Sandboxed connections can't connect to localhost port even with full network entitlements

Originator: seandreilly
Number: rdar://32015376    Date Originated: 05-May-2017 03:33 PM
Status: Open    Resolved:
Product: macOS    Product Version: 10.12.4
Classification: Serious Bug    Reproducible: Always
 
Summary:
A sandboxed macOS app cannot seem to connect to localhost port 631, even with all required network entitlements. I use the interface defined in cups/cups.h, which is also used by the Java printing system. My Java app, Moneydance, on the Mac App Store is seriously affected by this because the accumulated connection time-outs add up to nearly five minutes of delay before the print dialog appears.

Steps to Reproduce:
1. Create a sandboxed macOS app (see attachment) with ATS and all entitlements enabled to allow network connections, including client+server, and even arbitrary loads.
2. Open a socket to "localhost" port 631 (the CUPS printer server) using the httpConnect2 function from the CUPS printing interface.
3. Wait for whatever your timeout period is.

Expected Results:
Expected to get an HTTP response from the CUPS server listening on that port. Ideally we could then go on to print via the advertised CUPS print system.

Using "curl" from a shell to retrieve the same URL (http://localhost:631/) works fine.

Actual Results:
The connection times out or outright fails (if using NSURL) and an error is printed to the console:
  nw_socket_connect connectx failed: [1] Operation not permitted
In the case of using NSURL the connection fails, but does so immediately.

Regression:
This worked in 10.12.3 and earlier. 10.12.4 and beta5 of 10.12.5 fail.

Notes:
I haven't found any workaround, although it does seem that the CUPS connection will occasionally go through. Perhaps it's just a firewall rule or reverse DNS configuration causing the delay?

See the attached Xcode project, which *must* be run in sandboxed mode. httpConnect2 from libcups times out reliably and NSURL to the same URL fails immediately. I haven't found any variations on the httpConnect2 parameters that change the time-out behaviour. HTTP_ENCRYPTION_NONE, etc. don't seem to make a difference.
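The connect attempt from steps 2 and 3, as an added diagnostic that is not part of this report or of libcups: it replaces httpConnect2 with a plain POSIX non-blocking connect so the wait is bounded by a caller-chosen deadline rather than the OS default, and it maps the resulting errno onto the two outcomes the report describes (the immediate "Operation not permitted", EPERM, versus the long timeout). Port 631 and the 2-second deadline are constructed inputs; the function and enum names are this example's own.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/select.h>
#include <sys/socket.h>
/* Outcome of one bounded connect attempt to the local CUPS port. */
typedef enum { PROBE_OK, PROBE_DENIED, PROBE_TIMEOUT, PROBE_REFUSED, PROBE_ERROR } probe_result;
/* Map the errno from connect()/SO_ERROR onto the outcomes the report describes:
 * EPERM is the sandbox's "Operation not permitted"; ETIMEDOUT matches the httpConnect2 hang. */
probe_result classify_connect_errno(int err) {
    switch (err) {
    case 0:                   return PROBE_OK;
    case EPERM: case EACCES:  return PROBE_DENIED;
    case ETIMEDOUT:           return PROBE_TIMEOUT;
    case ECONNREFUSED:        return PROBE_REFUSED;
    default:                  return PROBE_ERROR;
    }
}
/* Non-blocking TCP connect to 127.0.0.1:port with an explicit deadline, so the caller
 * waits at most timeout_ms instead of the OS default connect timeout. */
probe_result probe_localhost(unsigned short port, int timeout_ms) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return classify_connect_errno(errno);       /* socket() itself may be denied */
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int err = 0;
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        if (errno != EINPROGRESS) {                         /* immediate failure, e.g. EPERM */
            err = errno; close(fd); return classify_connect_errno(err);
        }
        fd_set wfds; FD_ZERO(&wfds); FD_SET(fd, &wfds);
        struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
        int n = select(fd + 1, NULL, &wfds, NULL, &tv);
        if (n == 0) { close(fd); return PROBE_TIMEOUT; }    /* our deadline, not the OS's */
        socklen_t len = sizeof err;
        if (n < 0 || getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len) < 0) err = errno;
    }
    close(fd);
    return classify_connect_errno(err);
}

int main(void) {
    static const char *names[] = { "ok", "denied (sandbox)", "timeout", "refused", "error" };
    printf("localhost:631 -> %s\n", names[probe_localhost(631, 2000)]);
}
```

Run it inside the sandboxed app and again from a plain shell build: "denied (sandbox)" in the first case and "ok" in the second is the signature this report describes, while "timeout" from the app points at the hang rather than an outright denial.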
