ATS Exception for all media resources
| Originator: | joshsloat | ||
| Number: | rdar://31097287 | Date Originated: | 3/16/2017 |
| Status: | Open | Resolved: | |
| Product: | iOS + SDK | Product Version: | |
| Classification: | Enhancement Request | Reproducible: | Always |
Summary: We have an iPad app that allows the user to search the web (custom non web view UI) to find and download images to include in a presentation. The user enters a search term, thumbnails are presented in a collection view and the user is allowed to select an image, that will then be downloaded and added to her canvas. The search and retrieval are using Google image search APIs. We have no control over where this content will come from; much like browsing the web in general, we could be pulling content from any arbitrary URL from any server in the world and have no control over the security configurations of these machines. This presents obvious issues with ATS. We do not use a web view anywhere in this flow, so NSAllowsArbitraryLoadsInWebContent does not apply. Further, NSAllowsArbitraryLoadsForMedia is documented to only work for media that the app loads using the AV Foundation framework (rather than any/all media including images). In investigating this, I have: * Watched WWDC 2016 Session 706 * Read about all transport security keys: https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW33 * Read Quinn “The Eskimo!”s very detailed forum posts on the matter: https://forums.developer.apple.com/message/200894#200894 and https://forums.developer.apple.com/message/15705#15705 Following this guidance: https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW36 Our current approach is to use ATS NSExceptionDomains when communicating with servers whose security attributes we control, but then also enable NSAllowsArbitraryLoads to allow downloading of images from arbitrary URLs. I'm fairly certain that there's no way to accomplish what we need to accomplish without this approach, but once enforced (TBD 2017), it will require escalated review - and for an exception to be granted by the review team. Based on everything I have read, I believe this to be a "reasonable justification", but it would be nice if instead we had access to a new key - something like NSAllowsArbitraryLoadsForMedia - that would allow for downloading media resources/assets like images from anywhere, as well. Steps to Reproduce: Use any API that attempts to access image resources from servers that are not ATS compliant. Expected Results: It would be nice for this to not require a special exception from the App Store review team to work as intended. Actual Results: Without enabling NSAllowsArbitraryLoads, the request will fail depending on the image's host server's configuration. Version: iOS 9 and above Configuration: Any iOS device
Comments
Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!