### Before this commit
Setting a security policy configured with `AFSSLPinningModeCertificate` or `AFSSLPinningModePublicKey` on a AFHTTPSessionManager instance configured with an insecure `http` base URL was valid. Requests made with this manager would always succeed since the `-[AFURLSessionManager URLSession:didReceiveChallenge:completionHandler:]` would never be called and thus the security policy would never be evaluated.
### After this commit
Setting a security policy configured with `AFSSLPinningModeCertificate` or `AFSSLPinningModePublicKey` on a AFHTTPSessionManager instance configured with an insecure `http` base URL will throw an exception. This will force the manager to be configured with a secure `https` URL.
Note that properly configuring App Transport Security (ATS) would also solve this issue since insecure connections would fail anyway, but this is a *belt and suspenders* solution.
There was some repetition in URL creation for unit tests. Extracting the common URLs (png, jpeg, delay, status code) makes it easier run the test suites on a local copy of httpbin with the `python -m httpbin.core` command.
The dispatching on main thread was introduced in 920e2669f9 in order to fix#2053. It was not a proper fix but rather a lucky coincidence. This kind of KVO error must be fixed by ensuring that observer are properly registered and unregistered, not by dispatching some random method on the main thread.
It is very important not to dispatch async session invalidation code because it is called in unit tests from the `tearDown` method. At that point, there’s no active runloop, so the session invalidation would not happen immediately but when running the next asynchronous unit test, i.e. when the `waitForExpectationsWithCommonTimeoutUsingHandler:` method is called.
This commit, in conjunction with d869571b82fixes#3710.
Setting the expectation to nil after it is fulfilled in order to avoid `*** Assertion failure in -[XCTestExpectation fulfill]` was just hiding the real issue.
The impetus for this change was a bug related to:
https://github.com/AFNetworking/AFNetworking/issues/3380
Which points to an issue where AFURLSessionManager could get in a state where it does not inform the AFURLSessionManagerTaskDelegate to un-observe cancelled (or otherwise completed) tasks before they are deallocated.
While the above issue is specific to background tasks/sessions, we have observed it on sessions with default configurations as well.
Instead of debugging the KVO issues, I decided to replace the KVO code with in favor of the appropriate NSURLSession delegate methods.
Running all unit tests shows that this approach appears to be working.
The pull request that made this change (https://github.com/AFNetworking/AFNetworking/pull/3187) mentions that its goal was to remove the need for AFNetworking API consumers to use a KVO API for getting progress.
This makes sense, but I was unable to see any reason why KVO was used internally for getting progress information rather than the NSURLSession Delegate methods.
Because of this, It isn't clear to me what the historical reasons were/are for KVO being needed to satisfy the progress requirements of the AFNetworking API.
With any luck, KVO is no longer needed and we can eliminate this class of crashes by eliminating KVO.
NB: as the crash is caused by using a dictionary in a way that the runtime did not expect, it typically causes intermittent crashes which are almost always in unrelated areas of the app. This seems to be strongly related to deallocation of the values in the dictionary, but this may not be the only cause. As such, there is nothing to positively test for, the test succeeds if it doesn't EXC_BAD_ACCESS when cleaning up the @autoreleasepool at the end.
Updated to a different unicode dash (U+002D rather than U+2013) so that it is parsed correctly by markdown, when converting the CocoaPods Acknowledgements.markdown to HTML.
They were referenced in testPolicyWithCertificatePinningAllowsGoogleComServerTrustIncompleteChainWithRootCertificatePinnedAndValidDomainName which is now disabled.
