iOS 9 ... Are WebView(s) exempt from the App Transport Security Exceptions (ATS) rules that block insecure HTTP hosts?
I have inserted the following in my apps .plist per the Apple Guidance:
<key>NSAppTransportSecurity</key><dict> <!--Include to allow all connections - with and without SSL (DANGEROUS)--> <key>NSAllowsArbitraryLoads</key> <true/></dict>
and when I try to load my webView (from an HTTPS server no less), I get the following error and it doesn't load.
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9813)
So I it looks like not only are they not exempt, they don't work even if you make the correct addition to the .plist.
This question was originally about iOS 9; however, according to Apple's documentation:
Starting in iOS 10.0 and later, the following subkeys are supported:
Use NSAllowsArbitraryLoadsInWebContent so that you do not need to white list each page a WebView may load.