Automatic ATS exception for *.apple.com?

2019-07-18 02:21发布

问题:

I was wondering how a sample app (https://developer.apple.com/library/ios/samplecode/sc1791/Introduction/Intro.html) from Apple was able to establish "clear" http connection without any App Transport Security exception. I thought initially that it was the AVFoundation automatic exception for encrypted HLS mentioned during the WWDC 2016 (lecture 706). But I can't reproduce it with my app.

There seems to be an automatic ATS exception for clear http request to *.apple.com. The very simple ios app code below shows funny results:

#import "ViewController.h"

@interface ViewController ()

@end

@implementation ViewController

- (void) loadUrl:(NSString*)url {
    NSData* data = [[NSData alloc] initWithContentsOfURL:[NSURL URLWithString:url]];

    if ( data == nil ) {
        NSLog (@"Failed %@", url);
    } else {
        NSLog(@"Success %@", url);
    }
}

- (void)viewDidLoad {
    [super viewDidLoad];
    // Do any additional setup after loading the view, typically from a nib.

    setenv("CFNETWORK_DIAGNOSTICS", "3", 1);

    [self loadUrl:@"http://images.apple.com/v/ipad-pro/d/built/styles/main.built.css"];

    // P.S. images.apple.com = 23.204.108.40
    [self loadUrl:@"http://23.204.108.40/v/ipad-pro/d/built/styles/main.built.css"];

    [self loadUrl:@"http://stackoverflow.com/"];
}

- (void)didReceiveMemoryWarning {
    [super didReceiveMemoryWarning];
    // Dispose of any resources that can be recreated.
}

@end

The output log is:

2016-07-08 17:58:33.003 test_ats[1392:79179] CFNetwork diagnostics log file created at: /Users/-------/Library/Developer/CoreSimulator/Devices/67E929A8-9487-404B-87C1-35FB38CD67DE/data/Containers/Data/Application/D4D0CA81-889E-4E58-A4F8-DBDDB516AC1B/Library/Logs/CrashReporter/CFNetwork_com.------.test-ats_1392.nwlrb.log
2016-07-08 17:58:33.085 test_ats[1392:79130] Success http://images.apple.com/v/ipad-pro/d/built/styles/main.built.css
2016-07-08 17:58:33.086 test_ats[1392:79189] App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.
2016-07-08 17:58:33.086 test_ats[1392:79130] Failed http://23.204.108.40/v/ipad-pro/d/built/styles/main.built.css
2016-07-08 17:58:33.087 test_ats[1392:79130] Failed http://stackoverflow.com/

The network diagnostic file shows that the first http request passed and two others were blocked by ATS (if -1022 is indeed ATS)

[...]
Response Error
    Request: <CFURLRequest 0x7fa328c4e5c0 [0x10e795a40]> {url = http://23.204.108.40/v/ipad-pro/d/built/styles/main.built.css, cs = 0x0}
      Error: Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"
[...]
Response Error
    Request: <CFURLRequest 0x7fa328c54240 [0x10e795a40]> {url = http://stackoverflow.com/, cs = 0x0}
      Error: Error Domain=kCFErrorDomainCFNetwork Code=-1022 "(null)"
[...]