22060893: App Transport Security should not block http requests to localhost #58

Open
openradar-mirror opened this issue Aug 3, 2015 · 0 comments

Description

Summary:
ATS makes perfect sense and I commend Apple on taking a strong stance in favor of security, but blocking localhost requests does not make sense and only makes developer life needlessly complicated. Setting up multiple (or even just one!) SSL endpoints on a single machine development environment is a huge hassle and serves no security benefit. Please opt the localhost out of ATS blocking by default!

NOTE: Yes, it is possible to opt out by adding keys to the Info.plist file, but again, this is unnecessary hassle.

Steps to Reproduce:
Create an app and have it contact a localhost URL. Launch app in XTractor and observe a message along these lines in the log:

App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.

Expected Results:
HTTP calls to localhost should not be blocked.

Actual Results:
App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.

Version:
iOS9 in Xcode 7 beta 4

Notes:
Reproducible 100% of the time.

Configuration:
Macbook Air

Product Version: 9
Created: 2015-07-29 22:34:16.458210
Originated: 2015-07-29T00:00:00
Open Radar Link: http://www.openradar.me/22060893
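
The Info.plist opt-out mentioned in the report can be kept narrow, so that only the local development host is exempted. The following is an added example, not part of the original report: a small audit that flags ATS settings allowing cleartext HTTP beyond `localhost`. The key names are the ones from Apple's released ATS documentation (the report does not name them), and the plist samples and the `audit_ats` helper are constructed for illustration.

```python
import plistlib

def _plist(ats_body: str) -> bytes:
    """Wrap an ATS dictionary body in a minimal Info.plist (constructed sample)."""
    return (f'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
            f'<key>NSAppTransportSecurity</key><dict>{ats_body}</dict>'
            f'</dict></plist>').encode()

def _exception(domain: str, extra: str = "") -> str:
    """One NSExceptionDomains entry that permits cleartext HTTP for `domain`."""
    return (f'<key>{domain}</key><dict>'
            f'<key>NSExceptionAllowsInsecureHTTPLoads</key><true/>{extra}</dict>')

# Constructed samples: a scoped localhost exception, a global opt-out,
# and a plist that also exempts a non-local host (reserved example domain).
SCOPED = _plist(f'<key>NSExceptionDomains</key><dict>{_exception("localhost")}</dict>')
BROAD = _plist('<key>NSAllowsArbitraryLoads</key><true/>')
MIXED = _plist('<key>NSExceptionDomains</key><dict>'
               + _exception("localhost", '<key>NSIncludesSubdomains</key><true/>')
               + _exception("dev.example.com") + '</dict>')

def audit_ats(plist_bytes: bytes, allowed_hosts=("localhost",)) -> list:
    """Return findings for ATS settings that allow cleartext HTTP beyond allowed_hosts."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    # A global opt-out removes ATS protection for every host, not just the dev box.
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append("NSAllowsArbitraryLoads disables ATS for every host")
    for domain, opts in ats.get("NSExceptionDomains", {}).items():
        if not opts.get("NSExceptionAllowsInsecureHTTPLoads"):
            continue  # exception does not permit cleartext HTTP
        if domain.lower() not in allowed_hosts:
            findings.append(f"cleartext HTTP allowed for non-local domain {domain}")
        elif opts.get("NSIncludesSubdomains"):
            findings.append(f"{domain} exception also covers subdomains")
    return findings

if __name__ == "__main__":
    for name, sample in (("SCOPED", SCOPED), ("BROAD", BROAD), ("MIXED", MIXED)):
        print(name, audit_ats(sample) or "ok")
```

Running a check like this in CI against the release build's Info.plist helps keep a development-only exception from shipping wider than intended.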
