How to test the ATS setting

Mark or Shane,

Do you have a suggestion as to how to test the ATS setting for allowing arbitrary loads for App Transport Security? I am not totally sure what exactly this check box enables and disables. “App Transport Security” is a safety feature that appears to be able to turn on and off “App Transport Security” depending on the ATS setting. I am assuming this has to be tested with ASObj-C code.

Bill

This setting affects your script’s ability to load arbitrary URLs. This only controls URLs accessed by your script’s process. URLs accessed by another process (say Safari) at your script’s command are not affected.

Examples of URLs accessed directly by your process include:

  • URLs downloaded using ASObjC
  • URLs accessed by Sparkle (when using the Enhanced Applet shell)

Here’s a simple example. This script downloads the BBC news page and displays the first 200 characters of the HTML:

use AppleScript version "2.4" -- Yosemite (10.10) or later
use framework "Foundation"
use scripting additions

set theURL to current application's |NSURL|'s URLWithString:"http://www.bbc.com/news"
set theData to current application's NSData's dataWithContentsOfURL:theURL
set theHTML to current application's NSString's alloc()'s initWithData:theData encoding:(current application's NSUTF8StringEncoding)
display dialog text 1 thru 200 of (theHTML as text)

It works fine in Script Debugger, because it’s set to allow arbitrary loading. But if you save it as an applet and run it, you’ll see:

Can’t get text 1 thru 200 of "". (-1728)

That’s because ATS won’t allow a http:// connection, so theData is empty. But if you click the Allow arbitrary loads checkbox and save, when you run the applet again you will see the HTML.

Mark and Shane,

To see if I understand this correctly, Apple’s ATS feature blocks what it considers insecure connections. When the “Allow arbitrary loads” check box in the enhanced applet is checked, every connection is considered secure. To actually accomplish this, when the box is checked an “App Transport Security Settings” resource called “Allow Arbitrary Loads” is added to the applet plist and the “Allow Arbitrary Loads” is set to true. After that all sites can be accessed. When the box is unchecked the resource disappears from the plist.

Figuring out what sites to use can be tricky because some sites are on Apple’s preapproved list and I don’t know how to get that list, and Apple’s ATS itself uses a lot of its own rules to determine if a site can be accessed.

As I see it from a testing standpoint I don’t worry about testing on a lot of different sites. I just verify when the box is checked no site is denied for being insecure.

There are a lot of insanely complicated rules ATS uses to determine if a site is secure. It’s pretty complicated stuff. So it is not simple to pick which sites to test on. I just keep trying sites until one comes up as insecure without the check box on, and does “not” come up insecure when the check box is checked. So I am assuming the testing is only testing how the enhanced applet handles sites that are determined secure or insecure (it makes sense to test both types). For me http://www.cnn.com has worked well for testing. But I am trying different ways to accomplish the same goal to give SD a tougher workout.

Shane’s script is simpler than my test script. I will try his script as well.

Bill

Not just enhanced apps — it applies to standard Apple applets, too.

Really, the behavior doesn’t need testing — that’s all down to Apple and beyond anyone else’s control. The only thing that needs testing is that the correct entry is added when the button is checked, and removed when it’s not.

Are you saying the only thing that needs testing is the actual check box itself?

Bill

More or less, yes. We really only need to know if you see something like it doesn’t stick when it should.

Thanks Shane 🙂

Bill
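The check described in the thread (the entry is present after saving with the box checked and gone after saving with it unchecked) can be automated by reading the saved applet's Info.plist. The following is an added example, not code from the thread or from Script Debugger: `NSAppTransportSecurity` and `NSAllowsArbitraryLoads` are the raw Info.plist keys behind the "App Transport Security Settings" and "Allow Arbitrary Loads" names quoted above, while the helper names and the sample bundles are constructed for the demo.

```python
import plistlib
import tempfile
from pathlib import Path

ATS_KEY = "NSAppTransportSecurity"        # shown as "App Transport Security Settings"
ARBITRARY_KEY = "NSAllowsArbitraryLoads"  # shown as "Allow Arbitrary Loads"


def ats_arbitrary_loads(app_path):
    """Return 'enabled', 'disabled' or 'absent' for the bundle's Info.plist."""
    info = Path(app_path) / "Contents" / "Info.plist"
    with info.open("rb") as fh:
        plist = plistlib.load(fh)  # auto-detects XML and binary plists
    ats = plist.get(ATS_KEY)
    if not isinstance(ats, dict) or ARBITRARY_KEY not in ats:
        return "absent"
    return "enabled" if ats[ARBITRARY_KEY] is True else "disabled"


def checkbox_sticks(app_path, expected_checked):
    """True when the saved plist matches the checkbox state chosen before saving."""
    state = ats_arbitrary_loads(app_path)
    # A missing entry and an explicit false both leave ATS enforcement on.
    return state == "enabled" if expected_checked else state in ("absent", "disabled")


def make_sample_applet(root, name, ats=None, binary=False):
    """Build a constructed, minimal .app skeleton for the demo (not a real applet)."""
    contents = Path(root) / name / "Contents"
    contents.mkdir(parents=True)
    plist = {"CFBundleIdentifier": "com.example." + name, "CFBundleExecutable": "applet"}
    if ats is not None:
        plist[ATS_KEY] = ats
    fmt = plistlib.FMT_BINARY if binary else plistlib.FMT_XML
    with (contents / "Info.plist").open("wb") as fh:
        plistlib.dump(plist, fh, fmt=fmt)
    return contents.parent


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        checked = make_sample_applet(tmp, "Checked.app", {ARBITRARY_KEY: True}, binary=True)
        unchecked = make_sample_applet(tmp, "Unchecked.app")
        return {
            "checked": ats_arbitrary_loads(checked),
            "unchecked": ats_arbitrary_loads(unchecked),
            "sticks": checkbox_sticks(checked, True) and checkbox_sticks(unchecked, False),
        }


if __name__ == "__main__":
    print(demo())
```

Pointing `checkbox_sticks` at a real saved applet after each toggle gives the "does it stick" answer without needing a test site that ATS happens to block.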