iOS9 does not load insecure resources from a secure page (SSL/HTTPS)

I am trying to load a page into UIWebView on iOS9 using https:// URL. The page loaded includes CSS and images from an insecure server.

E.g. the page loaded: https://www.example.com/ which includes stylesheet http://www.example.com/style.css and image http://www.example.com/image.jpg

Everything works if the original page is loaded via insecure connection (regular http). Everything works also on iOS8 both via HTTPS and HTTP.

I did set NSAppTransportSecurity to NSAllowsArbitraryLoads in application PLIST file:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

Though when loading the page via HTTPS, the images are loaded OK, but CSS files are not. Seems like UIWebView blocks loading insecure resources from a secure page.

Is there any setting of UIWebView that will allow loading CSS via an insecure connection?

This is not related to ATS. WebKit enforces a mixed content policy that disallows certain classes of "active" content (JS, CSS, etc.) from being loaded over an insecure connection when the host page is being served over https.

If you examine your page in the Inspector you will see this being reported in the error panel.


Follow up: You can't turn off mixed content blocking. Allowing insecure CSS or JS reduces the security of the entire page to that of the least secure resource. The solution if you must load css/js over http is to load the entire page over http. That way the UI seen by the user correctly reflects the security of the content.
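To find which resources trip this policy before shipping, the check can be run offline over the page's HTML. The following is an added example, not code from the original answers; the active/passive tag table follows the general mixed content categories (scripts, stylesheets and frames are active, images and media are passive) and the sample HTML is constructed from the URLs in the question.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# "active" subresources can rewrite the page; "passive" ones are only displayed.
KIND = {("script", "src"): "active", ("iframe", "src"): "active",
        ("img", "src"): "passive", ("audio", "src"): "passive",
        ("video", "src"): "passive"}


class MixedContentAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            rels = (a.get("rel") or "").lower().split()
            refs = [("active", a.get("href"))] if "stylesheet" in rels else []
        else:
            refs = [(k, a.get(attr)) for (t, attr), k in KIND.items() if t == tag]
        for kind, ref in refs:
            url = urljoin(self.page_url, ref or "")  # resolves relative and // URLs
            if ref and urlsplit(url).scheme == "http":
                self.findings.append((kind, tag, url))


def audit(page_url, html):
    """Insecure subresources of an HTTPS page; an HTTP page has no mixed content."""
    if urlsplit(page_url).scheme != "https":
        return []
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample modelled on the URLs in the question.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://www.example.com/style.css">
<link rel="stylesheet" href="/local.css">
<script src="//www.example.com/app.js"></script>
</head><body><img src="http://www.example.com/image.jpg"></body></html>"""

if __name__ == "__main__":
    for finding in audit("https://www.example.com/", SAMPLE):
        print(*finding)
```

Entries reported as "active" are the ones the web view refuses to load; serving them over https (or with relative URLs) is the fix.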

In your info.plist you need to add the following App Transport Security keys:

NSAppTransportSecurity                                      Dictionary
    NSAllowsArbitraryLoads                                  Boolean       YES
    NSExceptionDomains                                      Dictionary    
        **YOUR-DOMAIN-HERE**                                Dictionary
            NSExceptionAllowsInsecureHTTPLoads              Boolean       YES
            NSIncludesSubdomains                            Boolean       YES
            NSThirdPartyExceptionAllowsInsecureHTTPLoads    Boolean       YES

Hopefully this should work for you.
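Because these exceptions tend to stay in a shipped Info.plist long after the experiment that added them, it helps to audit the file for every setting that permits cleartext HTTP. The following is an added example, not code from the original answers; the sample plist is constructed, `legacy.example.com` is a placeholder domain, and `NSAllowsArbitraryLoadsInWebContent` is the raw key name behind Xcode's "Allow Arbitrary Loads in Web Content" entry.

```python
import plistlib

# Constructed Info.plist combining the ATS keys suggested in the answers;
# "legacy.example.com" is a placeholder domain.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>NSAppTransportSecurity</key>
<dict>
  <key>NSAllowsArbitraryLoads</key><true/>
  <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
  <key>NSExceptionDomains</key>
  <dict>
    <key>legacy.example.com</key>
    <dict>
      <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      <key>NSIncludesSubdomains</key><true/>
    </dict>
  </dict>
</dict>
</dict></plist>"""

GLOBAL_KEYS = {
    "NSAllowsArbitraryLoads": "ATS disabled for every connection the app makes",
    "NSAllowsArbitraryLoadsInWebContent": "ATS disabled for web view content",
}
DOMAIN_KEYS = ("NSExceptionAllowsInsecureHTTPLoads",
               "NSThirdPartyExceptionAllowsInsecureHTTPLoads")


def audit_ats(plist_bytes):
    """Return (scope, key, note) for every ATS setting that permits cleartext HTTP."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = [("global", k, note) for k, note in GLOBAL_KEYS.items() if ats.get(k) is True]
    for domain, cfg in sorted(ats.get("NSExceptionDomains", {}).items()):
        scope = domain + (" (+subdomains)" if cfg.get("NSIncludesSubdomains") else "")
        findings += [(scope, k, "cleartext HTTP allowed") for k in DOMAIN_KEYS if cfg.get(k) is True]
    return findings


if __name__ == "__main__":
    for scope, key, note in audit_ats(SAMPLE_PLIST):
        print(f"{scope}: {key} -> {note}")
```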

App Transport Security was revised in the iOS 9 release. From now on your application is safe from insecure connections, and iOS forces it to make secure connections. This can be the conflict in your case.

From Apple documentation

If your app needs to make a request to an insecure domain, you have to specify this domain in your app's Info.plist file

So I think this can cause an issue while loading .css files for web pages.

So try specifying your domain in Info.plist and check whether the .css files are loaded or not.

Edit:


Spotlight: You need to add more keys here in info.plist.

Look at this key, NSThirdPartyExceptionAllowsInsecureHTTPLoads: it allows a service domain which is not controlled by the developer and adds an exception to the transport layer to bypass insecure resources.

The structure for adding keys for App Transport Security is below:

For more details and explanation about all keys check this note - App Transport Security Technote

On Xcode 8.3.3 (8E3004b)

It has changed to

App Transport Security Settings > Allow Arbitrary Loads in Web Content > YES

The procedure below enabled me to open non-secure content in WKWebView.

  1. First I added Allow Arbitrary Loads in Web Content = YES and Allow Arbitrary Loads = YES in the App Transport Security Settings dictionary in Info.plist.
  2. I added the WKWebView delegate method below:

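    func webView(_ webView: WKWebView,
                 didReceive challenge: URLAuthenticationChallenge,
                 completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // serverTrust is nil for non-TLS challenges (e.g. HTTP basic auth), so do not force-unwrap it.
        guard let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Accepts whatever certificate the server presents, without evaluating the trust chain.
        completionHandler(.useCredential, URLCredential(trust: trust))
    }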

    For the 2nd step, don't forget to register the delegate:

    override func viewDidLoad() {
        super.viewDidLoad()
        self.webView.navigationDelegate = self
    }

Explicit https will always serve the image securely (even when the page is not served securely), while relative linking will serve the image securely only if the page is served securely. In Firefox and Chrome you can click on the padlock and get more information about the problem.

It can help you check for “not secure” warnings and content after big changes. It is available on Windows, Mac, and Ubuntu. The free plan allows you to check up to 100 pages. Step 3. The next step is confirming that those resources loading over HTTP are accessible over HTTPS. They most likely are, you just need to update the links.

While you might not be familiar with TLS (Transport Layer Security) it is the successor to SSL (Secure Socket Layer) and provides a collection of cryptographic protocols to enforce security over network connections. The TLS level is controlled by the web service that you are consuming and is therefore outside of the app's control.

Comments
  • If you add an HSTS header the browser will automatically upgrade all HTTP links to your domain to HTTPS (but ideally you should fix the links too).
  • Have there been any new updates on this anyone?? Is it possible now to do this maybe with WKWebView or a new iOS tool?
  • @illis69, not that I know of. The requirement not to load insecure resources from secure pages is a reasonable one, so it probably won't be changed.
  • As a followup to the modified question: you can't turn off mixed content blocking. Allowing insecure CSS or JS reduces the security of the entire page to that of the least secure resource. The solution if you must load css/js over http is to load the entire page over http. That way the UI seen by the user correctly reflects the security of the content.
  • As the answer does not allow me to solve the issue of loading insecure content from an insecure page, this does explain that it is impossible. Marked as a correct answer.
  • So how it should work if inside of my page several links refer to and load some data from outside source that doesn't relate to added domain ?!
  • If you don't want to use NTS, you can simply set NSAllowsArbitraryLoads to true in your Info.plist. Otherwise you will have to add all the domains you are linking to. Here's a good link which explains it in detail: neglectedpotential.com/2015/06/…
  • Adding the domain to the exclusion list (NSIncludesSubdomains) did not help. The view still does not load insecure resources for a secure page.
  • Bro, this is amazing, been looking for this for SO long, thank you. You Saved my day