App Transport Security

  1. 7 months ago

    C T

    8 Jan 2019 Ontario, Canada

    I just updated to Xojo 2018r4 and followed the blog on App Transport Security as I was updating an old app. The general waiver in info.plist

    <key>NSAppTransportSecurity</key>
    <dict>
      <!-- Include to allow all connections; avoid if possible -->
      <key>NSAllowsArbitraryLoads</key>
      <true/>
    </dict>

    works perfectly. But when I try to designate just one specific website in the plist without "https" it doesn't work for me. Anybody else tried it yet?

    I just tweaked the Info.plist in the Cats example to remove the arbitrary loads key and it still seems to be working.

    Examples/Communication/Web Services/CatAPI

    Info.plist now looks like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>NSAppTransportSecurity</key>
    <dict>
    		<key>NSExceptionDomains</key>
    		<dict>
    			<key>thecatapi.com</key>
    			<dict>
    				<key>NSIncludesSubdomains</key>
    				<true/>
    				<key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
    				<true/>
    			</dict>
    		</dict>
    </dict>
    </dict>
    </plist>
  2. Paul L

    8 Jan 2019 Xojo Inc Answer http://docs.xojo.com

    I just tweaked the Info.plist in the Cats example to remove the arbitrary loads key and it still seems to be working.

    Examples/Communication/Web Services/CatAPI

    Info.plist now looks like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>NSAppTransportSecurity</key>
    <dict>
    		<key>NSExceptionDomains</key>
    		<dict>
    			<key>thecatapi.com</key>
    			<dict>
    				<key>NSIncludesSubdomains</key>
    				<true/>
    				<key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
    				<true/>
    			</dict>
    		</dict>
    </dict>
    </dict>
    </plist>
  3. C T

    8 Jan 2019 Ontario, Canada

    Sorry Paul, but that is an invalid test. I just went to that web site and found that it is "https" (secure) anyway
    You need an unsecured page to truly test this. Here is one so you don't have to look around:
    http://www.quotationspage.com

  4. Paul L

    8 Jan 2019 Xojo Inc http://docs.xojo.com

    You’re right. Looks like TheCatAPI updated to https some time last year and I hadn’t noticed.

    I’ll take a peek at your URL when I am back in the office.

  5. 4 months ago

    Aurelian N

    Apr 5 Pre-Release Testers, Xojo Pro

    Hello, Paul

    And how do you implement this in OSX Apps ? specially that you need to run that in debug mode for testing ?

    In my case I have a service provider that offer us a connector with a localhost url

    http://localhost:8081/service

    What can I do in this case ? I cannot even test the code as I have that error thrown. I know it is not XOJO but in some cases we really don't need https so is there a way to add that on build time to have those options added on debug as well ?

    Thanks in advance.

  6. Aurelian N

    Apr 5 Pre-Release Testers, Xojo Pro

    @Aurelian N Hello, Paul

    And how do you implement this in OSX Apps ? specially that you need to run that in debug mode for testing ?

    In my case I have a service provider that offer us a connector with a localhost url

    http://localhost:8081/service

    What can I do in this case ? I cannot even test the code as I have that error thrown. I know it is not XOJO but in some cases we really don't need https so is there a way to add that on build time to have those options added on debug as well ?

    Thanks in advance.

    Done, fix it , it seems that I had wrong data in the plist file.

    Thanks

or Sign Up to reply!