Ban HTTP on iOS and Android platforms by default #54448

@mehmetf

Starting with API 28[1] and iOS 9[2], insecure connections are banned on the native platforms by default. Flutter, on the other hand, uses the Dart VM's HTTP implementation, which integrates with Sockets directly. This circumvents the security features on the platform and allows the HTTP protocol.

We recently added the capability to disallow HTTP on a per-platform basis to the Dart SDK (dart-lang/sdk#40548). This issue tracks enabling that feature on iOS and Android platforms only. Desktop and Web platforms are unaffected.

1: https://developer.android.com/training/articles/security-config#CleartextTrafficPermitted
2: https://developer.apple.com/documentation/bundleresources/information_property_list/nsapptransportsecurity
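
The native policies cited in [1] and [2] are declared in an app's network security config and `Info.plist`. The following added example (not part of the issue, nor code from the Flutter or Dart projects) audits both files for cleartext permission. The function names and sample inputs are constructed for illustration, and the result reflects only what the native platform declares, which per the issue the Dart HTTP stack does not consult.

```python
import plistlib
import xml.etree.ElementTree as ET

def android_cleartext(nsc_xml, target_sdk):
    """Evaluate a network security config document for cleartext permission."""
    root = ET.fromstring(nsc_xml)
    default = target_sdk < 28  # platform default: cleartext banned from API 28 on
    base = root.find("base-config")
    if base is not None and base.get("cleartextTrafficPermitted") is not None:
        default = base.get("cleartextTrafficPermitted") == "true"
    domains = []

    def walk(node, inherited):
        # A domain-config without the attribute inherits from its parent.
        for dc in node.findall("domain-config"):
            val = dc.get("cleartextTrafficPermitted")
            allowed = inherited if val is None else val == "true"
            if allowed:
                domains.extend((d.text or "").strip() for d in dc.findall("domain"))
            walk(dc, allowed)

    walk(root, default)
    return {"default": default, "cleartext_domains": sorted(domains)}

def ios_cleartext(info_plist):
    """Evaluate NSAppTransportSecurity; other ATS keys are not considered."""
    ats = plistlib.loads(info_plist).get("NSAppTransportSecurity", {})
    domains = [name for name, cfg in ats.get("NSExceptionDomains", {}).items()
               if cfg.get("NSExceptionAllowsInsecureHTTPLoads", False)]
    return {"default": bool(ats.get("NSAllowsArbitraryLoads", False)),
            "cleartext_domains": sorted(domains)}

# Constructed sample inputs (not taken from any real app).
SAMPLE_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">legacy.example.com</domain>
    <domain-config><domain>cdn.legacy.example.com</domain></domain-config>
  </domain-config>
</network-security-config>"""
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict><key>NSExceptionDomains</key><dict>
    <key>legacy.example.com</key>
    <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
  </dict></dict>
</dict></plist>"""

if __name__ == "__main__":
    print(android_cleartext(SAMPLE_NSC, target_sdk=28), ios_cleartext(SAMPLE_PLIST))
```

A `default` of `False` with a non-empty `cleartext_domains` list means HTTP is banned except for the listed hosts, which are the entries to review.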

Labels: P3, c: new feature, dependency: dart, dependency: dart:io, engine
