cordova-issues mailing list archives

From "Ho-Kuo Chan (HPE) (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CB-13469) allow-navigation using * to include sub-domains translates to invalid ATS NSExceptionDomains XCode9 (9A235) and iOS11
Date Thu, 19 Oct 2017 18:40:04 GMT
Ho-Kuo Chan (HPE) created CB-13469:
--------------------------------------

             Summary: allow-navigation using * to include sub-domains translates to invalid
ATS NSExceptionDomains XCode9 (9A235) and iOS11
                 Key: CB-13469
                 URL: https://issues.apache.org/jira/browse/CB-13469
             Project: Apache Cordova
          Issue Type: Bug
          Components: cordova-ios
    Affects Versions: cordova-ios 4.5.0, cordova-ios@4.4.0
         Environment: XCode 9 (9A235)
iOS11
AFNetworking 3.1.0
cordova-advanced-http 1.5.10
            Reporter: Ho-Kuo Chan (HPE)
            Assignee: Suraj Pindoria


Previously in XCode 8 and iOS <= 10, SSL Pinning was functioning correctly using the <allow-navigation>
key in config.xml and cordova-advanced-http. Upon upgrading to XCode 9 and testing on iOS11,
it was discovered that our app could no longer connect to the web server presenting a signed
certificate even though the signing certificate was bundled in the app. Disabling ATS allowed
the connection to proceed.

Through communication with Apple Technical Support, it was determined that when the <allow-navigation>
key contains a trailing "/*" (meaning any path in Android), the corresponding NSExceptionDomain
becomes invalid in iOS11 and XCode 9. For example, if config.xml contains:
<allow-navigation href="https://*.mydomain.com/*" />

this gets translated into a Info.plist with:
    <key>NSAppTransportSecurity</key>
    <dict>
      <key>NSExceptionDomains</key>
      <dict>
        <key>mydomain.com/*</key>

but should be:
        <key>mydomain.com</key>

From Apple Tech Support:
The `mydomain.com/*` string is wrong.  It should be `mydomain.com`.  Keys for the `NSExceptionDomains`
dictionary are DNS names, and only DNS names.  You can’t include URL path fragments.  Even
literal IP addresses are unsupported in this context.





--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org
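
Added example, not part of the original message and not cordova-ios code: one way to derive an NSExceptionDomains key from an allow-navigation href and to audit existing keys against the rule quoted from Apple (DNS names only, no path fragments, no literal IPs). The function names are hypothetical, and using NSIncludesSubdomains to carry the "*." wildcard is an assumption about the intended translation.

```javascript
// Added example; function names are hypothetical, not cordova-ios internals.

// A DNS name: dot-separated labels of letters, digits and hyphens.
// No scheme, port, path or wildcard is allowed in the key.
const DNS_LABEL = '[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?';
const DNS_NAME = new RegExp('^(?=.{1,253}$)' + DNS_LABEL + '(\\.' + DNS_LABEL + ')*$', 'i');

// True only for keys that ATS accepts per the quoted guidance.
function isValidExceptionDomainKey(key) {
  if (/^[\d.]+$/.test(key)) return false; // literal IPv4 address, unsupported
  return DNS_NAME.test(key);              // rejects "/", "*", ":" and "[...]"
}

// Turn an allow-navigation href into { key, NSIncludesSubdomains },
// or null when no valid DNS name can be derived from it.
function hrefToExceptionDomain(href) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(href);
  if (!m) return null;                    // no scheme://host part, e.g. "*"
  let host = m[1].replace(/^.*@/, '').replace(/:\d+$/, ''); // drop userinfo, port
  const includesSubdomains = host.startsWith('*.');
  if (includesSubdomains) host = host.slice(2);
  host = host.toLowerCase();
  if (!isValidExceptionDomainKey(host)) return null;
  return { key: host, NSIncludesSubdomains: includesSubdomains };
}

// Return the NSExceptionDomains keys that ATS would not treat as DNS names.
function auditExceptionDomains(keys) {
  return keys.filter((k) => !isValidExceptionDomainKey(k));
}

// Constructed sample input, based on the values in the report.
const derived = hrefToExceptionDomain('https://*.mydomain.com/*');
const invalid = auditExceptionDomains(['mydomain.com/*', 'mydomain.com', '192.0.2.10']);
console.log(derived, invalid);
```

Running the audit over the generated Info.plist keys in a build step makes a malformed exception fail the build instead of surfacing as a connection failure on the device.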

