Tags: objective-c, macos, cocoa, nsurl

Assuring that HTTP cannot be used with NSImage initWithContentsOfURL (and other such APIs)


I have code to synchronously load an image from a website:

NSURL* url = [NSURL URLWithString:[NSString stringWithCString:urlString encoding:NSUTF8StringEncoding]];
returnImage = [[NSImage alloc] initWithContentsOfURL:url];

And also this code to synchronously load a file.

NSURL * url = [NSURL URLWithString:[NSString stringWithCString:pURL encoding:NSUTF8StringEncoding]];
NSError * error;
NSData * dataFromFileAtURL = [NSData dataWithContentsOfURL:url options:NSDataReadingUncached error:&error];

As an aside, I have just discovered that dataWithContentsOfURL is not recommended for this purpose, and I guess I will be changing it to use [NSURLConnection sendSynchronousRequest]. But for now, this is the code, and I suspect my question applies to either version.

Both of these are correctly downloading files from the internet, and both are refusing to download insecure http: links. Refusing insecure links is the behavior I need, so a more trusting soul than I am might conclude I was done. But I can't find any documentation that guarantees that they will be refused. I am concerned that there may be circumstances where these APIs may accept insecure links. Is there documentation somewhere about how to control this? Google searches have not proven fruitful.


Solution

  • This behavior is documented in the NSAppTransportSecurity documentation and the Preventing Insecure Network Connections documentation. These documents explain where ATS is applied, what rules it enforces, and how to enable exceptions to those rules.
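
An added example, not part of the original question or answer: a defence-in-depth wrapper that refuses any non-https URL in code and also refuses to load when the app's Info.plist declares an ATS exception that re-enables cleartext HTTP. The helper names `ATSForbidsInsecureLoads` and `LoadHTTPSOnly` are hypothetical; the key names are those of the NSAppTransportSecurity dictionary.

```objective-c
#import <Foundation/Foundation.h>

// Hypothetical helper (not from the original post): YES when the given
// Info.plist dictionary has no ATS key that permits cleartext HTTP loads.
static BOOL ATSForbidsInsecureLoads(NSDictionary *info) {
    NSDictionary *ats = info[@"NSAppTransportSecurity"];
    if (![ats isKindOfClass:[NSDictionary class]]) return YES; // no exceptions declared
    for (NSString *key in @[@"NSAllowsArbitraryLoads",
                            @"NSAllowsArbitraryLoadsForMedia",
                            @"NSAllowsArbitraryLoadsInWebContent",
                            @"NSAllowsLocalNetworking"]) {
        id value = ats[key];
        if ([value isKindOfClass:[NSNumber class]] && [value boolValue]) return NO;
    }
    NSDictionary *domains = ats[@"NSExceptionDomains"];
    if ([domains isKindOfClass:[NSDictionary class]]) {
        for (NSString *domain in domains) {
            NSDictionary *rule = domains[domain];
            if (![rule isKindOfClass:[NSDictionary class]]) continue;
            id insecure = rule[@"NSExceptionAllowsInsecureHTTPLoads"];
            if ([insecure isKindOfClass:[NSNumber class]] && [insecure boolValue]) return NO;
        }
    }
    return YES;
}

// Hypothetical helper: loads data only when the URL scheme is https and the
// running app's ATS configuration has not been relaxed. The scheme check
// covers the initial request; ATS is what blocks a redirect from https to http.
static NSData *LoadHTTPSOnly(const char *urlString, NSError **error) {
    NSString *s = urlString ? [NSString stringWithCString:urlString
                                                 encoding:NSUTF8StringEncoding] : nil;
    NSURL *url = s ? [NSURL URLWithString:s] : nil;
    BOOL https = url.scheme != nil &&
                 [url.scheme caseInsensitiveCompare:@"https"] == NSOrderedSame;
    if (!https || !ATSForbidsInsecureLoads([[NSBundle mainBundle] infoDictionary])) {
        if (error) *error = [NSError errorWithDomain:NSURLErrorDomain
                                                code:NSURLErrorUnsupportedURL
                                            userInfo:nil];
        return nil; // also rejects file:, ftp: and malformed URLs
    }
    return [NSData dataWithContentsOfURL:url options:NSDataReadingUncached error:error];
}
```

The same gate can precede `[[NSImage alloc] initWithContentsOfURL:url]`; running `ATSForbidsInsecureLoads` once at launch turns an accidental Info.plist exception into a visible failure.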