We have an app which shows HTML content in Webview. Currently the content served to Webview is from non secured domain. From iOS10, it supposed to serve from secured domain so before migrating want to clear some doubts.
I did a quick test and it appears that any referenced resources that are needed to be loaded by the
UIWebView to properly display the page must abide by the ATS rules, but also follow any exceptions you have specified in the
Info.plist for your project. If the I tried to follow a link to a non-https site in the
UIWebView, it gave me errors as well.
I think your best bet would be to use the
SFSafariViewController conditionally for iOS 9 users. You can continue to use the
UIWebView for the iOS 7 and iOS 8 devices, which do not strictly enforce ATS. This imposes fome extra code, but it should be minimal.
Also, just a clarification on Apple's changes around enforcement of App Transport Security. They announced that App Transport Security would be required for apps submitted after December 31, 2016. This means the impact is not so much based on the user's device OS, but rather the developers who are submitting. Also, Apple is still allowing exceptions to be added, as long as you have a justification. We do not yet know what types of justifications Apple will allow. Finally, Apple stated in their WWDC session that apps could still include an exception to the forward secrecy part of the ATS requirements without a separate justification. Until we get to 1/1/2017, though, we will not know for sure how this will work.