iOS 9 App Transport Security 設定
最近因為OS X更新到了10.11,也將Xcode隨著更新到了第7版
剛好要改一個舊的Project,在連線功能卻出現了這個問題:
0 1 2 3 |
The resource could not be loaded because the App Transport Security policy requires the use of a secure connection |
查了一下Document才知道 Apple在 WWDC 2015改變了一些東西:“What’s New in iOS 9”
App Transport Security
App Transport Security (ATS) enforces best practices in the secure connections between an app and its back end. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt; it is also on by default in iOS 9 and OS X v10.11. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one.
If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forward secrecy. If you try to make a connection that doesn’t follow this requirement, an error is thrown. If your app needs to make a request to an insecure domain, you have to specify this domain in your app’s Info.plist
file
簡單來說就是Apple因為安全性建議大家使用Https取代Http,未來版本不確定是否會強制規定使用Https,但目前可以以修改info.plist的方式來恢復舊有的方法。
當然可以使用ATS當然是最好的,也是更安全的方式!
而解決方法則是,在專案的info.plist加入以下的值:
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
<key>NSAppTransportSecurity</key> <dict> <key>NSExceptionDomains</key> <dict> <key>你的域名或主機</key> <dict> <!--Include to allow subdomains--> <key>NSIncludesSubdomains</key> <true/> <!--Include to allow HTTP requests--> <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key> <true/> <!--Include to specify minimum TLS version--> <key>NSTemporaryExceptionMinimumTLSVersion</key> <string>TLSv1.1</string> </dict> </dict> </dict> |
當然也會出現你沒辦法決定對哪些網址你要開放的狀況..
那就如下面這樣全部開放:
0 1 2 3 4 5 6 7 |
<key>NSAppTransportSecurity</key> <dict> <!--Include to allow all connections (DANGER)--> <key>NSAllowsArbitraryLoads</key> <true/> </dict> |
大致上這樣就可以正常使用了~
當然比較安全也根本的方法是改變成 Https…