Is it safe to add localhost to App Transport Security (ATS) NSExceptionDomains?

ios iphone https app-transport-security
KlimczakM picture KlimczakM · Jul 21, 2016 · Viewed 15.9k times · Source

Is it safe, in terms of security, to add localhost to ATS NSExceptionDomains for development use? It's not very convenient (and it's easy to forget) to remove those lines from Info.plist file before every commit.

<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>localhost</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>

Additionally, can Apple reject the application because of this?

Answer

Joseph picture Joseph · Oct 14, 2016

You can now do this for local addresses:

<key>NSAppTransportSecurity</key>    
<dict>
    <key>NSAllowsLocalNetworking</key>
    <true/>
</dict>

Apple has blessed this key as an ATS exception — it has said it will not reject apps for using it. More info here: https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html (search in page for "local")

Related questions

How can I develop for iPhone using a Windows development machine?

Is there any way to tinker with the iPhone SDK on a Windows machine? Are there plans for an iPhone SDK version for Windows? The only other way I can think of doing this is to run a Mac VM …

Read More
Xcode error "Could not find Developer Disk Image"

When attempting to run a build on a connected iOS device in Xcode I get the error: Could not find Developer Disk Image I saw that there was a public beta for Xcode, so I installed it. One of the …

Read More
Install .ipa to iPad with or without iTunes

I have the .ipa from PhoneGap build and I need to test it. I got provisioning profile from Developer account. So my question is: can I directly put my .ipa to iPad to install for testing, or do I have …

Read More