I am trying to load a page into UIWebView on iOS9 using https:// URL. The page loaded includes CSS and images from an insecure server.
E.g. the page loaded: https://www.example.com/ which includes stylesheet http://www.example.com/style.css and image http://www.example.com/image.jpg
Everything works if the original page is loaded via insecure connection (regular http). Everything works also on iOS8 both via HTTPS and HTTP.
I did set NSAppTransportSecurity to NSAllowsArbitraryLoads in application PLIST file:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
Though when loading the page via HTTPS, the images are loaded OK, but CSS files are not. Seems like UIWebView blocks loading insecure resources from a secure page.
Is there any setting of UIWebView that will allow to load CSS via insecure connection?
This is not related to ATS. WebKit enforces a mixed content policy that disallows access to certain classes of "active" content (JS, CSS, etc) from being loaded over an insecure connection when the host page is being served over https.
If you examine your page in the Inspector you will see this being reported in the error panel.
Follow up: You can't turn off mixed content blocking. Allowing insecure CSS or JS reduces the security of the entire page to that of the least secure resource. The solution if you must load css/js over http is to load the entire page over http. That way the UI seen by the user correctly reflects the security of the content.