iOS9 does not load insecure resources from a secur

2020-01-24 11:50发布

站内问答 / iOS
901 6 2

I am trying to load a page into UIWebView on iOS9 using https:// URL. The page loaded includes CSS and images from an insecure server.

E.g. the page loaded: https://www.example.com/ which includes stylesheet http://www.example.com/style.css and image http://www.example.com/image.jpg

Everything works if the original page is loaded via insecure connection (regular http). Everything works also on iOS8 both via HTTPS and HTTP.

I did set NSAppTransportSecurity to NSAllowsArbitraryLoads in application PLIST file:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

Though when loading the page via HTTPS, the images are loaded OK, but CSS files are not. Seems like UIWebView blocks loading insecure resources from a secure page.

Is there any setting of UIWebView that will allow to load CSS via insecure connection?

6条回答
ゆ 、 Hurt°
2楼-- · 2020-01-24 12:30

In your info.plist you need to add the following App Transport Security keys:

NSAppTransportSecurity                                      Dictionary
    NSAllowsArbitraryLoads                                  Boolean       YES
    NSExceptionDomains                                      Dictionary    
        **YOUR-DOMAIN-HERE**                                Dictionary
            NSExceptionAllowsInsecureHTTPLoads              Boolean       YES
            NSIncludesSubdomains                            Boolean       YES
            NSThirdPartyExceptionAllowsInsecureHTTPLoads    Boolean       YES

Hopefully this should work for you.

查看更多
0人赞 添加讨论(0) 举报
家丑人穷心不美
3楼-- · 2020-01-24 12:37

App Transport Security revised in iOS9 release. Now onwards your application is safe from un secure connection. And iOS forces to make secure connection. This can be conflict in your case.

From Apple documentation

If your app needs to make a request to an insecure domain, you have to specify this domain in your app's Info.plist file

So I think this can make an issue while loading .css file for web pages.

So give a try specify your domain in info.plist and check that .css files are loaded or not.

Edit:

Spotlight: You need to add more keys here in info.plist.

Look at this key NSThirdPartyExceptionAllowsInsecureHTTPLoads this allows a service domain which is not controlled by developer and add an exception to Transport layer to by pass insecure resources.

The structure for adding keys for App Transport Security is below:

enter image description here

For more details and explanation about all keys check this note - App Transport Security Technote

查看更多
0人赞 添加讨论(0) 举报
冷血范
4楼-- · 2020-01-24 12:41

On Xcode 8.3.3 (8E3004b)

It has changed to

App Transport Security Settings > Allow Arbitrary Loads in Web Content > YES

enter image description here

查看更多
0人赞 添加讨论(0) 举报
Emotional °昔
5楼-- · 2020-01-24 12:50

This is not related to ATS. WebKit enforces a mixed content policy that disallows access to certain classes of "active" content (JS, CSS, etc) from being loaded over an insecure connection when the host page is being served over https.

If you examine your page in the Inspector you will see this being reported in the error panel.

Follow up: You can't turn off mixed content blocking. Allowing insecure CSS or JS reduces the security of the entire page to that of the least secure resource. The solution if you must load css/js over http is to load the entire page over http. That way the UI seen by the user correctly reflects the security of the content.

查看更多
0人赞 添加讨论(0) 举报
霸刀☆藐视天下
6楼-- · 2020-01-24 12:52

Below procedure enable me to open not secure content in WKWebView.

  1. First I added Allow Arbitrary Loads in Web Content = YES and Allow Arbitrary Loads = YES in App Transport Security Settings dictionary in info.plist. enter image description here

  2. I have added below wkwebview delegate method:

    func webView(_ webView: WKWebView, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) { completionHandler(.useCredential, URLCredential(trust: challenge.protectionSpace.serverTrust!)) }

    For 2nd step don't forget to register delegate as:

    override func viewDidLoad() { super.viewDidLoad() self.webView.navigationDelegate = self }

查看更多
0人赞 添加讨论(0) 举报
疯言疯语
7楼-- · 2020-01-24 12:54

I use webkit tool but i can't open the link that ssl not allow (some https links) and it's work on swift4 by this code (you must declare delegate before)

override func viewDidLoad() {
    super.viewDidLoad()

    let url = URL(string: currentAttach.fileUrl!)
    let req = URLRequest(url:url!)
    self.webView!.load(req)
    self.webView.navigationDelegate = self

    }
}

extension ViewController: WKNavigationDelegate{

    //MARK:- WKNavigationDelegate
    //For Allow SSL https
    func webView(_ webView: WKWebView, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        completionHandler(.useCredential, URLCredential(trust: challenge.protectionSpace.serverTrust!))
    }

    func webView(_ webView: WKWebView, didFailProvisionalNavigation navigation: WKNavigation!, withError error: Error) {
        print(error.localizedDescription)
    }

    func webView(_ webView: WKWebView, didStartProvisionalNavigation navigation: WKNavigation!) {
        print("Strat to load")
        startLoading()
    }

    func webView(_ webView: WKWebView, didFinish navigation: WKNavigation!) {
        print("finish to load")
        stopLoading()
    }

}
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(2)