iOS 9 ... Are WebView(s) exempt from the App Transport Security Exceptions (ATS) rules that block insecure HTTP hosts?

ios uiwebview ios9 wkwebview app-transport-security
Ben Guild picture Ben Guild · Jun 26, 2015 · Viewed 17.8k times · Source

In iOS 9, Apple is blocking insecure HTTP connections for apps, unless specific hosts are whitelisted.

http://ste.vn/2015/06/10/configuring-app-transport-security-ios-9-osx-10-11/

Are WebView(s) exempt from these rules for obvious reasons, or are we still expected to whitelist hosts that a browser opens... including all links from a given page?

I wasn't sure if this was our responsibility or if that was exempt.

Answer

cannyboy picture cannyboy · Jul 15, 2015

SFSafariViewController can show HTTP without the NSAppTransportSecurity key.

UIWebView and WKWebView require the NSAppTransportSecurity key mentioned above to display HTTP pages.

Related questions

Cannot load HTTP links in UIWebView in iOS 9

I am trying to load HTTP links within UIWebView. The links are from my website so they are reliable. I have searched the internet and found the solution here: How can I add NSAppTransportSecurity to my info.plist file? After …

Read More
How to load local html file into UIWebView

I'm trying to load a html file into my UIWebView but it won't work. Here's the stage: I have a folder called html_files in my project. Then I created a webView in interface builder and assigned an outlet to …

Read More
Can I set the cookies to be used by a WKWebView?

I'm trying to switch an existing app from UIWebView to WKWebView. The current app manages the users login / session outside of the webview and sets the cookies required for authentication into the the NSHTTPCookieStore. Unfortunately new WKWebView doesn't use the …

Read More