I'm wondering that NSURLRequest with .returnCacheDataElseLoad/.returnCacheDataDontLoad cache policy ignores basic authorization. So the following scenario works incorrectly:
- Set up the URL cache policy to use the local cache before requesting from the server
- Make a fresh request with good credentials and receive a success response
- Switch to offline
- Make a request with the previous URL but incorrect authorization credentials
- Watch that the second request with incorrect credentials succeeds
Overall, this bug allows anyone to sign in if offline mode in the app is implemented via the iOS system cache.
Is anybody familiar with this issue? It happens at least on iOS 10. I'm looking for a way to fix it in a gentle manner.
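
One way to keep a cached response from being served to a request that carries different credentials, as an added example (not code from the original post): tag each cached response with an HMAC of the request's Authorization header and verify the tag before using a cache hit. `AuthBoundCache`, `AuthBoundCacheDelegate`, the `authTag` key and the secret key (assumed to be kept in the Keychain) are hypothetical names; the sketch assumes the app sets the Authorization header on each request itself, performs the offline cache lookup itself instead of relying on the returnCacheData policies, and can use CryptoKit (iOS 13 or later).

```swift
import Foundation
import CryptoKit  // assumption: iOS 13+; on older systems use CommonCrypto's HMAC instead

/// Hypothetical helper: binds URLCache entries to the credentials that produced them.
enum AuthBoundCache {
    static let tagKey = "authTag"  // hypothetical userInfo key

    private static func headerBytes(_ request: URLRequest) -> Data {
        Data((request.value(forHTTPHeaderField: "Authorization") ?? "").utf8)
    }

    /// Copy of `proposed` carrying an HMAC of the request's Authorization header.
    static func tagged(_ proposed: CachedURLResponse, for request: URLRequest,
                       secret: SymmetricKey) -> CachedURLResponse {
        let mac = HMAC<SHA256>.authenticationCode(for: headerBytes(request), using: secret)
        var info = proposed.userInfo ?? [:]
        info[tagKey] = Data(mac)
        return CachedURLResponse(response: proposed.response, data: proposed.data,
                                 userInfo: info, storagePolicy: proposed.storagePolicy)
    }

    /// Returns a cache hit only when the stored tag matches this request's credentials.
    /// Untagged entries and credential mismatches are treated as cache misses.
    static func cachedResponse(for request: URLRequest, in cache: URLCache,
                               secret: SymmetricKey) -> CachedURLResponse? {
        guard let hit = cache.cachedResponse(for: request),
              let stored = hit.userInfo?[tagKey] as? Data,
              HMAC<SHA256>.isValidAuthenticationCode(stored, authenticating: headerBytes(request),
                                                     using: secret)
        else { return nil }
        return hit
    }
}

/// Session delegate that tags every response before it is written to the cache.
final class AuthBoundCacheDelegate: NSObject, URLSessionDataDelegate {
    private let secret: SymmetricKey
    init(secret: SymmetricKey) { self.secret = secret }

    func urlSession(_ session: URLSession, dataTask: URLSessionDataTask,
                    willCacheResponse proposedResponse: CachedURLResponse,
                    completionHandler: @escaping (CachedURLResponse?) -> Void) {
        guard let request = dataTask.originalRequest else {
            completionHandler(nil)  // no request to bind to: do not cache
            return
        }
        completionHandler(AuthBoundCache.tagged(proposedResponse, for: request, secret: secret))
    }
}
```

With this in place, network requests would use .reloadIgnoringLocalCacheData, and the offline path would call `AuthBoundCache.cachedResponse(for:in:secret:)` and treat `nil` as "not signed in".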