Tags: ios, xcode, ios9, xcode7, app-transport-security

App Transport Security NOT Working for .ninja domain names (Swift 2 / Xcode 7)


Using Xcode 7/Swift 2 and trying to load a webpage, I keep getting blocked by App Transport Security (ATS) -- and the reason seems to be that ATS doesn't work for the .ninja web extension.

Meaning, you can add an exception for domains.com and you can go to this site in a webview. But, you cannot add an exception for domains.ninja, although this is a valid web address. I have tested this out fully.

Right now the only way I am able to load content from somewebsite.ninja is if I completely turn ATS off in my Info.plist file (NSAppTransportSecurity > NSAllowsArbitraryLoads > YES), but I know this isn't the right way to do things. I'm also worried that this may cause issues when I submit my app to the App Store when it's done.

Does anyone know how to add an exception to ATS for the .ninja domain?

<key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>domains.com</key>
            <dict>
                <key>NSTemporaryExceptionMinimumTLSVersion</key>
                <string>TLSv1.1</string>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
                <true/>
            </dict>
            <key>domains.ninja</key>
            <dict>
                <key>NSTemporaryExceptionMinimumTLSVersion</key>
                <string>TLSv1.1</string>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
                <true/>
            </dict>
        </dict>
    </dict>

The above will allow you to load up domains.com but not domains.ninja in a webview, even though the keys/options are exactly the same other than the domain name extension.


Solution

  • I was able to get the domains.ninja page to load in a UIWebView but I had to include all of the other domains that the page referenced - various analytics, CDN and tracking sites.

    The excerpt from my Info.plist is:

    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>domains.ninja</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
            </dict>
            <key>www.geoplugin.net</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
            </dict>
            <key>marketo.net</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
            </dict>
            <key>googleapis.com</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
            </dict>
            <key>netdna.bootstrapcdn.com</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
            </dict>
            <key>www.google-analytics.com</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
                <true/>
            </dict>
            <key>mktoresp.com</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
                <true/>
            </dict>
            <key>gstatic.com</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key>
                <true/>
            </dict>
        </dict>
    </dict>
    

    So, in the end it is probably simpler to just turn ATS off in general and add exceptions for domains that do support TLS.
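As an added example (not part of the question or the answer above, and not Apple's tooling), the following Python script does two things a reviewer would want before shipping either plist: it audits the NSAppTransportSecurity dictionary for weakened settings (a global NSAllowsArbitraryLoads, per-domain plain-HTTP exceptions, and a minimum TLS version below the 1.2 floor), and, given the HTML of the page the webview will load, it lists the hosts referenced over plain HTTP that have no exception entry, which is exactly the situation the answer ran into with the analytics, CDN and tracking hosts. It assumes the XML plist format Xcode writes and that you have the page's HTML on hand; the plist excerpt and HTML embedded below are constructed sample data (hosts taken from the answer's list, paths are placeholders), and only the standard library is used. The NSException*, NSThirdPartyException* and NSTemporaryException* spellings of the per-domain keys are treated alike, since ATS accepts all three.

```python
"""Audit an Info.plist's App Transport Security block and predict which hosts a
page load will still trip over. Added example, not code from the question or
answer; assumes the XML plist format Xcode writes and a local copy of the
page's HTML."""
import plistlib
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed Info.plist excerpt in the shape of the question's (sample data).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>domains.ninja</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
      <key>domains.com</key>
      <dict>
        <key>NSTemporaryExceptionMinimumTLSVersion</key><string>TLSv1.1</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed HTML standing in for the page; hosts come from the answer's
# list, paths are placeholders.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://netdna.bootstrapcdn.com/placeholder.css">
<script src="//www.google-analytics.com/placeholder.js"></script>
<script src="https://ajax.googleapis.com/placeholder.js"></script>
</head><body>
<img src="http://static.domains.ninja/placeholder.png">
<iframe src="http://www.geoplugin.net/placeholder.gp"></iframe>
</body></html>"""

# ATS accepts three spellings of each per-domain key; audit them alike.
_PREFIXES = ("NSException", "NSThirdPartyException", "NSTemporaryException")
HTTP_KEYS = tuple(p + "AllowsInsecureHTTPLoads" for p in _PREFIXES)
TLS_KEYS = tuple(p + "MinimumTLSVersion" for p in _PREFIXES)


def _tls_below_1_2(version):
    """True for strings like 'TLSv1.0' / 'TLSv1.1'; False for 1.2+, None or junk."""
    m = re.fullmatch(r"TLSv(\d+)\.(\d+)", version or "")
    return m is not None and (int(m.group(1)), int(m.group(2))) < (1, 2)


def audit_ats(plist_bytes):
    """Return (severity, scope, message) findings for weakened ATS settings."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("high", "*", "NSAllowsArbitraryLoads disables ATS for every host"))
    for host, rules in ats.get("NSExceptionDomains", {}).items():
        scope = host + " and subdomains" if rules.get("NSIncludesSubdomains") else host
        if any(rules.get(k) for k in HTTP_KEYS):
            findings.append(("medium", host, "plain HTTP permitted to " + scope))
        for k in TLS_KEYS:
            if _tls_below_1_2(rules.get(k)):
                findings.append(("low", host, f"{k}={rules[k]} is below the TLS 1.2 floor for {scope}"))
    return findings


class _Subresources(HTMLParser):
    """Collect (host, scheme) for every subresource URL in the page."""
    ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self, page_scheme):
        super().__init__()
        self.page_scheme = page_scheme  # scheme-relative URLs inherit this
        self.refs = set()

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(self.ATTRS.get(tag))
        if not url:
            return
        parts = urlsplit(url)
        if parts.hostname:  # relative paths stay on the page's own host
            self.refs.add((parts.hostname.lower(), parts.scheme or self.page_scheme))


def _covered(host, exceptions):
    """True when an NSExceptionDomains entry applies to host (exact, or via NSIncludesSubdomains)."""
    for domain, rules in exceptions.items():
        d = domain.lower()
        if host == d or (rules.get("NSIncludesSubdomains") and host.endswith("." + d)):
            return True
    return False


def uncovered_http_hosts(plist_bytes, html_text, page_scheme="http"):
    """Hosts the page loads over plain HTTP that have no ATS exception entry, sorted."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    exceptions = ats.get("NSExceptionDomains", {})
    parser = _Subresources(page_scheme)
    parser.feed(html_text)
    return sorted(h for h, s in parser.refs if s == "http" and not _covered(h, exceptions))


if __name__ == "__main__":
    for severity, _, message in audit_ats(SAMPLE_PLIST):
        print(f"[{severity}] {message}")
    print("needs an exception:", uncovered_http_hosts(SAMPLE_PLIST, SAMPLE_HTML))
```

Run against a real project by reading the app's Info.plist bytes and the saved page HTML instead of the two samples. Note that the host list only covers what the static HTML references; scripts that load further resources at runtime (common with analytics tags) will add hosts the audit cannot see, so it is a lower bound, not a guarantee.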