ATS Exceptions Should be Allowed for Rich Media Downloads

Originator: jaredsinclair.rn
Number: rdar://26812639
Date Originated: June 15, 2016
Status: Open
Resolved:
Product: iOS
Product Version: 10
Classification: Feature
Reproducible: Always

Summary:
According to today's WWDC session 705, all apps must use App Transport Security by the end of this year. Included in this announcement is the fact that the `NSAllowsArbitraryLoads` exception will no longer be allowed (except on a rare case-by-case basis by App Store Review).

While this is good news overall for privacy and security, it also means there will be no way for apps to display rich, inline media from sites outside their control. Apps like Twitter clients, podcast players, RSS readers, and many other social media apps present inline images, video, and audio files that are crowd-sourced from around the web. Much (most?) of this media is still hosted without the latest stringent security technologies.

Although there is a new exception for WKWebView, apps like those listed above can't use a web view to display rich media, since users expect it to be presented inline with the other native content. The only recourse for these apps would be to either abandon rich inline content, or else maintain costly proxy servers or redundant caches that serve the media in a way that meets the minimum security requirements.
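For reference, the Info.plist shapes the report is contrasting, as an added example that is not part of the original radar: the blanket `NSAllowsArbitraryLoads` exception beside the narrower, scoped keys ATS already offers (`NSAllowsArbitraryLoadsInWebContent` for WKWebView, `NSAllowsArbitraryLoadsForMedia` for AVFoundation-loaded media, and a per-host entry under `NSExceptionDomains`). The hostname `media-cdn.example.com` is a placeholder.

```xml
<!-- Fragment 1: the blanket exception the WWDC session says will need App Review justification.
     Every NSURLSession request from the app, not just media, is exempted from ATS. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

<!-- Fragment 2: scoped exceptions. Each key relaxes ATS for one surface only. -->
<key>NSAppTransportSecurity</key>
<dict>
    <!-- Relaxes ATS only for content loaded inside WKWebView; NSURLSession is still enforced. -->
    <key>NSAllowsArbitraryLoadsInWebContent</key>
    <true/>

    <!-- Relaxes ATS only for media fetched through AVFoundation (e.g. AVPlayer streaming);
         it does not cover NSURLSession download tasks, which is the gap this report describes. -->
    <key>NSAllowsArbitraryLoadsForMedia</key>
    <true/>

    <!-- Per-host exception for a known media host (placeholder name). Scope is limited to the
         listed domain and, because of NSIncludesSubdomains, its subdomains. -->
    <key>NSExceptionDomains</key>
    <dict>
        <key>media-cdn.example.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>
```

To see which ATS requirement a given host fails before deciding whether an exception is needed at all, run `nscurl --ats-diagnostics --verbose https://host` on macOS; it reports the result of each ATS configuration against that host.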

Steps to Reproduce:
N/A

Expected Results:
There should be a compile-time exception mechanism that would allow media downloads from insecure URLs. Perhaps a plist key with a name like `NSAllowsArbitraryMediaDownloads`, which would allow arbitrary requests, but only for GET requests handled by NSURLSessionDownloadTask.

Actual Results:
By the end of this year, apps that present inline media content from around the web will be forced to either remove existing features, pay for expensive hosting/proxying, or take a gamble on App Store review in order to continue to provide the rich experience that users have come to expect.
