Dart uses sockets in order to make its HTTPS requests, which means any enforced HTTPS policies forced by the OS will be ineffective and won't work.
An app can have multiple sources that trigger an HTTP request, many of those we can't control as they can be in a third party library.
Currently we can force HTTPS-only connections by passing this zone configuration:
zoneValues: {#flutter.io.allow_http: false},
But this isn't documented anywhere and it's deep inside the engine, so this can be changed at any time, so it's not a strong and guaranteed solution.
I think this configuration should be documented and also we should have a higher level mechanism for configuring it.
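An added example, not part of the original issue or of Flutter's code: where the `zoneValues` entry quoted above is passed (to `runZoned` from `dart:async`), and a check that the flag stays visible across async gaps and in child zones, which is what lets it reach code in third-party libraries. The helper names `runHttpsOnly`, `httpsOnlyActive` and `thirdPartyCall` are hypothetical; that the engine acts on the flag is taken from the issue text and is not exercised here.

```dart
import 'dart:async';

// Zone key copied from the issue text. Per the issue, the Flutter engine
// reads it; that behaviour is assumed here, not demonstrated.
const Symbol allowHttpKey = #flutter.io.allow_http;

/// Runs [body] in a zone that carries the HTTPS-only flag.
R runHttpsOnly<R>(R Function() body) =>
    runZoned(body, zoneValues: {allowHttpKey: false});

/// True when the current zone, or any parent zone, has the flag set to false.
bool httpsOnlyActive() => Zone.current[allowHttpKey] == false;

/// Stand-in for library code we do not control that does async work.
Future<bool> thirdPartyCall() async {
  await Future<void>.delayed(Duration.zero);
  // Callbacks run in the zone where they were registered, so the flag
  // is still visible after the async gap.
  return httpsOnlyActive();
}

Future<void> main() async {
  // Code started outside the wrapped zone does not see the flag.
  print('outside zone: ${httpsOnlyActive()}');

  await runHttpsOnly(() async {
    print('inside zone: ${httpsOnlyActive()}');
    print('after async gap: ${await thirdPartyCall()}');

    // A child zone that adds unrelated values (constructed key #other)
    // falls back to the parent zone for keys it does not define.
    final inChild = runZoned(httpsOnlyActive, zoneValues: {#other: 1});
    print('in child zone: $inChild');

    // A child zone can override the flag, so the setting only holds for
    // code that does not replace it.
    final overridden =
        runZoned(httpsOnlyActive, zoneValues: {allowHttpKey: true});
    print('child zone with override: $overridden');
  });
}
```

In a Flutter app the body passed to `runHttpsOnly` would be the code that starts the app, so that every request issued from it runs inside the flagged zone.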