iOS9不会从安全页面加载不安全的资源(SSL / HTTPS) [英] iOS9 does not load insecure resources from a secure page (SSL/HTTPS)
问题描述
我正在尝试使用https:// URL将页面加载到iOS9上的UIWebView中。加载的页面包括来自不安全服务器的CSS和图像。
I am trying to load a page into UIWebView on iOS9 using https:// URL. The page loaded includes CSS and images from an insecure server.
例如。加载的页面: https ://www.example.com/ ,其中包含样式表 http ://www.example.com /style.css 和图片 http ://www.example.com/image.jpg
E.g. the page loaded: https://www.example.com/ which includes stylesheet http://www.example.com/style.css and image http://www.example.com/image.jpg
如果原始页面是通过不安全连接(常规http)加载的,那么一切正常。 iOS8上的所有内容都可以通过HTTPS和HTTP工作。
Everything works if the original page is loaded via insecure connection (regular http). Everything works also on iOS8 both via HTTPS and HTTP.
我确实在应用程序PLIST文件中将 NSAppTransportSecurity 设置为 NSAllowsArbitraryLoads :
I did set NSAppTransportSecurity to NSAllowsArbitraryLoads in application PLIST file:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
虽然通过HTTPS加载页面时,图像加载正常,但CSS文件不加载。似乎 UIWebView 阻止从安全页面加载不安全的资源。
Though when loading the page via HTTPS, the images are loaded OK, but CSS files are not. Seems like UIWebView blocks loading insecure resources from a secure page.
是否有任何 UIWebView 的设置允许通过不安全连接加载CSS?
Is there any setting of UIWebView that will allow to load CSS via insecure connection?
推荐答案
这与ATS无关。 WebKit强制执行混合内容策略,当通过https提供主机页面时,该策略禁止访问某些活动内容(JS,CSS等),而不是通过不安全的连接加载。
This is not related to ATS. WebKit enforces a mixed content policy that disallows access to certain classes of "active" content (JS, CSS, etc) from being loaded over an insecure connection when the host page is being served over https.
如果您在检查器中检查您的页面,您将在错误面板中看到此报告。
If you examine your page in the Inspector you will see this being reported in the error panel.
跟进:您无法关闭混合内容阻止。允许不安全的CSS或JS会将整个页面的安全性降低到安全性最低的资源的安全性。如果你必须通过http加载css / js的解决方案是通过http加载整个页面。这样,用户看到的UI正确反映了内容的安全性。
Follow up: You can't turn off mixed content blocking. Allowing insecure CSS or JS reduces the security of the entire page to that of the least secure resource. The solution if you must load css/js over http is to load the entire page over http. That way the UI seen by the user correctly reflects the security of the content.
这篇关于iOS9不会从安全页面加载不安全的资源(SSL / HTTPS)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
