Does iOS11 not block redirect to http?

Question

tailor OP

Created Dec ’17

Replies 7

Boosts 0

Views 5.1k

Participants 3

In my app I currently use the default ATS Behavior, no extra info.plist entry.

When opening a link I rely on the following delegate method to filter non HTTPS-Content.

-(void)webView:(UIWebView *)webView didFailLoadWithError:(NSError *)error;

Utilizing "didFailLoadWithError", I display the error using an Alert.

I currently have the issue that I have an https-request, that redirects to an http-URL.

https://referalURL.com -> http://SomeDomain.com

In Xcode 9.2, iOS 10.3 this causes an NSError (Code -1022, "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection."). Which is what I want.

In Xcode 9.2, iOS 11.2 I don't get any Error.

How can I prevent this behaviour?

Boost

Answer 1

DTS Engineer OP

Apple

Dec ’17

ATS should block HTTP connections, even thought resulting from an HTTPS redirect. If you implement the

-URLSession:task:willPerformHTTPRedirection:newRequest:completionHandler:

delegate method, does it get called? If so, what do you see in the

URL

property of the

newRequest

parameter?

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

1

Answer 2

tailor OP

Dec ’17

Implementing the

URLSession:task:willPerformHTTPRedirection:newRequest:completionHandler:

delegate method, I do see the redirectionURL, thanks for the suggestion. I think I now need to get more info from the server team on how the specific redirection is actually implemented. since I am only seeing https-referrals and the behavior is still as before.

Could this error (-1022, appearing only on <iOS11) be caused by implementing Non-HTTPs-Resources on the (newRequest.URL) destination-Page as well?

0

Answer 3

DTS Engineer OP

Apple

Dec ’17

I’m sorry but I don’t really understand the context of your latest questions. When you catch the redirect:

What is the HTTP status code?
What do you see in the
```
Location
```
header?

Note To see these you’ll need to force cast

response

to an

NSHTTPURLResponse

and then access the

statusCode

and

allHeaderFields

properties.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

1

Answer 4

tailor OP

Dec ’17

Here's my implementation:

- (void)webViewLoadRequestWithSession:(BOOL)session
{
    NSURL *url = [NSURL URLWithString:@"https://referalURL.com"];
    NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:url];

    if (session == NO)
    {
        [self.webView loadRequest:request];
    }
    else
    {
        NSURLSessionConfiguration *ephemeralConfiguration =
        [NSURLSessionConfiguration ephemeralSessionConfiguration];

        NSOperationQueue *oQueue = [NSOperationQueue mainQueue];

        NSURLSession *ephemeralSession =
        [NSURLSession sessionWithConfiguration:ephemeralConfiguration
                                      delegate:self
                                 delegateQueue:oQueue];

        NSURLSessionDataTask *task =
        [ephemeralSession dataTaskWithRequest:request
                            completionHandler:^(NSData *data,
                                                NSURLResponse *response,
                                                NSError *error)
         {
             if (error == nil)
             {
                 NSString *urlString = request.URL.absoluteString;
                 [self.webView loadRequest:request];
             }
             else
             {
                 [self showErrorWithTitle:@"Error"
                                  message:error.localizedDescription];
             }
         }];

        [task resume];
    }

}


- (void)URLSession:(NSURLSession *)session
              task:(NSURLSessionTask *)task
willPerformHTTPRedirection:(NSHTTPURLResponse *)response
        newRequest:(NSURLRequest *)request
completionHandler:(void (^)(NSURLRequest *))completionHandler
{
    NSInteger statusCode = response.;
    NSLog(@"statusCode: %i",statusCode);

    NSDictionary *allHeaderFields = response.allHeaderFields;
    NSString *locationHeader = [allHeaderFields objectForKey:@"Location"];
    NSLog(@"locationHeader: %@",locationHeader);

    NSString *newURLString = request.URL.absoluteString;
    NSLog(@"newURLString: %@",newURLString);

    completionHandler(request);
}


- (BOOL)webView:(UIWebView *)webView
shouldStartLoadWithRequest:(NSURLRequest *)request
navigationType:(UIWebViewNavigationType)navigationType
{
    NSURL *requestURL = request.URL;
    NSString *scheme = [requestURL.scheme lowercaseString];

    BOOL startLoading = [scheme isEqualToString: @"https"];

    return startLoading;
}

When calling

[self webViewLoadRequestWithSession:YES];

On iOS 10 the delegate method (willPerformHTTPRedirection) delivers:

statusCode: 303
locationHeader: http://www.SomeDomain.com
newURLString: http://www.SomeDomain.com

Calling the completionHandler, I get the above stated ATS error -1022 in all cases.

On iOS 11 the delegate method (willPerformHTTPRedirection) delivers:

statusCode: 303
locationHeader: http://www.SomeDomain.com
newURLString: https://www.SomeDomain.com

Calling the completionHandler, error == nil and the website will load, yet in some cases the css and some other ressources are missing.

Also, with this implementation of the delegate callback I don't see the https://referalURL.com at all, if I call

[self webViewLoadRequestWithSession:NO];

The requestURL will be https://referalURL.com

0

Answer 5

DTS Engineer OP

Apple

Dec ’17

On iOS 11 the delegate method (willPerformHTTPRedirection) delivers:
statusCode: 303
locationHeader:
http://www.SomeDomain.com
newURLString:
https://www.SomeDomain.com

Note how the

Location

header is HTTP but the actual URL is HTTPS. The most common cause for that sort of thing is HTTP Strict Transport Security (HSTS). It’s hard to make any concrete assertions about that without knowing the actual URLs in question but that’s what I’d recommend that you investigate.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 6

jzilske OP

Jan ’18

I tried to find authoritative information since when HSTS is supported on iOS but failed. Could this be since iOS 11?

0

Answer 7

DTS Engineer OP

Apple

Feb ’18

HSTS has been around for a while (I had a quick look and I found evidence that it’s supported in at least iOS 8 and possibly earlier) but the preload list gets bigger with every release so there were a lot of folks who first tripped over this in iOS 11.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0