HTMLViewer with insecure website

I have a small project for a local inmobiliaria, part of which requires the loading of a web page in order to get an appointment from a public government web page:-

This page, and indeed the whole site, sports an issue with its certificate which shows a dire warning in all web browsers I have installed (Safari, Firefox and chrome)
While this may not be ideal, its a government site and there is less chance of getting them to update the certification than expecting anyone to turn up on time over here in the beautiful country of Espaa, ignoring these warnings obviously allows the site to load without problems.

anyway sob story over, is there a way to force this web site to load in the Xojo HTMLViewer?

Mac, 10.13.6, 2016r3, 2019r1.1 and r2 in use.



That site loads fine for me - the certificate is valid. (testing from the USA, macOS 10.14, Safari 13.0.1)

Thanks Michael,
sadly that is not the case on any machine we have over here.
On Safari (13.0.1) I get a red lock icon with a line through and in vary large bold text ‘This Connection Is Not Private’ with other warnings about the site stealing data and personal information.

when I try it in a simple Xojo HTMLViewer using the link above it returns this in my error textfield (19r2), ‘ERR No:-’ is my added text to the textarea:-

ERR No:–1202 The certificate for this server is invalid. You might be connecting to a server that is pretending to be “” which could put your confidential information at risk.

and thats all I get, the viewer shows absolutely nothing.

the mobile version of Safari on my iPhone does load it without interaction but does inform that the connection is insecure.

therefore the original question remains, if this issue appears is it possible to force the load in HTMLViewer as I can on any standard browser? or are there suggestions as to what may be happening.

have you set the plist key for allowing insecure connections ?

search the forums for NSAllowsArbitraryLoads

Hi Norman,

nope, and now you say that, I have looked more closely at the user guide, where ‘App Transport Security’ (which immediately had no meaning to me) now takes me in to a new code place.

that seems to be a solution in my development, but is my understanding this is only Mac, which I use exclusively obviously.
sadly the heathens who are to use this app will be on windows.

I am getting the feeling that I do not want to waste time working on making the inbuilt HTMLViewer do things I would expect to work out of the box, but then again why should I expect that, I have used Xojo for years and that expectation is not the case elsewhere so what am I thinking!.

time to refactor customer expectations to meet their budget, which in this case is actually achievable.

Thanks for the replies, much appreciated.

I can load it without getting any warning. What happens if you restart in Save mode and reach the site?
In other words, could it not be your machine’s settings creating the issue?

Hi Carlo,

I suppose that is a logical possibility, although I have not seen this on any other web site that I visit.
it is also the case on my MacMini, my wifes MacBookPro, the windows computers in the office of my customer, my daughters win laptop and a Chromebook of a grandchild.
all are on completely different networks and located in the Alicante region of Spain where this web site is designed to be used.

this is the warning I get in google, I do not know how to post a picture so this is the text.

Dangerous Not secure or Dangerous
We suggest you don’t enter any private or personal information on this page. If possible, don’t use the site.

Not secure: Proceed with caution. Something is severely wrong with the privacy of this site’s connection. Someone might be able to see the information you send or get through this site.

You might see a “Login not secure” or “Payment not secure” message.

Dangerous: Avoid this site. If you see a full-page red warning screen, the site has been flagged as unsafe by Safe Browsing. Using the site will likely put your private information at risk.

the browser shows a big red triangle with ‘Not Secure’ next to it, so its there second worst level.

I do not believe anything in the systems over here could cause this to happen(but stand to be corrected), in my own case I have never changed the settings in Chrome from how it boots up from install yesterday.
I can not imagine how this could be generated by a setting in the local machine, and that setting to be able to effect three completely different browsers.

does anyone know what I might do to get more details as to the issue from the browser?

on safari I am able to look at the certificate and it shows the error to be this:-

“AC RAIZ FNMT-RCM” certificate is not trusted

the certificate is issued by:- AC Administracin Pblica and expires 17/01/2021

I suspect there is nothing I am able to do about this.

Sorry, I was under the impression the issue was affecting your machine only.
And the fact that it affects three browsers is by itself baffling. Yet I’d try clearing the browser’s history (History > Clear History), quit Safari and re-open it.

Thanks Carlo,

that has all been done, but if safari is saying the certificate is not trusted I suspect the system clear out is never going to do anything.
I checked my safari and it is actually 13.0.2 version, but that should not matter.

I have found a windows 7 bootcamp in my MacMini and with it running the version of Firefox it has, perhaps 6 months old, it loads the page but has a yellow triangle on top of a padlock symbol which when clicked says the site is ‘not secure and has weak encryption’ plus ‘other people can view or modify information or the web sites behaviour’.

so the outcome would seem to be that I will have to make some text based instructions for the users to use their own browsers as I am not going to invest time in a property, that I would like the inbuilt HTMLViewer to have, which is ‘allow_insecure_browsing=true’.


I get the warning with Safari and Chrome, the page doesn’t open. With Firefox the page opens but there is a yellow triangle over the lock next to the URL. Weird that others don’t get a warning.

Thank You Alberto,

I wish the results were bad in non Spanish speaking countries and good here in a Spanish speaking one!

So here in the heat of early autumn I will sit in our pool tomorrow and ignore this issue for a while, eventually the client will notice I am not online and probably join me in the pool and have a beer, we will both ignore the issue for a good while.

at some point we will both get a call from our much better halves, they will inquire what the heck we are doing out of the offices.
when they get here I suspect they will force me to open a nice bottle of fizzy stuff and then we will have to listen to all the reasons why we should not have got into the pool in the first place.

after a bit of tapa its likely no one will actually care too much about all that.
tomorrow we will write a series of highly informative post-it note with instructions how to copy and paste a URL into a browser, which is likely how the office staff do it already, before we all decided to ‘improve’ productivity with an application.

having read this scenario back to myself I think we will just invite the staff around for drinks and a dip in the pool where we can ask them how they think we can make it a bit easier for them, perhaps waterproof post-it notes?

Thanks to all who input, the problem is resolved.

Did you try NSURLRequestCertificateFilterMBS class in MBS Xojo Plugins?
It allows you to ignore certificates for a host.

hi Christian,
no I did not, thanks for the idea but sadly this little project has nothing in it to buy your great plugins.
plus as I mentioned above, this will be developed on a Mac but deployed on non Mac machines.

hi Christian,

for completeness I did test your plugin and it does exactly what I hoped and opened the website without issue on my Mac.