NSAllowsArbitraryLoadsInWebContent in UIWebView

I was reviewing the documentation for NSAllowsArbitraryLoadsInWebContent:


https://developer.apple.com/library/prerelease/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW60


This states:


"An optional Boolean value that applies only to content to be loaded into an instance of the following classes:

Set this key’s value to

YES
to obtain exemption from ATS policies in your app’s web views, without affecting the ATS-mandated security of your
NSURLSession
connections.

Default value is

NO
.

To support older versions of iOS and OS X, you can employ this key and still manually configure ATS. To do so, set this key’s value to

YES
and also configure the
NSAllowsArbitraryLoads
subkeys.

If you add this key to your

Info.plist
file, then, irrespective of the value of the key, ATS ignores the value of the
NSAllowsArbitraryLoads
key.

Available starting in iOS 10.0 and macOS 10.12."


I was testing this in my app with the iOS 10 simulator (Xcode 8, beta 5), and was not able to get UIWebView to function properly on non-ATS compliant hosts -- I get an error like so:


2016-08-12 11:20:59.666 eBay[2528:1559544] NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9801)


Should we expect this to work for UIWebView in a future beta release, or is the support only available for WKWebView?


I saw Quinn's note, which only mentions WKWebView: https://forums.developer.apple.com/message/15705

Answered by DTS Engineer in 169737022

I took my UIWebView test app, changed the ATS dictionary to set just

NSAllowsArbitraryLoadsInWebContent
, and then pointed the app at that URL. I then set a breakpoint on
-webView:didFailLoadWithError:
and printed the full error:
(lldb) po error
Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred
and a secure connection to the server cannot be made."
UserInfo={_kCFStreamErrorCodeKey=-9801,
NSLocalizedRecoverySuggestion=Would you like to connect to the
server anyway?, NSUnderlyingError=0x610000241c50 {Error
Domain=kCFErrorDomainCFNetwork Code=-1200 "An SSL error has occurred
and a secure connection to the server cannot be made."
UserInfo={NSErrorFailingURLStringKey=https://fyp.ebay.com/
EnterUserInfo?&clientapptype=16, NSLocalizedRecoverySuggestion=Would
you like to connect to the server anyway?,
_kCFNetworkCFStreamSSLErrorOriginalValue=-9801,
_kCFStreamPropertySSLClientCertificateState=0,
NSLocalizedDescription=An SSL error has occurred and a secure
connection to the server cannot be made.,
_kCFStreamErrorDomainKey=3,
NSErrorFailingURLKey=https://fyp.ebay.com/EnterUserInfo?&
clientapptype=16, _kCFStreamErrorCodeKey=-9801}},
NSLocalizedDescription=An SSL error has occurred and a secure
connection to the server cannot be made.,
NSErrorFailingURLKey=https://fyp.ebay.com/EnterUserInfo?&
clientapptype=16,
NSErrorFailingURLStringKey=https://fyp.ebay.com/EnterUserInfo?&
clientapptype=16, _kCFStreamErrorDomainKey=3}

Note the failing URL,

https://fyp.ebay.com
. So
NSAllowsArbitraryLoadsInWebContent
is working for the initial URL but failing for this one.

Poking at that server with

TLSTool
I see the following:
$ TLSTool s_client -connect fyp.ebay.com:443
*  input stream did open
* output stream did open
* output stream has space
* protocol: TLS 1.0
* cipher: RSA_WITH_RC4_128_MD5
* trust result: unspecified
* certificate info:
*  0 + rsaEncryption 2048 sha256-with-rsa-signature 'fyp.ebay.com'
*  1 + rsaEncryption 2048 sha256-with-rsa-signature 'Symantec Class 3 Secure Server CA - G4'
*  2  rsaEncryption 2048 sha1-with-rsa-signature 'VeriSign Class 3 Public Primary Certification Authority - G5'
^C

Oi vey! That cypher suite,

RSA_WITH_RC4_128_MD5
, is chock full of obsolete and insecure protocols (RC4, MD5, no forward secrecy).

My guess as to what’s happening here is that

NSAllowsArbitraryLoadsInWebContent
has disabled most, but not all, of the ATS checks for UIWebView. So you can load plain text sites, and sites with other problems (for example,
scgi.ebay.com
doesn’t support forward secrecy), but either RC4 or MD5 is still tripping it up. Please file a bug about this, then post your bug number here, just for the record.

The obvious workaround would be to continue to use

NSAllowsArbitraryLoads
until this problem is resolved.

You should also contact the site owner: the level of security for that site is way below what I would expect to see on the modern Internet.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi,


I can confirm with public release 10.3 the issue is solved. WKWebview is properly using NSAllowsArbitraryLoads and NSAllowsArbitraryLoadsInWebContent flags.


Thanks!

NSAllowsArbitraryLoadsInWebContent in UIWebView
 
 
Q