It’s not a bug … it’s just really difficult to figure out what’s needed 
At least if you’re not some kind of info.plist wizard, something I hope not to become
<plist version="1.0">
<dict>
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
</dict>
</plist>
In the Custom Plist box is all you need to disable apples sensible security requirements and go shooting yourself in the foot with unencrypted connections…
Now I can go back to my even less favourite task of making an installer.