[
https://issues.apache.org/jira/browse/CB-13469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ho-Kuo Chan (HPE) updated CB-13469:
-----------------------------------
Summary: allow-navigation using * to include path translates to invalid ATS
NSExceptionDomains XCode9 (9A235) and iOS11 (was: allow-navigation using * to
include sub-domains translates to invalid ATS NSExceptionDomains XCode9 (9A235)
and iOS11)
> allow-navigation using * to include path translates to invalid ATS
> NSExceptionDomains XCode9 (9A235) and iOS11
> --------------------------------------------------------------------------------------------------------------
>
> Key: CB-13469
> URL: https://issues.apache.org/jira/browse/CB-13469
> Project: Apache Cordova
> Issue Type: Bug
> Components: cordova-ios
> Affects Versions: [email protected], cordova-ios 4.5.0
> Environment: XCode 9 (9A235)
> iOS11
> AFNetworking 3.1.0
> cordova-advanced-http 1.5.10
> Reporter: Ho-Kuo Chan (HPE)
> Assignee: Suraj Pindoria
>
> Previously in XCode 8 and iOS <= 10, SSL Pinning was functioning correctly
> using the <allow-navigation> key in config.xml and cordova-advanced-http.
> Upon upgrading to XCode 9 and testing on iOS11, it was discovered that our
> app could no longer connect to the web server presenting a signed certificate
> even though the signing certificate was bundled in the app. Disabling ATS
> allowed the connection to proceed.
> Through communication with Apple Technical Support, it was determined that
> when the <allow-navigation> key contains a trailing "/*" (meaning any path in
> Android), the corresponding NSExceptionDomain becomes invalid in iOS11 and
> XCode 9. For example, if config.xml contains:
>     <allow-navigation href="https://*.mydomain.com/*" />
> this gets translated into an Info.plist with:
>     <key>NSAppTransportSecurity</key>
>     <dict>
>         <key>NSExceptionDomains</key>
>         <dict>
>             <key>mydomain.com/*</key>
> but should be:
>     <key>mydomain.com</key>
> From Apple Tech Support:
> The `mydomain.com/*` string is wrong. It should be `mydomain.com`. Keys for
> the `NSExceptionDomains` dictionary are DNS names, and only DNS names. You
> can’t include URL path fragments. Even literal IP addresses are unsupported
> in this context.
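
The translation the report asks for, as an added example that is not part of the original message and is not cordova-ios source: derive the `NSExceptionDomains` key from an `<allow-navigation>` href by keeping only the DNS name. The function names `isValidAtsDomainKey` and `atsEntryFromHref` are hypothetical, and the sample hrefs are constructed.

```javascript
// Added illustration, not cordova-ios source. Function names are hypothetical.

// A DNS name: dot-separated labels of letters, digits and hyphens, max 253 chars.
const LABEL = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
const DNS_NAME = new RegExp(`^(?=.{1,253}$)${LABEL}(?:\\.${LABEL})*$`, 'i');
const IPV4 = /^\d{1,3}(?:\.\d{1,3}){3}$/;

// True only for strings usable as an NSExceptionDomains key:
// DNS names, with no path fragment, wildcard or literal IP address.
function isValidAtsDomainKey(key) {
  return DNS_NAME.test(key) && !IPV4.test(key);
}

// Map an allow-navigation href to { domain, includesSubdomains }, or null
// when the href cannot be expressed as a per-domain ATS exception.
function atsEntryFromHref(href) {
  // Drop the scheme, then keep only the authority (up to '/', '?' or '#').
  const m = /^(?:[a-z][a-z0-9+.-]*:\/\/)?([^\/?#]*)/i.exec(href.trim());
  let host = m[1]
    .replace(/^[^@]*@/, '')        // userinfo
    .replace(/:(?:\d+|\*)$/, '')   // port, numeric or wildcard
    .toLowerCase();
  // A leading "*." is carried by NSIncludesSubdomains, not by the key itself.
  const includesSubdomains = host.startsWith('*.');
  if (includesSubdomains) host = host.slice(2);
  if (!isValidAtsDomainKey(host)) return null;
  return { domain: host, includesSubdomains };
}

// Constructed sample hrefs; the first is the one quoted in the report.
const samples = [
  'https://*.mydomain.com/*',
  'https://mydomain.com/app/*',
  'https://192.168.0.10/*',
  '*',
];
for (const href of samples) {
  console.log(href, '->', JSON.stringify(atsEntryFromHref(href)));
}
```

Running `isValidAtsDomainKey` over the keys of a generated Info.plist is a quick build-time check for the malformed `mydomain.com/*` entry described above.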