[
https://issues.apache.org/jira/browse/CB-13469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ho-Kuo Chan (HPE) updated CB-13469:
-----------------------------------
Description:
Previously in XCode 8 and iOS <= 10, SSL Pinning was functioning correctly
using the <allow-navigation> key in config.xml and cordova-advanced-http. Upon
upgrading to XCode 9 and testing on iOS11, it was discovered that our app could
no longer connect to the web server presenting a signed certificate even though
the signing certificate was bundled in the app. Disabling ATS allowed the
connection to proceed.
Through communication with Apple Technical Support, it was determined that when
the <allow-navigation> key contains a trailing "/*" (meaning any path in
android), the corresponding NSExceptionDomain becomes invalid in iOS11 and
XCode 9. For example, if config.xml contains:
<allow-navigation href="https://*.mydomain.com/*">
this gets translated into a Info.plist with:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>mydomain.com/*</key>
but should be:
<key>mydomain.com</key>
From Apple Tech Support:
The `mydomain.com/*` string is wrong. It should be `mydomain.com`. Keys for
the `NSExceptionDomains` dictionary are DNS names, and only DNS names. You
can’t include URL path fragments. Even literal IP addresses are unsupported in
this context.
was:
Previously in XCode 8 and iOS <= 10, SSL Pinning was functioning correctly
using the <allow-navigation> key in config.xml and cordova-advanced-http. Upon
upgrading to XCode 9 and testing on iOS11, it was discovered that our app could
no longer connect to the web server presenting a signed certificate even though
the signing certificate was bundled in the app. Disabling ATS allowed the
connection to proceed.
Through communication with Apple Technical Support, it was determined that when
the <allow-navigation> key contains a trailing "/*" (meaning any path in
android), the corresponding NSExceptionDomain becomes invalid in iOS11 and
XCode 9. For example, if config.xml contains:
<allow-navigation href="https://*.mydomain.com/*>
this gets translated into a Info.plist with:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>mydomain.com/*</key>
but should be:
<key>mydomain.com</key>
From Apple Tech Support:
The `mydomain.com/*` string is wrong. It should be `mydomain.com`. Keys for
the `NSExceptionDomains` dictionary are DNS names, and only DNS names. You
can’t include URL path fragments. Even literal IP addresses are unsupported in
this context.
> allow-navigation using * to include path translates to invalid ATS
> NSExceptionDomains XCode9 (9A235) and iOS11
> --------------------------------------------------------------------------------------------------------------
>
> Key: CB-13469
> URL: https://issues.apache.org/jira/browse/CB-13469
> Project: Apache Cordova
> Issue Type: Bug
> Components: cordova-ios
> Affects Versions: [email protected], cordova-ios 4.5.0
> Environment: XCode 9 (9A235)
> iOS11
> AFNetworking 3.1.0
> cordova-advanced-http 1.5.10
> Reporter: Ho-Kuo Chan (HPE)
> Assignee: Suraj Pindoria
>
> Previously in XCode 8 and iOS <= 10, SSL Pinning was functioning correctly
> using the <allow-navigation> key in config.xml and cordova-advanced-http.
> Upon upgrading to XCode 9 and testing on iOS11, it was discovered that our
> app could no longer connect to the web server presenting a signed certificate
> even though the signing certificate was bundled in the app. Disabling ATS
> allowed the connection to proceed.
> Through communication with Apple Technical Support, it was determined that
> when the <allow-navigation> key contains a trailing "/*" (meaning any path in
> android), the corresponding NSExceptionDomain becomes invalid in iOS11 and
> XCode 9. For example, if config.xml contains:
> <allow-navigation href="https://*.mydomain.com/*">
> this gets translated into a Info.plist with:
> <key>NSAppTransportSecurity</key>
> <dict>
> <key>NSExceptionDomains</key>
> <dict>
> <key>mydomain.com/*</key>
> but should be:
> <key>mydomain.com</key>
> From Apple Tech Support:
> The `mydomain.com/*` string is wrong. It should be `mydomain.com`. Keys for
> the `NSExceptionDomains` dictionary are DNS names, and only DNS names. You
> can’t include URL path fragments. Even literal IP addresses are unsupported
> in this context.