App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure #1022

Closed
plaudev opened this issue Sep 4, 2016 · 6 comments

plaudev commented Sep 4, 2016

I'm writing a Swift iOS app that uses Parse hosted on Heroku. As far as I know according to Parse docs, all data transport is over HTTPS and I do not have the App Transport Security workaround done to Info.plist (and intend to keep it that way). Up until now all Parse queries have executed without errors both on the simulator and on an actual iPhone running 9.3.5.

That is until I added this code, which crashes both on the simulator and on the iPhone due to a cleartext request made over HTTP. But why would a request be made over HTTP?

override func tableView(tableView: UITableView, cellForRowAtIndexPath indexPath: NSIndexPath) -> UITableViewCell {

        let cell = tableView.dequeueReusableCellWithIdentifier(idInstagramFeedCell, forIndexPath: indexPath) as! InstagramFeedCell

        let imageFile = feed[indexPath.row].imageFile as PFFile
        imageFile.getDataInBackgroundWithBlock({ (data, error) in
            if let image = UIImage(data: data!) {
                cell.postImage.image = image
            } else {
                cell.postImage.image = UIImage(named: defaultImageFile)
            }
        })

        cell.postUsername.text = feed[indexPath.row].username
        cell.postCaption.text = feed[indexPath.row].caption
        return cell
    }

The offending line is isolated to imageFile.getDataInBackgroundWithBlock({ ... }) since if that is commented out, the app does not crash on the iPhone.

The errors in console are:

2016-09-04 17:44:09.491 Instagram[1746:713422] App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.
<PFFile: 0x15efc2910>
2016-09-04 17:44:09.497 Instagram[1746:713612] [Error]: The resource could not be loaded because the App Transport Security policy requires the use of a secure connection. (Code: 100, Version: 1.14.2)
2016-09-04 17:44:09.501 Instagram[1746:713612] [Error]: Network connection failed. Making attempt 1 after sleeping for 1.786664 seconds.
gVm5o09Fcx 2016-08-18 16:17:19 +0000 bunnie something green <PFFile: 0x16009d830>
Cr6ybvKF2016-09-04 17:44:09.502 Instagram[1746:713612] [Error]: The resource could not be loaded because the App Transport Security policy requires the use of a secure connection. (Code: 100, Version: 1.14.2)

To avoid the iOS app crashing, I have since amended the code above to the following but the same ATS errors appear in the console. Any assistance in the matter would be appreciated. Thank you.

override func tableView(tableView: UITableView, cellForRowAtIndexPath indexPath: NSIndexPath) -> UITableViewCell {

        let cell = tableView.dequeueReusableCellWithIdentifier(idInstagramFeedCell, forIndexPath: indexPath) as! InstagramFeedCell

        let imageFile = feed[indexPath.row].imageFile as PFFile
        print(imageFile)
        imageFile.getDataInBackgroundWithBlock({ (data, error) in
            if let data = data {
                if let image = UIImage(data: data) {
                    cell.postImage.image = image
                } else {
                    self.alertStatus("Instagram Feed", message: "Unable to display image!")
                }
            } else {
                self.alertStatus("Instagram Feed", message: "Unable to download image data!")
            }
        })

        cell.postUsername.text = feed[indexPath.row].username
        cell.postCaption.text = feed[indexPath.row].caption
        return cell
    }

(Cross-posted from http://stackoverflow.com/q/39029619/1827488)

luizmb commented Nov 1, 2016

I had the same problem, but thanks to this ticket [1] it's solved.

Just had to add publicServerURL to my parse-server settings:

var api = new ParseServer({
  databaseURI: databaseUri,
  cloud: cloudFolder,
  appId: appId,
  masterKey: masterKey,
  serverURL: serverUrl,
  publicServerURL: serverUrl,
  ...
});

[1] parse-community/parse-server#2743

Author

plaudev commented Dec 10, 2016

@luizmb, sorry for the late reply. I tried your solution on the day you posted but I could not get it to work. I will continue to try, but in case you find anything else, I would appreciate you letting me know. Thanks.

Author

plaudev commented Dec 12, 2016

Just an update as I continue to try figuring this out... seeing very odd results...

For the Parse instance on which I previously said the publicServerURL solution did not work, I cleaned all the data out and restarted from scratch to post several different images to the database under different usernames... using an actual device (iOS 9.3.5). Surprisingly, all that worked with ATS kept on.

However, when I run exactly the same app on the simulator (iOS 9.3), signing in as exactly the same users with ATS kept on, I could not load a single image and got these same error messages again for every image I try to download:

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
[Error]: An SSL error has occurred and a secure connection to the server cannot be made. (Code: 100, Version: 1.14.2)
[Error]: Network connection failed. Making attempt 4 after sleeping for 15.848020 seconds.

How could that be? Why would the same code in simulator try to load via http instead of https?

luizmb commented Dec 13, 2016

Hi,

Please try to run 'curl' against the class that holds your file:

curl -X GET \
     -H "X-Parse-Application-Id: myAppName" \
     -H "X-Parse-Master-Key: myMasterKey" \
     -H "Content-Type: application/json" \
     https://mydomain.com/parse/classes/MyClassThatHoldsTheImage

The result must have "https" in the field:

{
    "...": "...",
    "url":"https://mydomain.com/parse/files/myAppName/b8c23d261blablabla.txt"
}

If you don't set "publicServerURL", the URL generated won't follow the "https" pattern and the iOS SDK will try to download it using plain "http", which is now forbidden by Apple with few exceptions.

Another suggestion: you can try to capture the communications of your device using Charles Proxy or tcpdump and check the URL used for fetching the image. But I would try the "curl" approach first, as it is most likely to be a server-side configuration problem.
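
The curl check described in the comment above, automated as an added example (not part of the original comment or of the Parse project's code): it walks a Parse REST class-query response and reports every File field whose URL is not HTTPS, which is what ATS would block. The sample response, host name, and function names are constructed for illustration.

```javascript
// Constructed sample of a response from GET /parse/classes/<ClassName>.
// File fields are objects of the form {"__type": "File", "name": ..., "url": ...}.
const SAMPLE_RESPONSE = JSON.stringify({
  results: [
    { objectId: "obj0000001", username: "alice",
      imageFile: { __type: "File", name: "a.jpg",
                   url: "https://parse.example.com/parse/files/myAppName/a.jpg" } },
    { objectId: "obj0000002", username: "bob",
      imageFile: { __type: "File", name: "b.jpg",
                   url: "http://parse.example.com/parse/files/myAppName/b.jpg" } },
    { objectId: "obj0000003", username: "carol",
      meta: { thumb: { __type: "File", name: "c.jpg", url: "not a url" } } },
  ],
});

// Recursively collect every File field in one result row, with its field path.
function collectFileUrls(value, path, out) {
  if (Array.isArray(value)) {
    value.forEach((v, i) => collectFileUrls(v, `${path}[${i}]`, out));
  } else if (value !== null && typeof value === "object") {
    if (value.__type === "File") {
      out.push({ path, url: value.url });
      return out;
    }
    for (const [key, v] of Object.entries(value)) {
      collectFileUrls(v, path ? `${path}.${key}` : key, out);
    }
  }
  return out;
}

// Return one finding per File URL that is missing, unparsable, or not https.
function findInsecureFileUrls(responseBody) {
  const parsed = JSON.parse(responseBody);
  const findings = [];
  for (const row of parsed.results || []) {
    for (const { path, url } of collectFileUrls(row, "", [])) {
      let scheme;
      try { scheme = new URL(url).protocol; } catch (e) { scheme = "invalid"; }
      if (scheme !== "https:") {
        findings.push({ objectId: row.objectId, field: path, scheme, url });
      }
    }
  }
  return findings;
}

console.log(findInsecureFileUrls(SAMPLE_RESPONSE));
```

An empty result means every file URL the server hands out is HTTPS; any finding points back at the server-side URL configuration rather than at the iOS client.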

Author

plaudev commented Dec 14, 2016

@luizmb Thanks, Luiz. The curl did return URLs with https in them. I have managed to get it to work on an actual device with publicServerURL set per your suggestion. On the simulator, though, I get that very odd error. I may just have to leave it like that for now. Thanks a lot for your Nov post!

NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)

stale bot commented Sep 19, 2018

This issue has been automatically marked as stale because it has not had recent activity. If you believe it should stay open, please let us know! As always, we encourage contributions, check out the Contributing Guide

@stale stale bot added the wontfix label Sep 19, 2018
@stale stale bot closed this as completed Sep 26, 2018