iOS

App Transport Security and LocalHost

With iOS9 and OS X 10.11 Apple has introduced App Transport Security which requires a secure connection be made for all NSURLSession connections.  While this encourages developers to use best practices for secure connections this can create interesting side effects if you are using an embedded web server.

If you are using an embedded web service like the excellent GCDWebServer project and target iOS9 you will see the following messages in your Xcode console:

WebServer booted: http://localhost:12344/
2015-07-18 20:34:07.372 myApp[615:6289] App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app’s Info.plist file.

To work around this problem you need to create an NSExceptionDomains for localhost in your application’s Info.plist.  As of iOS9 beta 3 the following Info.plist entries allows your application’s UIWebView or WKWebView to use localhost to access your embedded web server.

<key>NSAppTransportSecurity</key>
<dict>
   <key>NSExceptionDomains</key>
   <dict>
       <key>localhost</key>
       <dict>
       	<key>NSTemporaryExceptionAllowsInsecureHTTPSLoads</key>
           <false/>        	
           <key>NSIncludesSubdomains</key>
           <true/>
           <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
           <true/>
           <key>NSTemporaryExceptionMinimumTLSVersion</key>
           <string>1.0</string>
           <key>NSTemporaryExceptionRequiresForwardSecrecy</key>
           <false/>
       </dict>
   </dict>
</dict>