Insecure HTTP connections are disabled by default on iOS and Android
Summary
If your code tries to open an HTTP connection to a host on iOS or Android, a StateException is now thrown with the following message:
Insecure HTTP is not allowed by platform: <host>
Use HTTPS instead.
Context
Starting with Android API 28 and iOS 9, these platforms disable insecure HTTP connections by default.
With this change, Flutter also disables insecure connections on mobile platforms. Other platforms (desktop, web, etc.) are not affected.
You can override this behavior by following the platform-specific guidelines to define a domain-specific network policy. See the migration guide below for details.
As on the platforms themselves, the application can still open insecure socket connections. Flutter does not enforce any policy at the socket level; you are responsible for securing the connection.
Migration guide
On iOS, you can add NSExceptionDomains to your application's Info.plist.
On Android, you can add a network security config XML. For Flutter to find your XML file, you need to also add a metadata entry to the <application> tag in your manifest. This metadata entry should carry the name io.flutter.network-policy and should contain the resource identifier of the XML.
For instance, if you put your XML configuration under res/xml/network_security_config.xml, your manifest would contain the following:
<application ...>
    ...
    <meta-data android:name="io.flutter.network-policy"
               android:resource="@xml/network_security_config"/>
</application>
Allowing cleartext connection for debug builds
If you would like to allow HTTP connections for Android debug builds, you can add the following snippet to your $project_path\android\app\src\debug\AndroidManifest.xml:
<application android:usesCleartextTraffic="true"/>
For iOS, you can follow these instructions to create an Info-debug.plist and put this in:
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>
We do not recommend you do this for your release builds.
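A build-time check for the Android settings described above, added here as an example and not part of the Flutter documentation or tooling: it reads a manifest and a network security config and reports any cleartext allowance that is not on an approved list. The function names, the sample XML, the domain legacy.example.com and the approved-set parameter are all assumptions made for illustration; the policy file is read using the standard Android network security config elements.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample inputs, not taken from a real project.
RELEASE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:label="demo">
    <meta-data android:name="io.flutter.network-policy"
               android:resource="@xml/network_security_config"/>
  </application>
</manifest>"""
DEBUG_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:usesCleartextTraffic="true"/>
</manifest>"""
NETWORK_CONFIG = """<network-security-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="false">legacy.example.com</domain>
  </domain-config>
</network-security-config>"""

def cleartext_domains(config_xml):
    """Return (domain, include_subdomains) pairs the policy opens to HTTP."""
    root = ET.fromstring(config_xml)
    base = root.find("base-config")
    if base is not None and base.get("cleartextTrafficPermitted") == "true":
        return [("*", True)]  # every host may be reached over HTTP
    allowed = []
    # Simplification: inheritance between nested domain-config blocks is not modelled.
    for dc in root.iter("domain-config"):
        if dc.get("cleartextTrafficPermitted") == "true":
            for dom in dc.findall("domain"):
                name = (dom.text or "").strip()
                allowed.append((name, dom.get("includeSubdomains") == "true"))
    return allowed

def audit(manifest_xml, config_xml, approved):
    """Return findings for one build variant; an empty list means it passes.
    Assumes the manifest contains an <application> element."""
    findings = []
    app = ET.fromstring(manifest_xml).find("application")
    if app.get(ANDROID + "usesCleartextTraffic") == "true":
        findings.append("manifest allows cleartext to all hosts")
    names = [m.get(ANDROID + "name") for m in app.findall("meta-data")]
    if config_xml and "io.flutter.network-policy" not in names:
        findings.append("policy XML present but io.flutter.network-policy meta-data missing")
    for name, subs in (cleartext_domains(config_xml) if config_xml else []):
        if name not in approved or subs:
            findings.append(f"cleartext not approved: {name} (subdomains={subs})")
    return findings
```

Run `audit` against the release manifest in CI and fail the build on any finding; the debug manifest is expected to produce one.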
Additional Information
- Build-time configuration is the only way to change network policy. It cannot be modified at runtime.
- Localhost connections are always allowed.
- You can allow insecure connections only to domains. Specific IP addresses are not accepted as input. This is in line with what platforms support. If you would like to allow IP addresses, the only option is to allow cleartext connections in your app.
Timeline
Landed in version: 1.23
In stable release: 2.0.0
Reverted in version: 2.2.0 (proposed)
References
API documentation: There's no API for this change since the modification to network policy is done through the platform-specific configuration as detailed above.
Relevant PRs:
- PR 20218: Plumbing for setting domain network policy
- Introduce per-domain policy for strict secure connections
Unless stated otherwise, the documentation on this site reflects the latest stable version of Flutter. Page last updated on 2024-10-09.