In iOS 9, I can add keys to my info.plist to disable App Transport Security. There are two keys, NSExceptionAllowsInsecureHTTPLoads and NSThirdPartyExceptionAllowsInsecureHTTPLoads, which are defined as:
An optional Boolean value that, when set to YES, allows insecure HTTP loads. Use this key to describe your app’s intended network behavior for a domain whose security attributes you have control over.
and
A version of the NSExceptionAllowsInsecureHTTPLoads key to be used to configure connections to a domain whose security attributes you don’t control.
What security attributes do they refer to? Why does it matter what my intentions are?
What are the circumstances under which I'd use one of these rather than the other?
The third party keys are deprecated by Apple as per 2016-09-13:
Removed all mention of the following third-party-server exception keys from the description for the NSAppTransportSecurity key; Apple no longer expects apps to specify any of them: NSThirdPartyExceptionAllowsInsecureHTTPLoads, NSThirdPartyExceptionRequiresForwardSecrecy, NSThirdPartyExceptionMinimumTLSVersion.
TL;DR; use NSExceptionAllowsInsecureHTTPLoads.
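As an added example (not part of the original answer or Apple's documentation), this Python script audits an Info.plist for the ATS exception keys discussed above and flags the third-party variants that Apple no longer expects apps to specify. The sample plist, its domain names, and the `audit_ats` helper are constructed for illustration.

```python
import plistlib

# Third-party keys the page lists as removed from Apple's documentation,
# mapped to the non-third-party key that replaces each one.
DEPRECATED = {
    "NSThirdPartyExceptionAllowsInsecureHTTPLoads": "NSExceptionAllowsInsecureHTTPLoads",
    "NSThirdPartyExceptionRequiresForwardSecrecy": "NSExceptionRequiresForwardSecrecy",
    "NSThirdPartyExceptionMinimumTLSVersion": "NSExceptionMinimumTLSVersion",
}

# Constructed sample Info.plist; the domain names are placeholders.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><true/>
      </dict>
      <key>cdn.example.net</key>
      <dict>
        <key>NSThirdPartyExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

def audit_ats(plist_bytes):
    """Return sorted (domain, key, finding) tuples for ATS exceptions in an Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append(("*", "NSAllowsArbitraryLoads", "ATS disabled for all domains"))
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        for key, value in cfg.items():
            if key in DEPRECATED:
                findings.append((domain, key, "deprecated, use " + DEPRECATED[key]))
            elif key == "NSExceptionAllowsInsecureHTTPLoads" and value is True:
                scope = "domain and subdomains" if cfg.get("NSIncludesSubdomains") else "domain only"
                findings.append((domain, key, "plain HTTP allowed for " + scope))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_ats(SAMPLE_PLIST):
        print(*finding, sep="  ")
```

Running the audit in CI against each build's Info.plist keeps plain-HTTP exceptions visible in review instead of accumulating unnoticed.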