Ban HTTP on iOS and Android platforms by default

[mehmetf]

Starting API 28[1] and iOS 9[2], insecure connections are banned on native platform by default. Flutter, on the other hand, uses Dart VM's HTTP implementation which integrates with Sockets directly. This circumvents the security features on the platform and allows HTTP protocol.

We recently added capability to disallow HTTP on a per-platform basis to Dart SDK (dart-lang/sdk#40548). This issue tracks enabling that feature on iOS and Android platforms only. Desktop and Web platforms are unaffected.

1: https://developer.android.com/training/articles/security-config#CleartextTrafficPermitted
2: https://developer.apple.com/documentation/bundleresources/information_property_list/nsapptransportsecurity

[YowFung]

Why I can't open the first link: https://developer.android.com/training/articles/security-config#CleartextTrafficPermitted

It shows Service Unavailable.

[xster]

@mehmetf you mentioned the Dart team wanted to have this implemented some other way? Can you leave some breadcrumbs we can follow?

[mehmetf]

These CLs contain plenty of breadcrumbs on how this was implemented and what the concerns are (in chronological order): https://dart-review.googlesource.com/c/sdk/+/154180 https://dart-review.googlesource.com/c/sdk/+/161581 https://dart-review.googlesource.com/c/sdk/+/161801 https://dart-review.googlesource.com/c/sdk/+/171020 In addition, dart-lang/sdk#40548 contains a healthy amount of discussion on the approach. The new approach would involve taking Android and iOS network policies and converting them to a VM policy that is fed through the C++ API. The old approach started from the assumption that we want to provide APIs for users to define and modify these policies in x-platform code but as the requirements evolved, that assumption was proven false. As lrn@ mentions at the end of the last CL: *If this code is only intended for embedders to interact with, it should be in the C++ API, not the Dart API. And I'd prefer that it has as little effect on the Dart code as absolutely possible, so we are not hard-coding any assumptions about the platform policies in the cross-platform code (up to and including which policies might exist).So. it would be better to have one hook, called (if set) before a connection is created, provided with the connection information, and then the platform specific hook code can throw or warn or accept in whatever way they want to. If they need a way to override their own policy, it too would go into that platform's code, not into the general Dart platform libraries.So, all in all, I want a completely different approach to this problem 😎*