<title>[265936] branches/safari-610.1.28.0-branch</title>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/265936">265936</a></dd>
<dt>Author</dt> <dd>repstein@apple.com</dd>
<dt>Date</dt> <dd>2020-08-19 23:26:46 -0700 (Wed, 19 Aug 2020)</dd>
</dl>

<h3>Log Message</h3>
<pre>Cherry-pick <a href="http://trac.webkit.org/projects/webkit/changeset/265835">r265835</a>. rdar://problem/67364266

    WKWebViews using fastServerTrustEvaluationEnabled should only allow legacy TLS for main resource loads
    https://bugs.webkit.org/show_bug.cgi?id=215626
    <rdar://problem/67268892>

    Patch by Alex Christensen <achristensen@webkit.org> on 2020-08-18
    Reviewed by Darin Adler.

    Source/WebKit:

    We have introduced public API webView:authenticationChallenge:shouldAllowDeprecatedTLS: in WKNavigationDelegate to allow
    applications to choose whether to allow TLS 1.0 or 1.1 connections.  We don't want to break this API or break existing third party
    apps that load pages that load third party subresources that use TLS 1.0 or 1.1.

    However, we do want Safari, which uses fastServerTrustEvaluationEnabled SPI, to silently fail subresource loads that use TLS 1.0 or 1.1.
    This matches the current behavior of Chrome and Firefox; that behavior had not yet been implemented in those browsers when we originally decided to prompt for subresources as well.

    Covered by an API test.

    * NetworkProcess/cocoa/NetworkSessionCocoa.mm:
    (WebKit::NetworkSessionCocoa::continueDidReceiveChallenge):

    Tools:

    * TestWebKitAPI/Tests/WebKitCocoa/TLSDeprecation.mm:
    (TestWebKitAPI::TEST):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@265835 268f45cc-cd09-0410-ab3c-d52691b4dbfc</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#branchessafari6101280branchSourceWebKitChangeLog">branches/safari-610.1.28.0-branch/Source/WebKit/ChangeLog</a></li>
<li><a href="#branchessafari6101280branchSourceWebKitNetworkProcesscocoaNetworkSessionCocoamm">branches/safari-610.1.28.0-branch/Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm</a></li>
<li><a href="#branchessafari6101280branchToolsChangeLog">branches/safari-610.1.28.0-branch/Tools/ChangeLog</a></li>
<li><a href="#branchessafari6101280branchToolsTestWebKitAPITestsWebKitCocoaTLSDeprecationmm">branches/safari-610.1.28.0-branch/Tools/TestWebKitAPI/Tests/WebKitCocoa/TLSDeprecation.mm</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
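--- a/branches/safari-610.1.28.0-branch/Source/WebKit/ChangeLog
+++ b/branches/safari-610.1.28.0-branch/Source/WebKit/ChangeLog
@@ -1,5 +1,57 @@
 2020-08-19  Russell Epstein  <repstein@apple.com>
 
+        Cherry-pick r265835. rdar://problem/67364266
+
+    WKWebViews using fastServerTrustEvaluationEnabled should only allow legacy TLS for main resource loads
+    https://bugs.webkit.org/show_bug.cgi?id=215626
+    <rdar://problem/67268892>
+    
+    Patch by Alex Christensen <achristensen@webkit.org> on 2020-08-18
+    Reviewed by Darin Adler.
+    
+    Source/WebKit:
+    
+    We have introduced public API webView:authenticationChallenge:shouldAllowDeprecatedTLS: in WKNavigationDelegate to allow
+    applications to choose whether to allow TLS 1.0 or 1.1 connections.  We don't want to break this API or break existing third party
+    apps that load pages that load third party subresources that use TLS 1.0 or 1.1.
+    
+    However, we do want Safari, which uses fastServerTrustEvaluationEnabled SPI, to silently fail subresource loads that use TLS 1.0 or 1.1.
+    This matches the current behavior of Chrome and Firefox, which was not implemented in those other browsers when we decided to ask about subresources.
+    
+    Covered by an API test.
+    
+    * NetworkProcess/cocoa/NetworkSessionCocoa.mm:
+    (WebKit::NetworkSessionCocoa::continueDidReceiveChallenge):
+    
+    Tools:
+    
+    * TestWebKitAPI/Tests/WebKitCocoa/TLSDeprecation.mm:
+    (TestWebKitAPI::TEST):
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@265835 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2020-08-18  Alex Christensen  <achristensen@webkit.org>
+
+            WKWebViews using fastServerTrustEvaluationEnabled should only allow legacy TLS for main resource loads
+            https://bugs.webkit.org/show_bug.cgi?id=215626
+            <rdar://problem/67268892>
+
+            Reviewed by Darin Adler.
+
+            We have introduced public API webView:authenticationChallenge:shouldAllowDeprecatedTLS: in WKNavigationDelegate to allow
+            applications to choose whether to allow TLS 1.0 or 1.1 connections.  We don't want to break this API or break existing third party
+            apps that load pages that load third party subresources that use TLS 1.0 or 1.1.
+
+            However, we do want Safari, which uses fastServerTrustEvaluationEnabled SPI, to silently fail subresource loads that use TLS 1.0 or 1.1.
+            This matches the current behavior of Chrome and Firefox, which was not implemented in those other browsers when we decided to ask about subresources.
+
+            Covered by an API test.
+
+            * NetworkProcess/cocoa/NetworkSessionCocoa.mm:
+            (WebKit::NetworkSessionCocoa::continueDidReceiveChallenge):
+
+2020-08-19  Russell Epstein  <repstein@apple.com>
+
         Cherry-pick r265882. rdar://problem/67439284
 
     REGRESSION (r261407): Sharing rich links from Twitter/Netflix via Messages is unreliable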
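--- a/branches/safari-610.1.28.0-branch/Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm
+++ b/branches/safari-610.1.28.0-branch/Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm
@@ -1546,6 +1546,12 @@
 #endif
         completionHandler(disposition, credential);
     };
+
+    if (negotiatedLegacyTLS == NegotiatedLegacyTLS::Yes
+        && fastServerTrustEvaluationEnabled()
+        && !networkDataTask->isTopLevelNavigation())
+        return completionHandler(AuthenticationChallengeDisposition::Cancel, { });
+
     networkDataTask->didReceiveChallenge(WTFMove(authenticationChallenge), negotiatedLegacyTLS, WTFMove(challengeCompletionHandler));
 }
 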
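Review bot: The early return on the fourth added line calls `completionHandler` directly rather than the `challengeCompletionHandler` wrapper whose tail closes at the top of the hunk, so whatever that wrapper does before forwarding (the part under the `#if` that ends at the first context line) is skipped for cancelled legacy-TLS subresource challenges. If the wrapper captured `completionHandler` with `WTFMove`, as is usual for WebKit's move-only CompletionHandler, the direct call would also run on a moved-from handler; the capture list lies outside the hunk, so please confirm before landing on the branch. Routing the cancel through the same wrapper keeps both paths consistent: `return challengeCompletionHandler(AuthenticationChallengeDisposition::Cancel, { });`. A short comment on the policy would also help future readers, e.g. `// With fast server-trust evaluation (Safari), TLS 1.0/1.1 is silently refused for anything but a top-level navigation; only main-resource loads reach the shouldAllowDeprecatedTLS delegate.`. The enclosing continueDidReceiveChallenge begins outside the hunk.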
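--- a/branches/safari-610.1.28.0-branch/Tools/ChangeLog
+++ b/branches/safari-610.1.28.0-branch/Tools/ChangeLog
@@ -1,3 +1,46 @@
+2020-08-19  Russell Epstein  <repstein@apple.com>
+
+        Cherry-pick r265835. rdar://problem/67364266
+
+    WKWebViews using fastServerTrustEvaluationEnabled should only allow legacy TLS for main resource loads
+    https://bugs.webkit.org/show_bug.cgi?id=215626
+    <rdar://problem/67268892>
+    
+    Patch by Alex Christensen <achristensen@webkit.org> on 2020-08-18
+    Reviewed by Darin Adler.
+    
+    Source/WebKit:
+    
+    We have introduced public API webView:authenticationChallenge:shouldAllowDeprecatedTLS: in WKNavigationDelegate to allow
+    applications to choose whether to allow TLS 1.0 or 1.1 connections.  We don't want to break this API or break existing third party
+    apps that load pages that load third party subresources that use TLS 1.0 or 1.1.
+    
+    However, we do want Safari, which uses fastServerTrustEvaluationEnabled SPI, to silently fail subresource loads that use TLS 1.0 or 1.1.
+    This matches the current behavior of Chrome and Firefox, which was not implemented in those other browsers when we decided to ask about subresources.
+    
+    Covered by an API test.
+    
+    * NetworkProcess/cocoa/NetworkSessionCocoa.mm:
+    (WebKit::NetworkSessionCocoa::continueDidReceiveChallenge):
+    
+    Tools:
+    
+    * TestWebKitAPI/Tests/WebKitCocoa/TLSDeprecation.mm:
+    (TestWebKitAPI::TEST):
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@265835 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2020-08-18  Alex Christensen  <achristensen@webkit.org>
+
+            WKWebViews using fastServerTrustEvaluationEnabled should only allow legacy TLS for main resource loads
+            https://bugs.webkit.org/show_bug.cgi?id=215626
+            <rdar://problem/67268892>
+
+            Reviewed by Darin Adler.
+
+            * TestWebKitAPI/Tests/WebKitCocoa/TLSDeprecation.mm:
+            (TestWebKitAPI::TEST):
+
 2020-08-19  Alan Coon  <alancoon@apple.com>
 
         Revert r265835. rdar://problem/67364266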
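--- a/branches/safari-610.1.28.0-branch/Tools/TestWebKitAPI/Tests/WebKitCocoa/TLSDeprecation.mm
+++ b/branches/safari-610.1.28.0-branch/Tools/TestWebKitAPI/Tests/WebKitCocoa/TLSDeprecation.mm
@@ -460,6 +460,43 @@
     EXPECT_FALSE([webView hasOnlySecureContent]);
 }
 
+TEST(TLSVersion, LegacySubresources)
+{
+    HTTPServer legacyServer({
+        { "/frame", { "shouldn't load with fastServerTrustEvaluationEnabled" }}
+    }, HTTPServer::Protocol::HttpsWithLegacyTLS);
+
+    HTTPServer modernServer({
+        { "/", { makeString("<iframe src='https://127.0.0.1:", legacyServer.port(), "/frame'/>") }}
+    }, HTTPServer::Protocol::Https);
+
+    auto dataStoreConfiguration = [[[_WKWebsiteDataStoreConfiguration alloc] initNonPersistentConfiguration] autorelease];
+    dataStoreConfiguration.fastServerTrustEvaluationEnabled = YES;
+    auto webViewConfiguration = [[WKWebViewConfiguration new] autorelease];
+    webViewConfiguration.websiteDataStore = [[[WKWebsiteDataStore alloc] _initWithConfiguration:dataStoreConfiguration] autorelease];
+    auto webView = [[[WKWebView alloc] initWithFrame:NSMakeRect(0, 0, 800, 600) configuration:webViewConfiguration] autorelease];
+
+    auto delegate = [[TestNavigationDelegate new] autorelease];
+    [delegate setDidReceiveAuthenticationChallenge:^(WKWebView *, NSURLAuthenticationChallenge *challenge, void (^callback)(NSURLSessionAuthChallengeDisposition, NSURLCredential *)) {
+        EXPECT_WK_STREQ(challenge.protectionSpace.authenticationMethod, NSURLAuthenticationMethodServerTrust);
+        callback(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
+    }];
+    [webView setNavigationDelegate:delegate];
+
+    [webView loadRequest:modernServer.request()];
+    [delegate waitForDidFinishNavigation];
+
+    EXPECT_EQ(legacyServer.totalRequests(), 0u);
+    EXPECT_EQ(modernServer.totalRequests(), 1u);
+
+    auto defaultWebView = [[WKWebView new] autorelease];
+    [defaultWebView setNavigationDelegate:delegate];
+    [defaultWebView loadRequest:modernServer.request()];
+    [delegate waitForDidFinishNavigation];
+    EXPECT_EQ(legacyServer.totalRequests(), 1u);
+    EXPECT_EQ(modernServer.totalRequests(), 2u);
+}
+
 #endif // HAVE(NETWORK_FRAMEWORK) && HAVE(TLS_PROTOCOL_VERSION_T)
 
 }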
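Review bot: The `defaultWebView` half of the test relies on a stock WKWebView, with neither `fastServerTrustEvaluationEnabled` nor a `shouldAllowDeprecatedTLS:` delegate override, still fetching the legacy-TLS iframe, but nothing in the test says so, which makes the jump from `0u` to `1u` on `legacyServer.totalRequests()` read like a typo. A comment above that block would fix it: `// Without fastServerTrustEvaluationEnabled the legacy-TLS subresource is still allowed, so the default view must reach legacyServer exactly once.`. The shared delegate block also accepts every server trust via `credentialForTrust:` and only checks the challenge is a server-trust challenge; that is appropriate for the test's self-signed servers but worth a `// test-only: trust any certificate` note so it is not copied as a template.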