[webkit-qt] Fwd: Currently Missing Features with QtWebkit / QNetworkAccessManager

Richard Moore rich at kde.org
Fri Jul 9 13:30:39 PDT 2010


On Thu, Jul 8, 2010 at 11:27 PM, Thiago Macieira
<thiago.macieira at nokia.com> wrote:
> You may add the ability to generate certificates and private keys to the list
> of requirements too.

Good point

>
> What's this DNS pinning?

Ok. The issue is that it's possible to circumvent the same-origin
policy using a malicious DNS server that changes the IP address
associated with a particular name. Since the name is the same, the
request is allowed, but since the DNS server is malicious, the IP
address it resolves to changes. This means you can have a page loaded
from http://safe.com/ that loads resources from http://safe.com/ but
safe.com has changed and now resolves to 192.168.1.1. DNS pinning
means sticking with the same result for the DNS resolution used when
the page was first loaded.

>
> And how about DNSSEC, do you know of any requirements there?

I'm afraid my knowledge of DNSSEC is pretty weak. I'm not aware of any
particular requirements on clients, but that could be my own
ignorance.

Cheers

Rich.



>
> On Thursday 8. July 2010 23.16.48 ext Richard Moore wrote:
>> Forwarding this to you two since you're likely to have feedback on this
>> too.
>>
>> Cheers
>>
>> Rich.
>>
>>
>> ---------- Forwarded message ----------
>> From: Richard Moore <rich at kde.org>
>> Date: Thu, Jul 8, 2010 at 9:20 PM
>> Subject: Currently Missing Features with QtWebkit / QNetworkAccessManager
>> To: webkit-qt at lists.webkit.org
>>
>>
>> These are the issues I'm aware of with the QtWebkit/QNAM combination
>> as a platform for browsers. It's possible that some of these issues
>> are incorrect and are supported somehow I'm not aware of, if so please
>> say so as that would be great! Note, don't take this as a criticism,
>> it's intended more as a way of organising what remains to be done.
>>
>> * No support for OCSP (online certificate status protocol)
>>
>> * No support for SNI (server name indication) see QTBUG-1352
>>
>> * No support for EV certificates
>>
>> * No support for DNS pinning (a way of avoiding DNS rebinding attacks)
>>
>> * Incorrect case-sensitivity in MIME type handling (webkit bug #28654).
>>
>>  This one is waiting on me (or someone else) finding time to write
>> the test cases.
>>
>> Anyone got anything to add to this todo list?
>>
>> Cheers
>>
>> Rich.
>
> --
> Thiago Macieira - thiago.macieira (AT) nokia.com
>  Senior Product Manager - Nokia, Qt Development Frameworks
>     Sandakerveien 116, NO-0402 Oslo, Norway
>
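The pinning behaviour described in the reply above, as an added example that is not part of the original thread and is not Qt or WebKit code. It is a minimal sketch assuming IPv4 only and an injected lookup function; every name in it is hypothetical.

```cpp
#include <cstdint>
#include <cstdio>
#include <functional>
#include <map>
#include <string>
#include <utility>
#include <vector>
// All names here are hypothetical; this is not Qt or WebKit API.
using Lookup = std::function<std::string(const std::string&)>;

// True for loopback, RFC 1918 and link-local IPv4 addresses.
bool isInternal(const std::string& ip) {
    unsigned a, b, c, d; char tail;
    if (std::sscanf(ip.c_str(), "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return false;
    if (a > 255 || b > 255 || c > 255 || d > 255) return false;
    uint32_t v = (a << 24) | (b << 16) | (c << 8) | d;
    return (v >> 24) == 10 || (v >> 24) == 127 || (v >> 20) == 0xAC1 ||
           (v >> 16) == 0xC0A8 || (v >> 16) == 0xA9FE;
}

struct Resolution { std::string address; bool rebindSuspected; };
class PinnedResolver {
public:
    explicit PinnedResolver(Lookup upstream) : upstream_(std::move(upstream)) {}
    // First answer per host is pinned; later answers are only compared, never used.
    Resolution resolve(const std::string& host) {
        std::string fresh = upstream_(host);
        auto it = pins_.find(host);
        if (it == pins_.end()) { pins_[host] = fresh; return {fresh, false}; }
        bool moved = fresh != it->second && isInternal(fresh) && !isInternal(it->second);
        return {it->second, moved};
    }
    void endPageLoad() { pins_.clear(); }  // pins do not outlive the page
private:
    Lookup upstream_;
    std::map<std::string, std::string> pins_;
};
// Constructed scenario: safe.com answers 203.0.113.10 (documentation range)
// on page load, then 192.168.1.1 for a later sub-resource request.
std::vector<Resolution> demo() {
    int calls = 0;
    PinnedResolver r([&calls](const std::string&) {
        return std::string(calls++ == 0 ? "203.0.113.10" : "192.168.1.1");
    });
    return { r.resolve("safe.com"), r.resolve("safe.com") };
}
int main() {
    for (const auto& r : demo()) std::printf("%s suspected=%d\n", r.address.c_str(), r.rebindSuspected);
}
```

Both lookups return the address seen at page load, and the second is flagged because the upstream answer moved from an external to an internal address.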

