Ho-Kuo Chan (HPE) created CB-13469:
--------------------------------------
Summary: allow-navigation using * to include sub-domains translates to invalid
ATS NSExceptionDomains XCode9 (9A235) and iOS11
Key: CB-13469
URL: https://issues.apache.org/jira/browse/CB-13469
Project: Apache Cordova
Issue Type: Bug
Components: cordova-ios
Affects Versions: cordova-ios 4.5.0, cordova-ios@4.4.0
Environment: XCode 9 (9A235)
iOS11
AFNetworking 3.1.0
cordova-advanced-http 1.5.10
Reporter: Ho-Kuo Chan (HPE)
Assignee: Suraj Pindoria
Previously in XCode 8 and iOS <= 10, SSL Pinning was functioning correctly using the <allow-navigation>
key in config.xml and cordova-advanced-http. Upon upgrading to XCode 9 and testing on iOS11,
it was discovered that our app could no longer connect to the web server presenting a signed
certificate even though the signing certificate was bundled in the app. Disabling ATS allowed
the connection to proceed.
Through communication with Apple Technical Support, it was determined that when the <allow-navigation>
key contains a trailing "/*" (meaning any path in Android), the corresponding NSExceptionDomain
becomes invalid in iOS11 and XCode 9. For example, if config.xml contains:
<allow-navigation href="https://*.mydomain.com/*" />
this gets translated into an Info.plist with:
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>mydomain.com/*</key>
but should be:
<key>mydomain.com</key>
From Apple Tech Support:
The `mydomain.com/*` string is wrong. It should be `mydomain.com`. Keys for the `NSExceptionDomains`
dictionary are DNS names, and only DNS names. You can’t include URL path fragments. Even
literal IP addresses are unsupported in this context.
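Added example (not part of the original report, and not cordova-ios code): one way to reduce an allow-navigation href to a key that satisfies the rule quoted from Apple, and to audit existing NSExceptionDomains keys against it. The function names are hypothetical; a leading "*." is assumed to map to ATS's NSIncludesSubdomains flag.

```javascript
// Added illustration; the function names are hypothetical, not cordova-ios APIs.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i; // one DNS label
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;                // literal IPv4 address

// True only for a bare DNS name: no scheme, port, path, wildcard or IP literal.
function isDnsName(key) {
  if (typeof key !== 'string' || key.length === 0 || key.length > 253) return false;
  if (IPV4.test(key)) return false; // IP literals are unsupported as keys
  return key.split('.').every((label) => LABEL.test(label));
}

// Reduce an allow-navigation href to { domain, includesSubdomains }.
// Returns null when the href does not name a single DNS domain.
function atsDomainFromHref(href) {
  // Optional scheme, then the authority up to the first '/', '?' or '#'.
  const m = /^(?:[a-z*][a-z0-9+.*-]*:\/\/)?([^\/?#]*)/i.exec(String(href).trim());
  let host = m[1].replace(/^[^@]*@/, '').replace(/:\d*$/, ''); // drop userinfo, port
  const includesSubdomains = host.startsWith('*.');
  if (includesSubdomains) host = host.slice(2);
  host = host.toLowerCase();
  return isDnsName(host) ? { domain: host, includesSubdomains } : null;
}

// Audit helper: keys of an NSExceptionDomains dict that are not plain DNS names.
function invalidExceptionDomainKeys(keys) {
  return keys.filter((key) => !isDnsName(key));
}

// Constructed sample values based on the report above.
console.log(atsDomainFromHref('https://*.mydomain.com/*'));
console.log(invalidExceptionDomainKeys(['mydomain.com/*', 'mydomain.com']));
console.log(atsDomainFromHref('https://192.168.1.10/*'));
```

An href that yields null (an IP literal, a bare "*") has no valid NSExceptionDomains key and should not be written to Info.plist as one.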