App Transport Security should not block http requests to localhost

Originator: mteper
Number: rdar://22060893
Date Originated: 7/29/2015
Status: Open
Resolved:
Product: iOS
Product Version: 9
Classification: Security
Reproducible: Yes

Summary:
ATS makes perfect sense and I commend Apple on taking a strong stance in favor of security, but blocking localhost requests does not make sense and only makes developer life needlessly complicated. Setting up multiple (or even just one!) SSL endpoints on a single-machine development environment is a huge hassle and serves no security benefit. Please opt localhost out of ATS blocking by default!

NOTE: Yes, it is possible to opt out by adding keys to the Info.plist file, but again, this is unnecessary hassle.

Steps to Reproduce:
Create an app and have it contact a localhost URL. Launch the app in XTractor and observe a message along these lines in the log:

App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.

Expected Results:
HTTP calls to localhost should not be blocked.

Actual Results:
App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.

Version:
iOS9 in Xcode 7 beta 4

Notes:
Reproducible 100% of the time.

Configuration:
Macbook Air
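
The Info.plist opt-out the NOTE refers to, as an added example that is not part of the report: the blanket NSAllowsArbitraryLoads setting (shown commented out) beside a per-domain exception scoped to the single host localhost, so every other connection the app makes keeps full ATS enforcement. The plist wrapper and the placement among the app's other keys are assumed; only the NSAppTransportSecurity dictionary matters.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- The app's other Info.plist keys go here (assumed); only the ATS
         dictionary is shown. -->

    <!-- Weak form, deliberately NOT used here: turns ATS off for every
         host the app talks to, not just the local dev server.
         <key>NSAppTransportSecurity</key>
         <dict>
             <key>NSAllowsArbitraryLoads</key>
             <true/>
         </dict>
    -->

    <!-- Narrow form: cleartext HTTP is permitted only for the host
         "localhost"; all other hosts keep the ATS defaults (HTTPS,
         TLS 1.2, forward-secrecy cipher suites). -->
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <!-- The key is matched against the hostname as written in the
                 URL the app loads, so requests must use "localhost". -->
            <key>localhost</key>
            <dict>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <!-- NSIncludesSubdomains is left unset (default false) so
                     the exception cannot widen beyond this one host. -->
            </dict>
        </dict>
    </dict>
</dict>
</plist>
```

Keep this exception in a debug-only Info.plist (Xcode lets INFOPLIST_FILE differ per build configuration) so release builds never ship with cleartext loads enabled.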
