Login/Register
How can I figure out which URL is being blocked by App Transport Security?
Asked Answered
Solved iosios9cfnetworkapp-transport-security
C

2

39

I'm upgrading an iOS app to iOS 9, and I have some URLs that are not secure, and I need a few exceptions to App Transport Security. I've added the two that I know about, but there are some warnings happening now stating:

App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.

I need to know what URLs are being blocked so I can add them to the Info.plist, they're probably images or media files. How can I make the system log the URLs it decided not to load?

Cass answered 2/7, 2015 at 19:57 Comment(0)
C
68

Editor Note: @jessedc points out in the comments below the link to the official Apple documentation on how to do this: https://developer.apple.com/library/content/qa/qa1887/_index.html

Okay, I have an answer I don't like! I still very much want a better one.

In my application:didFinishLaunchingWithOptions: method I added the line

setenv("CFNETWORK_DIAGNOSTICS", "3", 1);

When I ran the app then, in the log I can find an entry that looks like this:

2015-07-02 15:27:56.152 MyApp[45041:9125662] CFNetwork diagnostics log file
created at: /Users/micah.hainline/Library/Developer/CoreSimulator/Devices/
11BCA581-5F5F-494D-932A-2ECFCA33EA93/data/Containers/Data/Application/
9ACC6941-8039-4B86-B5E8-A6C66E2AD520/Library/Logs/CrashReporter/CFNetwork_com
.myapp.MyApp_45041.nwlrb.log

When I open that file I have a huge number of log entries about everything that's happened on the network. I search for kCFErrorDomainCFNetwork in that file and get logs for failed network requests. I can use that to see what URLs the system was trying to hit, and then can add that URL to the exceptions for App Transport Security.

Cass answered 2/7, 2015 at 20:36 Comment(8)
Don't you get error callbacks when your URL connection or data task finishes with an error? If so, IIRC, there's info in the NSError object that tells you why it was rejected, including whether it failed because of HSTS.Knickknack
This answer is actually the documented way to do this: developer.apple.com/library/mac/qa/qa1887/_index.html I suggest adding the source to the answerArlenaarlene
It's generally preferred to set environment variables through the Scheme. developer.apple.com/library/mac/recipes/…Hiragana
when I tried this, the filepath it spit out at me didn't exist. It says it output to /private/var/mobile/...long path name... but the mobile directory didn't actually existApprobate
@Approbate it's because you're debugging on your mobile device. In this case logs are also located on your device. Just extract your app container via Xcode and get your logs from /AppData/Library/Logs/CrashReporter folder. It's described in detail at the end of "CFNetwork Diagnostic Logging Q&A".Gurevich
You don't even need to extract it from your device. If you open Xcode->Devices and select your device, the rolling console output will contain the CFNetwork messages that it writes to the file.Planimetry
Can I only use this on simulator?Baggywrinkle
Currently you can Edit Scheme and under Arguments you can add CFNETWORK_DIAGNOSTICS and 3 to environment variables. Doing that dumps out the extended logs into the main Xcode console which is pretty convenient.Vallonia
S
3

Accepted answer is correct but If you're doing this on Xamarin iOS, you will need to use;

Environment.SetEnvironmentVariable("CFNETWORK_DIAGNOSTICS", "3", EnvironmentVariableTarget.Process);

Also, if you're looking for the log file use something like Simulator manager to find the correct location easier (https://github.com/tue-savvy/SimulatorManager).

Son answered 1/3, 2017 at 12:43 Comment(1)
PaulB is it for simulator only?Pitching

© 2022 - 2024 — McMap. All rights reserved.