lionheart / openradar-mirror

A mirror of radars pulled from http://openradar.me/.

30299463: App Transport Security blocks requests to http hosted PAC file with NSURLConnection #16824

Open openradar-mirror opened 7 years ago

openradar-mirror commented 7 years ago

Description

Summary: We utilise a proxy PAC file that is distributed to clients via DHCP option 252. Clients are configured for Auto Proxy Discovery.

When using NSURLConnection to retrieve a resource on an HTTPS site, NSURLConnection first must retrieve the proxy PAC file. Presumably because this proxy PAC file is an HTTP resource, App Transport Security jumps in and blocks the request with the following error:

"App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file."

Steps to Reproduce:

  1. Install macOS 10.12.x
  2. Configure Auto Proxy Discovery.
  3. Confirm that the Mac is receiving a PAC file URL and that the URL is http with:

    ipconfig getpacket en0

Example output would look like:

    proxy_auto_discovery_url (string): http://pac.det.nsw.edu.au/det/itbproxy.pac

  4. Run the attached Python script calling NSURLConnection from Foundation to load a particular text file on an HTTPS server.
  5. Note the error output from the script.

Expected Results: The script should execute and the https resource requested by NSURLConnection should load and be output to stdout.

Actual Results: The script fails with the error message from App Transport Security: "App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file."

Regression: This issue does not occur under 10.11.

Notes: As mentioned by the error message from ATS, adding the following to the info plist in the Python script does allow the script to execute correctly:

    info = bundle.localizedInfoDictionary() or bundle.infoDictionary()
    info[u"NSAppTransportSecurity"] = {u"NSAllowsArbitraryLoads": True}

However, this feels like a dirty hack and not something that I want to enable in my Applications.

- Product Version: 10.12.3 16D32
- Created: 2017-02-01T01:12:56.606790
- Originated: 2017-02-01T12:12:00
- Open Radar Link: http://www.openradar.me/30299463
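
An added example, not part of the original radar or its attached script: a small audit that reads `ipconfig getpacket` output to report whether the DHCP-advertised PAC URL is fetched in cleartext, and checks an Info.plist for the blanket `NSAllowsArbitraryLoads` workaround. The function names and both sample inputs are constructed for illustration; only the `proxy_auto_discovery_url` line is taken from the report.

```python
import plistlib
import re
from urllib.parse import urlsplit

# Constructed sample shaped like `ipconfig getpacket en0` output; only the
# proxy_auto_discovery_url line comes from the report.
SAMPLE_PACKET = """\
op = BOOTREPLY
options:
dhcp_message_type (uint8): ACK 0x5
proxy_auto_discovery_url (string): http://pac.det.nsw.edu.au/det/itbproxy.pac
end (none):
"""

# Constructed Info.plist carrying the workaround from the report.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
</dict></plist>"""

PAC_LINE = re.compile(r"^\s*proxy_auto_discovery_url\s*\(string\):\s*(\S+)", re.M)

def pac_url(packet_text):
    """Return the PAC URL advertised via DHCP option 252, or None."""
    match = PAC_LINE.search(packet_text)
    return match.group(1) if match else None

def pac_transport(url):
    """Classify how the PAC file is fetched: tls, cleartext, other, none."""
    if url is None:
        return "none"
    scheme = urlsplit(url).scheme.lower()
    return {"https": "tls", "http": "cleartext"}.get(scheme, "other")

def ats_disabled_globally(plist_bytes):
    """True if the Info.plist turns ATS off for every host."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity") or {}
    return ats.get("NSAllowsArbitraryLoads") is True

def audit(packet_text, plist_bytes):
    """Combine both checks into one report for a host and an app bundle."""
    url = pac_url(packet_text)
    return {"pac_url": url, "pac_transport": pac_transport(url),
            "ats_disabled_globally": ats_disabled_globally(plist_bytes)}

if __name__ == "__main__":
    print(audit(SAMPLE_PACKET, SAMPLE_PLIST))
```

On a Mac, pass the real output of `ipconfig getpacket en0` and the bytes of the application's `Info.plist` in place of the two samples.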

openradar-mirror commented 7 years ago

Modified: 2017-04-19T02:04:07.333480
