Ho-Kuo Chan (HPE) created CB-13469:
--------------------------------------
Summary: allow-navigation using * to include sub-domains translates to invalid ATS NSExceptionDomains XCode9 (9A235) and iOS11
Key: CB-13469
URL: https://issues.apache.org/jira/browse/CB-13469
Project: Apache Cordova
Issue Type: Bug
Components: cordova-ios
Affects Versions: cordova-ios 4.5.0, [email protected]
Environment: XCode 9 (9A235), iOS11, AFNetworking 3.1.0, cordova-advanced-http 1.5.10
Reporter: Ho-Kuo Chan (HPE)
Assignee: Suraj Pindoria
Previously in XCode 8 and iOS <= 10, SSL Pinning was functioning correctly
using the <allow-navigation> key in config.xml and cordova-advanced-http. Upon
upgrading to XCode 9 and testing on iOS11, it was discovered that our app could
no longer connect to the web server presenting a signed certificate even though
the signing certificate was bundled in the app. Disabling ATS allowed the
connection to proceed.
Through communication with Apple Technical Support, it was determined that when
the <allow-navigation> key contains a trailing "/*" (meaning any path in
Android), the corresponding NSExceptionDomain becomes invalid in iOS11 and
XCode 9. For example, if config.xml contains:

    <allow-navigation href="https://*.mydomain.com/*" />

this gets translated into an Info.plist with:

    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>mydomain.com/*</key>

but should be:

            <key>mydomain.com</key>

From Apple Tech Support:
The `mydomain.com/*` string is wrong. It should be `mydomain.com`. Keys for
the `NSExceptionDomains` dictionary are DNS names, and only DNS names. You
can’t include URL path fragments. Even literal IP addresses are unsupported in
this context.
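
The mapping described in this report, as an added example (not code from cordova-ios or from the reporter): it reduces an allow-navigation href to a key that is a DNS name only, and flags generated keys that are not. The function names and the sample dictionary are hypothetical.

```javascript
// Added example, not cordova-ios code; function names are hypothetical.
const DNS_LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;
const IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

// True only for a bare DNS name: no scheme, path, port, wildcard or IP literal.
function isValidExceptionDomainKey(key) {
  if (typeof key !== 'string' || key.length === 0 || key.length > 253) return false;
  if (IPV4_LITERAL.test(key)) return false;
  return key.toLowerCase().split('.').every((label) => DNS_LABEL.test(label));
}

// Reduce an <allow-navigation> href to the parts ATS can express:
// a DNS-name key plus a flag that would map to NSIncludesSubdomains.
// Returns null when no valid key exists (IP literal, bare "*", non-host href).
function exceptionDomainFromHref(href) {
  const match = /^(?:[^:\/?#]+:\/\/)?([^\/?#]*)/.exec(String(href).trim());
  let host = match[1].replace(/^[^@]*@/, '').toLowerCase(); // drop userinfo
  if (host.startsWith('[')) return null;                     // IPv6 literal
  host = host.replace(/:\d+$/, '');                          // drop port
  const includesSubdomains = host.startsWith('*.');
  if (includesSubdomains) host = host.slice(2);              // "*.a.com" -> "a.com"
  if (!isValidExceptionDomainKey(host)) return null;
  return { domain: host, includesSubdomains };
}

// Return the keys of a generated NSExceptionDomains dictionary that are not
// plain DNS names, for checking a built Info.plist before shipping.
function findInvalidExceptionKeys(exceptionDomains) {
  return Object.keys(exceptionDomains).filter((k) => !isValidExceptionDomainKey(k));
}

// Constructed sample: the dictionary shape from the report, as a JS object.
const generated = { 'mydomain.com/*': {}, 'example.org': {} };
console.log(findInvalidExceptionKeys(generated));
console.log(exceptionDomainFromHref('https://*.mydomain.com/*'));
```
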