HTTP localhost scheme for PAC file still working on latest Monterey Beta 9, is it by design?

We noticed from the Monterey Beta 8/Beta 9 release notes that -

Support for cleartext HTTP URL schemes for Proxy Automatic Configuration (PAC) is now deprecated. Use only HTTPS URL schemes for PAC. This affects all PAC configurations, including, but not limited to, configurations set via Settings, System Preferences, profiles, and URLSession APIs such as connectionProxyDictionary and CFNetworkExecuteProxyAutoConfigurationURL(_:_:_:_:). If you configure a cleartext HTTP PAC URL, the system may upgrade it to HTTPS during PAC file loads. Web Proxy Auto-Discovery (WPAD) Protocol via DNS isn’t affected. Dynamic Host Configuration Protocol (DHCP) Option 252 WPAD may attempt to upgrade cleartext HTTP URLs to HTTPS during PAC file loads. (61981845)

We have a product that delivers a PAC file through http://localhost, we verified with Beta 8 and Beta 9 builds this didn't cause any problem. The question is, is this expected? The release notes make it sound like the deprecation is enforced, or maybe this is because we are using "localhost"? If it's expected, are we going to keep this behavior in the final release?

(Because it's pretty late for us to fix the HTTP scheme in time for our product now. We'd be happy if we can get away with it for now and plan for a proper fix in the next release.)

Replies

We have a product that delivers a PAC file through http://localhost, we verified with Beta 8 and Beta 9 builds this didn't cause any problem. The question is, is this expected? The release notes make it sound like the deprecation is enforced, or maybe this is because we are using "localhost"?

Great question. If you do change the hostname or IP to a machine offsite and still use HTTP, does this cause a failure? If not I'd like to get a bug report down about this so that it can be further investigated. If you do end up opening a bug report, please respond back with the Feedback ID as I would be interested in this.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Thanks Matt! Looks like it is not enforced for remote connections either. Filed a ticket FB9716553.

From some logs we came through it looks like the Network framework tried to upgrade the connection to HTTPS and failed (expected because we didn't enable HTTPS on the target host during the test) and then it just fell back.

Still to our own concern - being this close to release we don't expect this behavior to change in GA right? ;p
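
An added example, not part of the thread and not Apple's or the poster's code: a small audit that parses `scutil --proxy` output and flags a PAC URL that still uses the cleartext HTTP scheme the release notes deprecate, separating loopback hosts (the `http://localhost` case above) from remote ones. The sample output is constructed, and the verdict labels are this example's own.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample in the layout printed by `scutil --proxy`; not real output.
SAMPLE_SCUTIL_OUTPUT = """\
<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
    1 : 169.254/16
  }
  HTTPEnable : 0
  ProxyAutoConfigEnable : 1
  ProxyAutoConfigURLString : http://localhost:8080/proxy.pac
}
"""
_KEY_VALUE = re.compile(r"^\s*(\w+)\s+:\s+(.*\S)\s*$")

def parse_scutil(text):
    """Return the top-level 'Key : value' pairs, skipping nested arrays."""
    settings, depth = {}, 0
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("{"):
            depth += 1
        elif stripped == "}":
            depth -= 1
        elif depth == 1 and (m := _KEY_VALUE.match(line)):
            settings[m.group(1)] = m.group(2)
    return settings

def is_loopback(host):
    """True for 'localhost' and for literal loopback addresses (127.0.0.0/8, ::1)."""
    if not host:
        return False
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def classify_pac(settings):
    """Return (verdict, url) for the configured PAC URL, if PAC is enabled."""
    url = settings.get("ProxyAutoConfigURLString")
    if settings.get("ProxyAutoConfigEnable") != "1" or not url:
        return ("no-pac", None)
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "https":
        return ("ok-https", url)
    if scheme != "http":
        return ("other-scheme", url)
    kind = "cleartext-loopback" if is_loopback(parts.hostname) else "cleartext-remote"
    return (kind, url)
```

On a Mac, feed the function the text captured from `scutil --proxy` in place of the sample string.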