I’m implementing the Xojo.Net.HTTPSocket for the first time instead of the classic HTTPSocket (why oh why did Xojo make some things in the new framework so different!).
In the LR, it says the following about OS X and iOS:
[quote]Starting with iOS 9 and OS X 10.11, you have to use secure “https” connections or you will get this error: “The resource could not be loaded because the App Transport Security policy requires the use of a secure connection”. To continue to connect to non-secure “http” connections that you do not control you’ll have to provide a plist with a temporary exception specified for each site you are accessing via http[/quote]
Now I do not understand this because first of all, why would Apple try to restrict access to non-HTTPS sites? There’s tons of possible non-HTTPS sites out there. Second, I myself am running a non-HTTPS site for providing some info that my app connects to and gets information. I don’t have any plist file as the LR talks about and I have not received any exceptions or errors. So I’m not sure where this note applies. I’m running High Sierra.
So where does this apply?
This Policy goes into action in Sandboxed Apps (which applies to iOS in general and macOS for MAS Apps).
Thank you. Since I’m not MAS or Sandboxed it makes no difference.
So then are users of an app that are trying to access a non-HTTPS site basically hosed? That’s crazy. Not every web page has to be secure!
Not again this discussion please. You are right, but it does not hurt and does not cost any additional cent to offer HTTPS connections today. I’m with Apple at this point and say “Every connection should be secured at least with minimum standard.”.
Not if the Dev is acting accordingly.
Please don’t misunderstand me. I don’t say you do anything wrong. Instead I say, you can ignore all this at the moment, as long as you don’t plan to support iOS and/or MAS Sandboxing.
[quote=354510:@Sascha S]Not again this discussion please. You are right, but it does not hurt and does not cost any additional cent to offer HTTPS connections today. I’m with Apple at this point and say “Every connection should be secured at least with minimum standard.”.[/quote]
Oh, I’m not going to attempt to re-litigate that issue. It’s more a question of: If I have an app that a user wants to use to connect an HTTPSocket to an un-secure website, this is not possible - right? Other than putting exceptions in the plist file, I don’t see how to do it but maybe I’m not understanding something.
The big question for me right now was answered. I was afraid of having some exception thrown on some user someplace because I didn’t have a secure connection. But you answered that so thank you.
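The per-site plist exception that the Language Reference quote refers to, as an added example (not part of the thread or of Xojo's documentation): a constructed Info.plist with one scoped exception beside the blanket opt-out, and a small Python audit that flags both. The host info.example.com, the function name audit_ats and the severity labels are assumptions; the NSAppTransportSecurity keys are Apple's.

```python
import plistlib

# Constructed sample Info.plist (not from the thread): one scoped exception
# for a hypothetical host, info.example.com.
SCOPED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>info.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSIncludesSubdomains</key>
        <false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>"""

# Constructed counter-example: the blanket opt-out that turns ATS off for every host.
BLANKET_PLIST = b"""<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
</dict></plist>"""

def audit_ats(plist_bytes):
    """Return (severity, message) findings for the ATS settings in an Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append(("high", "ATS disabled for all hosts"))
    for domain, opts in sorted(ats.get("NSExceptionDomains", {}).items()):
        if opts.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            scope = "and subdomains" if opts.get("NSIncludesSubdomains") else "only"
            findings.append(("medium", f"plain http allowed for {domain} {scope}"))
    return findings

if __name__ == "__main__":
    for name, data in (("scoped", SCOPED_PLIST), ("blanket", BLANKET_PLIST)):
        for severity, message in audit_ats(data):
            print(f"{name}: [{severity}] {message}")
```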