>
<true/>
<key>NSThirdPartyExceptionMinimumTLSVersion</key>
<string>TLSv1.2</string>
<key>NSRequiresCertificateTransparency</key>
<false/>
</dict>
</dict>
</dict>
每个例外域的所有密钥都是可选的。发言者没有详细说明任何一个键,但我认为它们都是相当明显的。
All the keys for each excepted domain are optional. The speaker did not elaborate on any of the keys, but I think they’re all reasonably obvious.
(来源:WWDC 2015 session 703,Privacy and Your App,30:18)
(Source: WWDC 2015 session 703, "Privacy and Your App", 30:18)
如果您的应用有充分理由,您还可以使用单个密钥忽略所有应用传输安全限制:
You can also ignore all app transport security restrictions with a single key, if your app has a good reason to do so:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
如果你的应用没有充分的理由,你可能会有被拒绝的风险:
If your app does not have a good reason, you may risk rejection:
将NSAllowsArbitraryLoads设置为true将允许它工作,但Apple非常清楚,他们打算拒绝使用此标志的应用程序而没有特定原因。使用NSAllowsArbitraryLoads的主要原因我可以想到的是用户创建的内容(链接共享,自定义Web浏览器等)。在这种情况下,Apple仍然希望您包含对您控制的URL强制执行ATS的例外。
Setting NSAllowsArbitraryLoads to true will allow it to work, but Apple was very clear in that they intend to reject apps who use this flag without a specific reason. The main reason to use NSAllowsArbitraryLoads I can think of would be user created content (link sharing, custom web browser, etc). And in this case, Apple still expects you to include exceptions that enforce the ATS for the URLs you are in control of.
如果您确实需要访问特定的URL,如果没有在TLS 1.2上提供服务,则需要为这些域编写特定的例外,而不是将NSAllowsArbitraryLoads设置为yes。您可以在NSURLSesssion WWDC会话中找到更多信息。
If you do need access to specific URLs that are not served over TLS 1.2, you need to write specific exceptions for those domains, not use NSAllowsArbitraryLoads set to yes. You can find more info in the NSURLSesssion WWDC session.
请小心共享NSAllowsArbitraryLoads解决方案。它不是Apple的推荐修复。
Please be careful in sharing the NSAllowsArbitraryLoads solution. It is not the recommended fix from Apple.
- kcharwood (感谢@ marco-tolman)
— kcharwood (thanks @marco-tolman)
这篇关于如何在iOS 9中启用App Transport Security加载HTTP URL?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
