0
votes

We are developing an app with Cordova that syncs information with an ODATA Web-Service made available by a Microsoft Dynamics NAV 2013 middle tier. Under Android there is no problem with the connection, and under iOS 8 and 9 it works as well. On devices using iOS 10 the connection does not work and returns an HTTP 400 Bad Request error. The connection has the following structure (this is test code; it works on Android and iOS 8 and 9, but not on iOS 10):

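var xreq = new XMLHttpRequest();
// Asynchronous GET; username and password are passed to open() for the authentication challenge
xreq.open('GET', "http://domain:port/MIDDLETIER/OData/MobileSetupMWP?$format=json", true, username, password);
xreq.onreadystatechange = function () {
  // readyState 4 = request finished
  if (xreq.readyState == 4) {
    if (xreq.status == 200) {
      alert("success");
    } else {
      alert("failure");
    }
  }
};
try {
  xreq.send();
} catch (e) {
  // exceptions thrown by send() are ignored in this test
}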

The Web-Service uses Digest as authentication and is available as an http and an https Web-Service. Both http and https work with Android and iOS 8 and 9. Connecting to an http ODATA Web Service without authentication (http://services.odata.org/V3/OData/OData.svc/) works on iOS 10, so the problem seems to be related to the authentication.

We have already included the following part in a plugin:

<platform name="ios">
    <config-file target="*-Info.plist" parent="NSPhotoLibraryUsageDescription">
        <string>Für Bildvorschau wird die geräteeigene Fotogalerie verwendet</string>
    </config-file>
    <config-file target="*-Info.plist" parent="ITSAppUsesNonExemptEncryption">
        <false/>
    </config-file>
    <config-file target="*-Info.plist" parent="NSAppTransportSecurity">
        <dict><key>NSAllowsArbitraryLoads</key><true /></dict>
    </config-file>
</platform>

This is the Content Security Policy we are using:

<meta http-equiv="Content-Security-Policy" content="default-src * blob: data: ws: wss: gap://ready ; style-src 'self' 'unsafe-inline' 'unsafe-eval' * ;
    script-src 'self' 'unsafe-inline' 'unsafe-eval' * ; connect-src * 'self' 'unsafe-inline' 'unsafe-eval' data: blob: ws: wss: ; img-src * data: blob:">

Any ideas what the problem could be or what we could test?


2 Answers

0
votes

The problem seems to be a general one with iOS 10's handling of Digest Authentication. It is basically the same problem as described here: HTTP digest authentication fail due to wrong nonce-count in iOS 10

We opened a bug with Apple.
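One way to test for the nonce-count problem named above, as an added example that is not part of the original answer: given the `Authorization: Digest` header values a client sent (for example from a proxy trace, which is an assumption here), check that `nc` increases for each nonce and that `response` matches the RFC 2617 calculation for `qop=auth` with MD5. The function names are hypothetical, and the sample headers are constructed from the RFC 2617 example credentials.

```javascript
// Added diagnostic example; sample headers are constructed from the RFC 2617 example values.
const nodeCrypto = typeof require === "function" ? require("crypto") : process.getBuiltinModule("crypto");
const md5 = (s) => nodeCrypto.createHash("md5").update(s).digest("hex");

// Parse the parameters of an "Authorization: Digest ..." header value.
function parseDigest(header) {
  const params = {};
  const body = header.replace(/^Digest\s+/i, "");
  for (const m of body.matchAll(/(\w+)=(?:"([^"]*)"|([^\s,]+))/g)) {
    params[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  }
  return params;
}

// Response the server expects for qop=auth with MD5 (RFC 2617, section 3.2.2).
function expectedResponse(p, method, password) {
  const ha1 = md5(`${p.username}:${p.realm}:${password}`);
  const ha2 = md5(`${method}:${p.uri}`);
  return md5(`${ha1}:${p.nonce}:${p.nc}:${p.cnonce}:${p.qop}:${ha2}`);
}

// Walk captured headers in request order and report nonce-count or hash problems.
function checkSequence(headers, method, password) {
  const lastNc = new Map(); // nonce -> highest nc accepted so far
  const findings = [];
  headers.forEach((h, index) => {
    const p = parseDigest(h);
    if (!/^[0-9a-f]{8}$/i.test(p.nc || "")) {
      findings.push({ index, issue: "bad-nc-format" });
      return;
    }
    const nc = parseInt(p.nc, 16);
    if (lastNc.has(p.nonce) && nc <= lastNc.get(p.nonce)) {
      findings.push({ index, issue: "nc-not-increasing" });
    } else {
      lastNc.set(p.nonce, nc);
    }
    if (expectedResponse(p, method, password) !== p.response) {
      findings.push({ index, issue: "response-mismatch" });
    }
  });
  return findings;
}

const base = 'Digest username="Mufasa", realm="testrealm@host.com", ' +
  'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", qop=auth, ' +
  'cnonce="0a4f113b", response="6629fae49393a05397450978507c4ef1", nc=';
const SAMPLE_HEADERS = [base + "00000001", base + "00000001", base + "00000002"];
console.log(checkSequence(SAMPLE_HEADERS, "GET", "Circle Of Life"));
```

In the sample, the second header reuses `nc=00000001` and the third sends `nc=00000002` with a hash computed for `00000001`, so each is reported once.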

0
votes

The problem was solved by Apple with the 10.2 Beta version. Connection with DIGEST Web Services is possible again.