[webkit-reviews] review denied: [Bug 191447] Web Inspector: Network: show secure certificate details per-request : [Attachment 354360] Patch
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri Nov 9 13:22:32 PST 2018
Joseph Pecoraro <joepeck at webkit.org> has denied Devin Rousso
<drousso at apple.com>'s request for review:
Bug 191447: Web Inspector: Network: show secure certificate details per-request
https://bugs.webkit.org/show_bug.cgi?id=191447
Attachment 354360: Patch
https://bugs.webkit.org/attachment.cgi?id=354360&action=review
--- Comment #9 from Joseph Pecoraro <joepeck at webkit.org> ---
Comment on attachment 354360
--> https://bugs.webkit.org/attachment.cgi?id=354360
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=354360&action=review
Overall this looks good to me. I'll just want to see an updated patch.
> Source/JavaScriptCore/inspector/protocol/Security.json:8
> + "description": "Security information for the request.",
This description is poor.
> Source/JavaScriptCore/inspector/protocol/Security.json:11
> + { "name": "created", "type": "number", "optional": true },
Is this really a `created` date or the valid start date?
Given these are seconds since epoch, shouldn't these be $ref of
"Network.Walltime"?
> Source/JavaScriptCore/inspector/protocol/Security.json:14
> + { "name": "ipAddresses", "type": "array", "items": { "type":
"string" }, "optional": true }
Could this get a description. What are these ip addresses? Specific hosts the
certificate is limited to?
> Source/WebCore/loader/ResourceLoader.h:130
> + WEBCORE_EXPORT bool shouldIncludeCertificateInfo() const;
Was the WEBCORE_EXPORT needed? I only see uses in WebCore.
> Source/WebCore/platform/network/CertificateInfoBase.h:37
> + bool containsNonRootSHA1SignedCertificate() const { return false; }
Should all of these methods be virtual? Otherwise, how do these call down into
the sub-class implementations?
> Source/WebCore/platform/network/mac/CertificateInfoMac.mm:108
> + auto firstCertificate =
checked_cf_cast<SecCertificateRef>(CFArrayGetValueAtIndex(chain, 0));
Perhaps we should name this `leafCertificate`.
> Source/WebInspectorUI/UserInterface/Views/ResourceSecurityContentView.css:31
> + color: var(--network-dns-color);
How does this look in dark mode? Is it readable?
> Source/WebInspectorUI/UserInterface/Views/ResourceSecurityContentView.js:66
> + let hasInsecureScheme = this._resource.urlComponents.scheme !==
"https" && this._resource.urlComponents.scheme !== "wss" &&
this._resource.urlComponents.scheme !== "sftp";
This seems like it could be a helper somewhere. If generalized I wonder if we
should also `data:` as secure even if it shouldn't be reached here.
> Source/WebInspectorUI/UserInterface/Views/ResourceSecurityContentView.js:72
> + if (hasInsecureConnectionTiming || hasInsecureScheme) {
> + if (!this._insecureMessageElement)
> + this._insecureMessageElement =
WI.createMessageTextView(WI.UIString("The resource was requested insecurely."),
true);
> + this.element.appendChild(this._insecureMessageElement);
> + return;
> + }
Can we get a screenshot of this appearance?
> Source/WebInspectorUI/UserInterface/Views/ResourceSecurityContentView.js:178
> +
this._certificateSection.markIncompleteSectionWithMessage(WI.UIString("No
response security information"));
Normally the incomplete section messages end in a period.
> Source/WebInspectorUI/UserInterface/Views/ResourceSecurityContentView.js:184
> +
this._certificateSection.markIncompleteSectionWithMessage(WI.UIString("No
response security certificate"));
Normally the incomplete section messages end in a period.
> Source/WebInspectorUI/UserInterface/Views/ResourceSecurityContentView.js:190
> + let formatDate = (key, timestamp) => {
Maybe name this `appendFormattedDate`.
> Source/WebInspectorUI/UserInterface/Views/ResourceSecurityContentView.js:203
> + formatDate(WI.UIString("Created"), certificate.created);
> + formatDate(WI.UIString("Expires"), certificate.expires);
I still question if this is "Created".
- Apple's Native UI: "Not Valid Before", "Not Valid After"
- Chrome: "Valid From", "Valid Until"
- Firefox: "Begins On", "Expires On"
We could match the Apple Native UI, but I tend to prefer wording like these:
- "Valid From", "Valid Until"
- "Valid Starting", "Valid Ending"
- "Valid Beginning", "Expires"
> Source/WebInspectorUI/UserInterface/Views/ResourceSecurityContentView.js:205
> + let limitValues = (key, values, className) => {
Maybe name this `appendList`
> LayoutTests/ChangeLog:10
> + *
http/tests/inspector/network/resource-response-security-expected.txt: Added.
> + * http/tests/inspector/network/resource-response-security.html:
Added.
You may need to skip this on other ports, I don't think they will have dates
for example.
More information about the webkit-reviews
mailing list