App Transport Security blocks requests to http hosted PAC file with NSURLConnection

Originator: calum.h
Number: rdar://30299463
Date Originated: 01-Feb-2017 12:12 PM
Status: Closed
Resolved:
Product: macOS
Product Version: 10.12.3 16D32
Classification: Serious Bug
Reproducible: Always

Summary:
We utilise a proxy PAC file that is distributed to clients via DHCP option 252.
Clients are configured for Auto Proxy Discovery.

When using NSURLConnection to retrieve a resource on an HTTPS site,
NSURLConnection must first retrieve the proxy PAC file.
Presumably because this proxy PAC file is an HTTP resource, App Transport Security jumps in and blocks the request with the following error:

"App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file."


Steps to Reproduce:
1. Install macOS 10.12.x
2. Configure Auto Proxy Discovery.
3. Confirm that the Mac is receiving a PAC file URL and that the URL is http with:
# ipconfig getpacket en0

Example output would look like:
proxy_auto_discovery_url (string): http://pac.det.nsw.edu.au/det/itbproxy.pac

4. Run the attached Python script, which calls NSURLConnection from Foundation to load a particular text file on an HTTPS server.
5. Note the error output from the script.

Expected Results:
The script should execute, and the https resource requested by NSURLConnection should load and be output to stdout.


Actual Results:
The script fails with the error message from App Transport Security:
"App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file."


Regression:
This issue does not occur under 10.11.

Notes:
As mentioned by the error message from ATS, adding the following to the info plist in the Python script does allow the script to execute correctly:

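from Foundation import NSBundle
bundle = NSBundle.mainBundle()  # bundle of the running Python process
info = bundle.localizedInfoDictionary() or bundle.infoDictionary()
info[u"NSAppTransportSecurity"] = {u"NSAllowsArbitraryLoads": True}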

However, this feels like a dirty hack and not something that I want to enable in my Applications.
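
A narrower alternative to NSAllowsArbitraryLoads, as an added example that is not part of the original report or its attached script: it reads the DHCP option 252 URL from `ipconfig getpacket` output and builds an ATS exception scoped to the PAC host only. The helper names and every sample line except the PAC line are constructed, and whether a per-domain exception is enough for the PAC fetch is an assumption the report does not confirm.

```python
import plistlib
import re
from urllib.parse import urlsplit

# Constructed sample of `ipconfig getpacket en0` output; only the PAC line
# format comes from the report, the other lines are illustrative.
SAMPLE_PACKET = """\
op = BOOTREPLY
options:
domain_name_server (ip_mult): {10.0.0.1}
proxy_auto_discovery_url (string): http://pac.det.nsw.edu.au/det/itbproxy.pac
end (none):
"""

PAC_LINE = re.compile(
    r"^[ \t]*proxy_auto_discovery_url \(string\):\s*(\S+)\s*$", re.M)


def pac_url_from_packet(packet_text):
    """Return the DHCP option 252 URL from ipconfig output, or None."""
    match = PAC_LINE.search(packet_text)
    return match.group(1) if match else None


def is_cleartext(url):
    """True when the URL would be loaded over plain HTTP."""
    return urlsplit(url).scheme.lower() == "http"


def scoped_ats_exception(url):
    """Build an NSAppTransportSecurity dict exempting only the PAC host.

    Returns None when there is no URL or it is already https.
    """
    if url is None or not is_cleartext(url):
        return None
    host = urlsplit(url).hostname
    return {"NSExceptionDomains": {
        host: {"NSExceptionAllowsInsecureHTTPLoads": True}}}


def as_plist_fragment(ats):
    """Serialise the dict as it would sit under NSAppTransportSecurity."""
    return plistlib.dumps({"NSAppTransportSecurity": ats}).decode("utf-8")


if __name__ == "__main__":
    print(as_plist_fragment(scoped_ats_exception(
        pac_url_from_packet(SAMPLE_PACKET))))
```

In the PyObjC script, the returned dict would be assigned to info[u"NSAppTransportSecurity"] in place of the NSAllowsArbitraryLoads entry.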

Comments

Duplicate of 29752997 (Closed)

Apple Developer Relations 08-Mar-2017 06:51 AM

The original report on your issue has been closed recently. Please note that you will not be able to directly view the original report in order to keep its information confidential.

If you have further questions about this issue, please update your report using the Apple Bug Reporter http://bugreport.apple.com.

Apple Developer Relations 06-Feb-2017 06:49 PM

Engineering has determined that your bug report is a duplicate of another issue and will be closed.

The open or closed status of the original bug report your issue was duplicated to appears in the yellow "Duplicate of XXXXXXXX" section of the bug reporter user interface. This section appears near the top of the right column's bug detail view just under the bug number, title, state, product and rank.

If you have any questions or concerns, please update your report directly here: http://bugreport.apple.com/.

