In iOS 9, I can add keys to my Info.plist to disable App Transport Security. There are two keys, NSExceptionAllowsInsecureHTTPLoads and NSThirdPartyExceptionAllowsInsecureHTTPLoads, which are defined as:

An optional Boolean value that, when set to YES, allows insecure HTTP loads. Use this key to describe your app’s intended network behavior for a domain whose security attributes you have control over.

and

A version of the NSExceptionAllowsInsecureHTTPLoads key to be used to configure connections to a domain whose security attributes you don’t control.

What security attributes do they refer to? Why does it matter what my intentions are?

What are the circumstances under which I'd use one of these rather than the other?

There are 2 best solutions below

0
On BEST ANSWER

The third-party keys are deprecated by Apple as of 2016-09-13:

Removed all mention of the following third-party-server exception keys from the description for the NSAppTransportSecurity key; Apple no longer expects apps to specify any of them: NSThirdPartyExceptionAllowsInsecureHTTPLoads, NSThirdPartyExceptionRequiresForwardSecrecy, NSThirdPartyExceptionMinimumTLSVersion.

TL;DR: use NSExceptionAllowsInsecureHTTPLoads.

0
On

The two keys are functionally identical, but there is a semantic difference. I'm quoting from this article on App Transport Security:

The distinction between these two keys is largely semantic, helping to clarify the intent and ownership of the domains being excepted from ATS's default behavior. That said, from a technical perspective, both keys achieve the same result. They both allow insecure HTTP connections to the domain.

In summary, use NSExceptionAllowsInsecureHTTPLoads if you control the server/domain and use NSThirdPartyExceptionAllowsInsecureHTTPLoads if you don't control the server/domain.

I appreciate that Apple makes a distinction between the two. It is clear to the developer(s) working on the project and, also important, it is clear to Apple why the domain is excepted from App Transport Security. Keep in mind that Apple can ask you during App Review why you added an exception domain. By making it clear what the intent is (you control the domain or third-party domain), Apple has more context.
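
An added example (not from either answer or from Apple's documentation): a short Python audit that parses an Info.plist and reports every per-domain ATS exception that allows insecure HTTP, plus any use of the third-party keys the first answer lists as deprecated. The sample plist and its domains are constructed placeholders, and `audit_ats` is a hypothetical helper name.

```python
import plistlib

# Third-party exception keys that, per the changelog quoted in the first
# answer, Apple no longer expects apps to specify.
DEPRECATED_KEYS = {
    "NSThirdPartyExceptionAllowsInsecureHTTPLoads",
    "NSThirdPartyExceptionRequiresForwardSecrecy",
    "NSThirdPartyExceptionMinimumTLSVersion",
}
# Both spellings of the "allow plain HTTP" exception discussed on this page.
INSECURE_HTTP_KEYS = {
    "NSExceptionAllowsInsecureHTTPLoads",
    "NSThirdPartyExceptionAllowsInsecureHTTPLoads",
}

# Constructed sample Info.plist; the domains are placeholders.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.com</key>
      <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
      <key>cdn.example.net</key>
      <dict><key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key><true/></dict>
      <key>static.example.org</key>
      <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><false/></dict>
    </dict>
  </dict>
</dict></plist>"""

def audit_ats(plist_bytes):
    """Return sorted (domain, key, finding) tuples for ATS exceptions."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    for domain, settings in ats.get("NSExceptionDomains", {}).items():
        for key, value in settings.items():
            if key in DEPRECATED_KEYS:
                findings.append((domain, key, "deprecated third-party key"))
            # Only a true value actually opens the domain to plain HTTP.
            if key in INSECURE_HTTP_KEYS and value is True:
                findings.append((domain, key, "allows insecure HTTP"))
    return sorted(findings)

if __name__ == "__main__":
    for domain, key, finding in audit_ats(SAMPLE_PLIST):
        print(f"{domain}: {key}: {finding}")
```

Running it against a built app's Info.plist gives a list of domains to justify during review or to migrate to HTTPS.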