[webkit-dev] Question on porting webkit to webkit2

Michael Catanzaro mcatanzaro at igalia.com
Wed Jan 31 13:23:28 PST 2018


In the future, please use webkit-gtk at lists.webkit.org instead.

On Wed, Jan 31, 2018 at 12:05 PM, Ben Greear <greearb at candelatech.com> 
> I am unsure how to port this part....any ideas?
>         SoupSession *s;
> 	s = webkit_web_context_get_default_session();
> 	g_object_set(G_OBJECT(s), "ssl-ca-file",
> 		     "/etc/ssl/certs/ca-certificates.crt", NULL);
> 	g_object_set(G_OBJECT(s), "ssl-strict", FALSE, NULL);

Good news: you can just remove that code. Modern WebKitGTK+ 
automatically verifies TLS certificates using the system trust.

The old version of WebKitGTK+ you were using before did not perform any 
certificate verification at all, so you had to grab the SoupSession and 
try to do it manually. That's not possible anymore, because the 
SoupSession lives in the network process, so WebKit must do it for you.

One concern: I see you were setting ssl-strict to FALSE. That means 
libsoup would accept all certificates, and you must have some code 
elsewhere in your application to manually verify the certificates. Most 
applications got this wrong, either by not doing it at all, or by doing 
it too late, after sending an HTTP request. (It has to happen before 
the first HTTP request is sent, or your application will leak e.g. 
secure session cookies to any attacker.)


More information about the webkit-dev mailing list