Ajax problem [iOS 9]: App Transport Security policy problem


Zoltan Birner

Sep 30, 2015, 9:47:08 AM
to phonegap
Hi All,

I want to share my problem and solution about an Ajax request.
When I tried to connect to the server I always got the error message "Failed to load resource: The resource could not be loaded because the App Transport Security policy requires the use of a secure connection."

Apple has added the App Transport Security feature, which improves the security of connections between an app and web services. It consists of default connection requirements that conform to best practices for secure connections.

Solution:
Here is my quick workaround. Adding the following to your Info.plist (YOUR_PROJECT/Resources/YOUR_PROJECT-Info.plist) will disable ATS:

    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
    </dict>



Have fun :) 

Zoltan

Kerri Shotts

Sep 30, 2015, 3:38:15 PM
to phonegap
I don't really like the idea of disabling ATS unless you absolutely have to. If your server isn't already on HTTPS, then that should be the fix rather than disabling ATS. If that is out of your control, then add an explicit exception for the resource. http://ste.vn/2015/06/10/configuring-app-transport-security-ios-9-osx-10-11/ is a good article on all this.
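An explicit per-host exception of the kind Kerri recommends, written out as an added Info.plist fragment that is not from any post in this thread (the host api.example.com stands in for whichever legacy HTTP server the app has to reach):

```xml
<!-- Added example: keep ATS enforced for every host except one.
     api.example.com is a placeholder for the single cleartext-HTTP server. -->
<key>NSAppTransportSecurity</key>
<dict>
    <!-- NSAllowsArbitraryLoads is deliberately absent (defaults to false),
         so every host not listed below still gets the full ATS checks. -->
    <key>NSExceptionDomains</key>
    <dict>
        <key>api.example.com</key>
        <dict>
            <!-- false: only this exact host is excepted, not its subdomains -->
            <key>NSIncludesSubdomains</key>
            <false/>
            <!-- permit plain http:// to this host only; every other
                 ATS requirement (TLS version, forward secrecy) is untouched -->
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>
```

The key name NSExceptionAllowsInsecureHTTPLoads is the release spelling; the NSTemporary-prefixed variant that appears later in this thread is the earlier name that Apple's documentation listed as still accepted for compatibility. After a Cordova build, confirm the keys actually landed with `plutil -p platforms/ios/YourApp/YourApp-Info.plist` (YourApp is a placeholder for the project name). ATS evaluates the host of every connection it makes, so if api.example.com answers with an HTTP redirect to some other cleartext host, that second request is still blocked.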

jcesarmobile

Sep 30, 2015, 5:18:44 PM
to phonegap
Kerri, the bad news is you have to disable it if you want to use InAppBrowser to load third-party websites, and if you only have a server for GET requests, why should it be HTTPS?

Zoltan Birner

Oct 1, 2015, 3:28:01 AM
to phonegap
Hi Kerri,

I totally agree with you, but we are developing a simple server/client solution, and we don't know whether our customers will use HTTPS on their servers.

Steve Sobol - Lobos Studios

Oct 1, 2015, 10:02:00 AM
to phon...@googlegroups.com
I'd argue that it is ridiculously inexpensive and easy these days... you can get real certificates with 98-99% browser acceptance for literally almost nothing... so they SHOULD use HTTPS. I get my domain-validation-only certs for such a low price that I don't even charge my clients for them :)

Zoltan Birner wrote:
--
-- You received this message because you are subscribed to the Google
Groups "phonegap" group.
To post to this group, send email to phon...@googlegroups.com
To unsubscribe from this group, send email to
phonegap+u...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/phonegap?hl=en?hl=en
 
For more info on PhoneGap or to download the code go to www.phonegap.com
---
You received this message because you are subscribed to the Google Groups "phonegap" group.
To unsubscribe from this group and stop receiving emails from it, send an email to phonegap+u...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
Lobos Studios - Website and Mobile App Design & Development; IT Support; Computer Maintenance
Toll Free  877.919.4WEB - Apple Valley 760.684.8859 - Los Angeles 310.945.2410 - Cleveland 216.242.4010
www.LobosStudios.com * www.facebook.com/LobosStudios * @LobosStudios

Michael Jones

Oct 2, 2015, 9:20:03 PM
to phonegap
Not the cheapest one, but not really expensive either ($15). I just tried out SSLmate and have to tell you I am really impressed. You can purchase and set it all up easily from your server, and you can set up auto-renewal on your server so that you do not have to worry about updating your SSL certificate down the road when it needs to be renewed; it will auto-download to your server!

Also, I ran into some bumps along the way and their customer service was extremely responsive and really helpful. Totally worth the $15 price tag, and I recommend them to anyone, especially if you're new to this stuff.

-Mike

Sarah

Oct 21, 2015, 1:29:30 PM
to phonegap
Hi Zoltan,

I've tried adding that manually to my Info.plist file and also by creating a Cordova plugin, but it still doesn't work. When I make my Ajax call, I get an error.

Any advice on how I can get this to work?

The plugin.xml file I created contains this:

<?xml version="1.0" encoding="UTF-8"?>
<plugin xmlns="http://www.phonegap.com/ns/plugins/1.0"
        id="com.sample.iosconfig"
        version="1.0">
    <name>sample</name>
    <description>sample</description>
    <license>Sample</license>
    <keywords>phonegap</keywords>

    <platform name="ios">
        <!-- Merges the <dict> below into *-Info.plist under NSAppTransportSecurity -->
        <config-file target="*-Info.plist" parent="NSAppTransportSecurity">
            <dict>
                <key>NSExceptionDomains</key>
                <dict>
                    <key>sample.com</key>
                    <dict>
                        <key>NSIncludesSubdomains</key>
                        <true/>
                        <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
                        <true/>
                    </dict>
                </dict>
            </dict>
        </config-file>
    </platform>
</plugin>




Thanks!

Steve Sobol - Lobos Studios

Oct 21, 2015, 1:36:42 PM
to phon...@googlegroups.com
This is the third copy I've received of this exact email, Sarah. I'm not sure whether the problem is on your end or with Google, but I'm not receiving dupes of any other messages... FYI


Sarah

Oct 21, 2015, 1:45:12 PM
to phonegap
I'm so sorry Steve! I had made mistakes with the previous posts and finally got it right on the last try. I had no idea it would send duplicate emails but rest assured, I won't make this mistake again.

Again, I apologize!

Please, can you help me out with this issue? I am really stuck and have no idea why it is not working. I've been on this for days. This is an example of the Ajax command I am trying to run:

    $.ajax({
        url: "http://sample.com/file.php",   // plain http:// -> subject to ATS on iOS 9
        type: 'POST',
        data: {},
        beforeSend: function () {},
        success: function (data) {
            console.log('== SUCCESS ==');
        },
        error: function () {
            console.log('== ERROR ==');
        }
    });



... but the error message keeps printing out. Please, any idea why this is happening?

Steve Sobol - Lobos Studios

Oct 21, 2015, 1:51:39 PM
to phon...@googlegroups.com
The first thing I'd recommend is checking your browser's debugging tools and, if you're on Windows, installing and using Fiddler (which is an AWESOME tool).

The second thing I'd recommend is making sure you have the whitelist plugin installed and properly configured, making sure the server at Sample.com has CORS set up properly and making sure your app is using CORS.

Steve Sobol - Lobos Studios

Oct 21, 2015, 1:53:03 PM
to phon...@googlegroups.com
And note Zoltan's comments about ATS because they are relevant. The best thing to do is to use HTTPS if at all possible, but if it's not possible to use HTTPS, he provided a workaround.

Sarah

Oct 21, 2015, 2:06:39 PM
to phonegap
Thanks for the suggestions Steve.

I am doing this on a Mac. I also have the cordova-plugin-whitelist plugin installed and configured in my config.xml file as follows:

    <plugin name="cordova-plugin-whitelist" version="1" />
    <access origin="*" />
    <allow-intent href="http://*/*" />
    <allow-intent href="https://*/*" />
    <allow-intent href="tel:*" />
    <allow-intent href="sms:*" />
    <allow-intent href="mailto:*" />
    <allow-intent href="geo:*" />
    <platform name="android">
        <allow-intent href="market:*" />
    </platform>
    <platform name="ios">
        <allow-intent href="itms:*" />
        <allow-intent href="itms-apps:*" />
    </platform>


This came default in the project when I created it using the cordova command. Is there something else I should have included?

I am not sure if my server has CORS set up, but I'll definitely find out.

The app I'm creating pulls in posts from our site and our editors usually link to other sites on these posts - some of which are secured and some of which aren't. So, I can't specify just one URL as an exception, hence I am trying to disable it completely.

I just tried this and it didn't work either:

<?xml version="1.0" encoding="UTF-8"?>
<plugin xmlns="http://www.phonegap.com/ns/plugins/1.0"
        id="com.sample.iosconfig"
        version="1.0">
    <name>sample</name>
    <description>sample</description>
    <license>Sample</license>
    <keywords>phonegap</keywords>

    <platform name="ios">
        <!-- Disables ATS entirely by merging NSAllowsArbitraryLoads into *-Info.plist -->
        <config-file target="*-Info.plist" parent="NSAppTransportSecurity">
            <dict>
                <key>NSAllowsArbitraryLoads</key>
                <true/>
            </dict>
        </config-file>
    </platform>
</plugin>

Please, any other idea why this may not be working for me?

Thanks,

Steve Sobol - Lobos Studios

Oct 21, 2015, 5:17:40 PM
to phon...@googlegroups.com
The web server must send the proper header to allow cross-domain requests and there are a couple things you need to put into your markup in the app, too. Google "phonegap CORS" or "cordova CORS"


jcesarmobile

Oct 22, 2015, 2:05:44 AM
to phonegap
I've always read that you don't have to set CORS on the server for cordova apps, it should work without it

Kerri Shotts

Oct 22, 2015, 3:31:55 PM
to phonegap
Sarah,

I may have missed it in the thread, but have you tried putting those values DIRECTLY in the plist file (not indirectly via config.xml or the like)? I don't know that it will make any difference, but it is worth a try.


Sarah

Oct 22, 2015, 3:53:04 PM
to phonegap
@Steve and @jcesarmobile, thank you both for your input. Prior to the iOS 9.0 update, I had been connecting to my server fine and successfully tested the app on my iPhone. So my first guess is that Cordova should be working fine with my server, since it worked before. What do you think?

@Kerri thanks a lot for the suggestion! I actually tried that as well. I opened up the plist file in Xcode and manually added it in. But it didn't work either, which is the reason why I am completely stuck. I figured if it worked for someone else, then it should work for me as well. This makes me think that maybe I am doing something else wrong?

Any other suggestions please?

Thank you all,
Sarah

Kerri Shotts

Oct 22, 2015, 4:04:27 PM
to phonegap
Well, the only other thing I know to try is to start printing more information about the error in your error handler. The handler should receive several parameters, all of which should contain useful information as to what error is actually occurring. Check the jQuery docs for more specifics (http://api.jquery.com/jquery.ajax/)

Also, are you able to debug the app remotely using Safari? If so, watch the console for any errors that Safari might be throwing. These can also be very useful in determining what the issue is.

jcesarmobile

Oct 23, 2015, 3:46:05 AM
to phonegap
If it works on iOS 8 and not on iOS 9, then it's ATS. Are you sure it's added correctly?

Unless... are you using WKWebView? WKWebView on iOS 9 is affected by CORS.

Sarah

Oct 23, 2015, 9:57:13 AM
to phonegap
Thanks for your suggestions @jcesarmobile. I'm not familiar with WKWebView so I googled. Are you referring to the WKWebView Cordova Plugin?

If so, then no - I am not using the WKWebView. In that case, you are probably right. Maybe I am not disabling it correctly. Could you please walk me through how to disable it properly?


Thank you,
Sarah

Sarah

Oct 28, 2015, 2:41:40 PM
to phonegap
Hi all,

Thanks so much for your help. After several days of digging around, I finally figured out my problem. I found my solution from this post:

http://stackoverflow.com/a/31714491

... it was as simple as switching out the line of code mentioned in the post above.

Again thanks all!! Figured I should share my solution in case anyone ever comes across this issue.

Rob Willett

Oct 28, 2015, 3:13:14 PM
to phonegap
Doesn't that CSP tag let anything in whatsoever and provide virtually no security, or have I read that wrong?

Rob
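To make Rob's question concrete, here is a wide-open Content-Security-Policy next to a narrow one, written as an added example and not as the contents of the linked Stack Overflow answer. The Cordova project template of that period put a CSP meta tag in www/index.html whose baseline was default-src 'self' (the exact directive list below is reproduced from memory and should be treated as an assumption). Under that baseline the WebView refuses an XMLHttpRequest to http://sample.com before any packet leaves the device, which is a failure no ATS setting can fix; sample.com is the host from Sarah's Ajax call:

```html
<!-- Added example, not from the thread or the linked answer. -->

<!-- Wide open: every fetch directive falls back to *, so connect-src allows
     any host over any scheme, and inline/eval script is allowed everywhere.
     This silences the error, but the page can now talk to anything and any
     injected content runs with full privileges. -->
<meta http-equiv="Content-Security-Policy"
      content="default-src * 'unsafe-inline' 'unsafe-eval' data: gap:; media-src *">

<!-- Narrow: keep 'self' as the baseline and open connect-src only for the
     one API host the app actually calls. gap: is the scheme the Cordova iOS
     bridge uses; https://ssl.gstatic.com is kept because the template listed
     it (both carried over from the template as I recall it). -->
<meta http-equiv="Content-Security-Policy"
      content="default-src 'self' data: gap: https://ssl.gstatic.com 'unsafe-eval';
               connect-src 'self' http://sample.com;
               style-src 'self' 'unsafe-inline';
               media-src *">
```

connect-src is the directive that governs XMLHttpRequest, so it is the only one the Ajax call needs opened. A CSP source matches scheme and host exactly: www.sample.com would need its own entry or http://*.sample.com. The CSP check and the ATS check are independent, and a request has to pass both, which is why editing Info.plist alone could not make Sarah's call succeed.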