Multiple exceptions for iOS 9 App Transport Security

By | September 13, 2015

As you’ve surely heard by now, Apple is requiring secure network connections (https). This requirement will apply to all newly-submitted apps for iOS 9, as well as updates to existing apps submitted after the release of iOS 9. There are some great articles about why this is good and how you should be using it. What I wasn’t able to find was clear documentation of how to enter multiple exceptions. So, just for the record, this works:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>  
        <key>myinsecuresite.com</key>  
        <dict>  
            <key>NSExceptionAllowsInsecureHTTPLoads</key>  
            <true/>  
            <key>NSIncludesSubdomains</key>
            <true/>
        </dict>  
        <key>myotherinsecuresite.com</key>  
        <dict>  
            <key>NSExceptionAllowsInsecureHTTPLoads</key>  
            <true/>  
            <key>NSIncludesSubdomains</key>
            <true/>
        </dict>  
        <key>localhost</key>  
        <dict>  
            <key>NSExceptionAllowsInsecureHTTPLoads</key>  
            <true/>  
        </dict>  
        <key>127.0.0.1</key>  
        <dict>  
            <key>NSExceptionAllowsInsecureHTTPLoads</key>  
            <true/>  
        </dict>  
    </dict>  
</dict>

In the Apple forums, there was a note that at least in pre-GM versions of iOS 9, IP address exceptions were not working. I have not tested this. But supposedly they’re supported using the format shown above.