ios, objective-c, swift, app-store-connect, app-transport-security

Displaying web images valid excuse for using NSAllowsArbitraryLoads?


Until now, we have only been setting NSAllowsLocalNetworking in our app's ATS settings.

However, we are now introducing link previews in our chat functionality. Links posted by a user are used to create a preview containing both the linked webpage's image and favicon.

The problem is that some links posted by users have favicons/images in clear-text (HTTP) format.

Is this a valid reason for using NSAllowsArbitraryLoads?

I am not 100% sure on the current status of ATS enforcement and whether user-generated links would be an acceptable exception.

(We are using the Kingfisher library to display these images in a UIImageView so NSAllowsArbitraryLoadsForMedia with AVFoundation is not possible.)


Solution

  • Although I cannot be certain what Apple will consider a valid reason (since they haven't started enforcing, so we have no information to go off of), having user-driven content in the app seems like it would be one of those scenarios that would require the broader NSAllowsArbitraryLoads exception.

    What I would recommend, in order to show Apple that you've done all that you can to secure any communication you can, would be to do the opposite of the most common technique. Normally, apps will leave ATS enabled (by leaving the default of NSAllowsArbitraryLoads as NO) while adding exception domains that disable ATS for certain domains. If I were you, I would do the opposite - set NSAllowsArbitraryLoads to YES, since you can't know what URLs might need ATS exceptions, then add exception domains for the domains that you control in the app (assuming there is some main server you get most of the app content from). This ensures communications with your server are secured using ATS standards, while all outside of the known servers will be exempt from ATS requirements. So turn ATS off, but turn it back on for domains in your control.

    From this great article on some common ATS configurations, you can see how you would set things up this way ("Example C: ATS disabled, with some exceptions"):

    [Image: "Example C: ATS disabled, with some exceptions" configuration]

    To me, this would be a good sign to Apple that you are trying as much as possible to comply with the spirit of ATS.
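
The layout the answer describes (ATS disabled globally, re-enabled for servers you control), shown as a constructed Info.plist with a small Python audit of it. This is an added example, not part of the original answer; `api.example.com` and the function names are placeholders. The NSAllowsLocalNetworking check reflects Apple's documented rule that NSAllowsArbitraryLoads is ignored on iOS 10 and later when that key is present.

```python
import plistlib

# Constructed Info.plist; api.example.com stands in for a server you control.
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><false/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

# Per Apple's documentation, any of these keys makes iOS 10+ ignore NSAllowsArbitraryLoads.
OVERRIDING_KEYS = ("NSAllowsArbitraryLoadsForMedia",
                   "NSAllowsArbitraryLoadsInWebContent", "NSAllowsLocalNetworking")

def covering_entry(exceptions, host):
    """Find the exception entry for host, honouring NSIncludesSubdomains on a parent."""
    if host in exceptions:
        return exceptions[host]
    for name, entry in exceptions.items():
        if entry.get("NSIncludesSubdomains", False) and host.endswith("." + name):
            return entry
    return None

def audit_ats(plist_bytes, owned_domains):
    """Return findings for the 'ATS off globally, on for owned domains' layout."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    exceptions = ats.get("NSExceptionDomains", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads", False):
        findings += [f"{key} present: NSAllowsArbitraryLoads is ignored on iOS 10+"
                     for key in OVERRIDING_KEYS if key in ats]
    for domain in owned_domains:
        entry = covering_entry(exceptions, domain.lower())
        if entry is None:
            findings.append(f"{domain}: no exception entry, inherits the global opt-out")
        elif entry.get("NSExceptionAllowsInsecureHTTPLoads", False):
            findings.append(f"{domain}: cleartext HTTP still allowed")
    return findings
```
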