Thursday, October 6, 2016

Applets and App Transport Security

Shane Stanley:

The next day things got more complicated when Steve posted some more information: he had just tried the same exercise from Script Editor, and this time the applet worked fine. Was Script Editor really enabling NSAllowsArbitraryLoads in its applets? We repeated Steve’s tests and looked at the Info.plist files. Not only was Script Editor not enabling NSAllowsArbitraryLoads in the saved applet, but neither was Script Editor itself. To make things even more confusing, a working applet created in Script Editor and then edited and saved in Script Debugger still worked.

[…]

And it turns out that having a Bundle ID beginning with com.apple seems to be giving applets a free pass through App Transport Security. Oooh…

The other interesting point to me is that it also works the other way. The apple.com domain is whitelisted, so you should never use it for testing your networking code.

Previously: App Transport Security.
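
To check which case an applet falls into, the two things compared above (the ATS keys in Info.plist and the bundle ID prefix) can be read out of the plist directly. This is an added example, not code from the quoted post; the sample plists and bundle IDs are constructed, and the `com.apple` prefix test follows the post's wording because the exact rule ATS applies is not stated there.

```python
import plistlib

# Prefix as described in the post; the exact matching rule is an assumption.
APPLE_PREFIX = "com.apple"


def audit_ats(info_plist: bytes) -> dict:
    """Report ATS-relevant settings from one Info.plist (XML or binary bytes)."""
    info = plistlib.loads(info_plist)
    bundle_id = info.get("CFBundleIdentifier", "")
    ats = info.get("NSAppTransportSecurity") or {}
    findings = []
    # Explicit opt-out: ATS is disabled for every domain.
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append("arbitrary-loads")
    # Per-domain exceptions that permit plain HTTP.
    for domain, cfg in sorted((ats.get("NSExceptionDomains") or {}).items()):
        if isinstance(cfg, dict) and cfg.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"insecure-http:{domain}")
    # No ATS keys needed: the bundle ID alone may explain working HTTP loads.
    if bundle_id.lower().startswith(APPLE_PREFIX):
        findings.append("apple-bundle-id")
    return {"bundle_id": bundle_id, "findings": findings}


# Constructed sample plists (not taken from real applets).
SAMPLES = {
    "script_editor_applet": plistlib.dumps(
        {"CFBundleIdentifier": "com.apple.ScriptEditor.id.Demo"}
    ),
    "third_party_applet": plistlib.dumps(
        {"CFBundleIdentifier": "com.example.applet.Demo"}
    ),
    "ats_disabled": plistlib.dumps(
        {
            "CFBundleIdentifier": "com.example.applet.Legacy",
            "NSAppTransportSecurity": {
                "NSAllowsArbitraryLoads": True,
                "NSExceptionDomains": {
                    "example.org": {"NSExceptionAllowsInsecureHTTPLoads": True}
                },
            },
        }
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, audit_ats(raw))
```

For a real applet, pass the bytes of its `Contents/Info.plist` to `audit_ats`.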
