We are developing an app with Cordova that syncs information with an OData web service made available by a Microsoft Dynamics NAV 2013 middle tier. Under Android there is no problem with the connection, and under iOS 8 and 9 it works as well. On devices using iOS 10 the connection does not work and returns an HTTP 400 Bad Request error. The connection has the following structure (this is test code; it works on Android and iOS 8 and 9, but not on iOS 10):
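
    var xreq = new XMLHttpRequest();
    // Credentials are passed as the 4th and 5th arguments of open()
    xreq.open('GET', "http://domain:port/MIDDLETIER/OData/MobileSetupMWP?$format=json", true, username, password);
    xreq.onreadystatechange = function () {
        // readyState 4 = request finished, response (or error) available
        if (xreq.readyState == 4) {
            if (xreq.status == 200) {
                alert("success");
            } else {
                alert("failure");
            }
        }
    };
    try {
        xreq.send();
    } catch (e) {
        // Errors thrown by send() are ignored in this test code
    }
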
The web service uses Digest authentication and is available as an HTTP and an HTTPS web service. Both HTTP and HTTPS work with Android and iOS 8 and 9. Connecting to an HTTP OData web service without authentication (http://services.odata.org/V3/OData/OData.svc/) works on iOS 10, so the problem seems to be related to the authentication.
We have already included the following part in a plugin:

    <platform name="ios">
        <config-file target="*-Info.plist" parent="NSPhotoLibraryUsageDescription">
            <string>Für Bildvorschau wird die geräteeigene Fotogalerie verwendet</string>
        </config-file>
        <config-file target="*-Info.plist" parent="ITSAppUsesNonExemptEncryption">
            <false/>
        </config-file>
        <config-file target="*-Info.plist" parent="NSAppTransportSecurity">
            <dict><key>NSAllowsArbitraryLoads</key><true /></dict>
        </config-file>
    </platform>

This is the Content Security Policy we are using:

    <meta http-equiv="Content-Security-Policy" content="default-src * blob: data: ws: wss: gap://ready ; style-src 'self' 'unsafe-inline' 'unsafe-eval' * ;
    script-src 'self' 'unsafe-inline' 'unsafe-eval' * ; connect-src * 'self' 'unsafe-inline' 'unsafe-eval' data: blob: ws: wss: ; img-src * data: blob:">

Any ideas what the problem could be or what we could test?
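
A reference computation of the Digest `Authorization` header (RFC 2617, MD5), added here as a diagnostic aid and not part of the original post: given the `WWW-Authenticate` challenge from a captured exchange, it produces the value to compare against what the iOS 10 WebView actually sends. It assumes Node.js, the MD5 algorithm and `qop=auth` or no qop; the function names are hypothetical and the sample challenge is the RFC's own example, not the NAV server's.

```javascript
// Added example, not from the original post. Runs under Node.js.
const nodeCrypto = require('crypto');
const md5 = (s) => nodeCrypto.createHash('md5').update(s, 'utf8').digest('hex');

// Constructed sample: the example challenge from RFC 2617 section 3.5.
const RFC2617_SAMPLE = 'Digest realm="testrealm@host.com", qop="auth,auth-int", ' +
  'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"';

// Parse a "WWW-Authenticate: Digest ..." value into lower-cased key/value pairs.
function parseDigestChallenge(header) {
  const m = /^\s*Digest\s+(.*)$/i.exec(header);
  if (!m) throw new Error('not a Digest challenge');
  const params = {};
  const re = /([a-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/gi;
  let p;
  while ((p = re.exec(m[1])) !== null) {
    params[p[1].toLowerCase()] = p[2] !== undefined ? p[2].replace(/\\(.)/g, '$1') : p[3];
  }
  return params;
}

// Compute the reference Authorization value for one request (MD5, qop=auth or none).
function digestAuthorization({ challenge, username, password, method, uri, cnonce, nc }) {
  const c = parseDigestChallenge(challenge);
  if (!c.realm || !c.nonce) throw new Error('challenge lacks realm or nonce');
  if (c.algorithm && c.algorithm.toUpperCase() !== 'MD5') {
    throw new Error('unsupported algorithm: ' + c.algorithm);
  }
  const ha1 = md5(`${username}:${c.realm}:${password}`);
  const ha2 = md5(`${method}:${uri}`); // uri must equal the request-URI, query string included
  const qopAuth = (c.qop || '').split(',').map((q) => q.trim()).includes('auth');
  const response = qopAuth
    ? md5(`${ha1}:${c.nonce}:${nc}:${cnonce}:auth:${ha2}`)
    : md5(`${ha1}:${c.nonce}:${ha2}`);
  const parts = [`username="${username}"`, `realm="${c.realm}"`, `nonce="${c.nonce}"`, `uri="${uri}"`];
  if (qopAuth) parts.push('qop=auth', `nc=${nc}`, `cnonce="${cnonce}"`);
  parts.push(`response="${response}"`);
  if (c.opaque) parts.push(`opaque="${c.opaque}"`);
  return { response, header: 'Digest ' + parts.join(', ') };
}
```

RFC 2617 says the server should return 400 Bad Request when the `uri` directive does not match the request line, so the `uri` field (including `?$format=json`) is worth comparing first.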