Question: Are the instructions for production AppTransportSecurity complete? #1058

@RobinCsl

Hi 👋
I was just preparing an app for production and read in the docs that it was necessary to enable ATS for iOS by removing localhost from the list of domain exceptions. (cf. https://facebook.github.io/react-native/docs/running-on-device#1-enable-app-transport-security)

However, upon closer inspection of the info.plist file, I see that there is this other key in the NSAppTransportSecurity dictionary by default: NSAllowsArbitraryLoads, which is set to true by default.

I just created a new project to see what's going on (npx expo init testProject), and selecting the bare-minimum option, this is the part concerning ATS in the freshly generated info.plist:

<key>NSAppTransportSecurity</key>
<!--See http://ste.vn/2015/06/10/configuring-app-transport-security-ios-9-osx-10-11/ -->
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>localhost</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>

I tried to run the project before bringing any changes: yarn ios and it worked fine, meaning the JS bundle was correctly loaded and the screen displayed "Welcome to React Native!" as expected.

I then removed the part concerning localhost being an exception, i.e. my info.plist then looked like:

<key>NSAppTransportSecurity</key>
<!--See http://ste.vn/2015/06/10/configuring-app-transport-security-ios-9-osx-10-11/ -->
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

and the JS bundle still loads, and no warnings are issued; that makes me think that the key NSExceptionDomains is not necessary since NSAllowsArbitraryLoads being true allows everything to be loaded anyway.

I then tried removing only the NSAllowsArbitraryLoads key, so that my info.plist looked like:

<key>NSAppTransportSecurity</key>
<!--See http://ste.vn/2015/06/10/configuring-app-transport-security-ios-9-osx-10-11/ -->
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>localhost</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>

and the JS bundle still loaded correctly.

Finally, setting the ATS in info.plist to an empty dictionary (or removing it altogether), like so:

<key>NSAppTransportSecurity</key>
<!--See http://ste.vn/2015/06/10/configuring-app-transport-security-ios-9-osx-10-11/ -->
<dict></dict>

produced an error: "No bundle URL present", which was expected.

TL;DR: Shall I add an extra sentence in the docs for ATS in production or am I missing something? Only following the part about the removal of localhost from domain exceptions does not seem enough since NSAllowsArbitraryLoads defaulting to true disables ATS for any domain.
Thanks a lot!
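
A release-time check for the two ATS settings discussed in this issue, as an added example that is not part of the original post or of the React Native or Expo tooling. The function name `audit_ats` and the sample plist wrapper are assumptions made for illustration; the ATS block itself is the one shown in the post.

```python
import plistlib
import sys

# Constructed sample: the ATS block from the freshly generated project in the
# post, wrapped in a minimal plist so it parses on its own.
SAMPLE_DEFAULT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>localhost</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

def audit_ats(plist_bytes):
    """Return findings for ATS settings that weaken a release build."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity") or {}
    findings = []
    # Global switch: removing the localhost exception alone leaves this on.
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append("NSAllowsArbitraryLoads is true: ATS disabled globally")
    # Per-domain exceptions that permit plain HTTP (localhost in the template).
    exceptions = ats.get("NSExceptionDomains") or {}
    for domain, cfg in sorted(exceptions.items()):
        if isinstance(cfg, dict) and cfg.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"{domain}: insecure HTTP loads allowed")
    return findings

if __name__ == "__main__":
    # Pass a path to Info.plist, or run with no argument to audit the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DEFAULT
    for finding in audit_ats(data):
        print("FAIL", finding)
```

Run against the generated template, it reports both the global `NSAllowsArbitraryLoads` key and the `localhost` exception; a plist with an empty or absent `NSAppTransportSecurity` dictionary produces no findings.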
