[Webkit-unassigned] [Bug 51599] The web process uses its own credential storage

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Dec 24 15:31:30 PST 2010


https://bugs.webkit.org/show_bug.cgi?id=51599





--- Comment #9 from mitz at webkit.org  2010-12-24 15:31:30 PST ---
(In reply to comment #8)
> > For security and correctness. The credentials belong to the client, not to WebKit.
> 
> I'm not sure about that, but I may be missing something. Cookies are global (per OS user), and stored credentials seem to be global, too. What makes them private to the client?

The default credential store is global, but different clients have access to different credentials.

> Maybe Keychain credentials being private to application is how it should be in ideal world, but it doesn't seem to be the case in CFNetwork model.

Regardless of API, that is how things behave on Mac OS X.

> 
> > How can there be a default credential for a protection space if there was never a challenge
> > for that protection space?
> 
> Default credentials work when making requests after the first one (ignoring CFNetwork connection pool and per-connection auth schemes like NTLM for simplicity). So, you authenticate to a Basic protection space once, and then all requests to resources in the same space carry credentials upfront.

So the first request is made without credentials, an authentication challenge is issued, and then the credential storage is populated with a default credential, which is used in subsequent requests?

>     if (shouldUseCredentialStorage && firstRequest().url().protocolInHTTPFamily()) {
>         if (d->m_user.isEmpty() && d->m_pass.isEmpty()) {
>             // <rdar://problem/7174050> - For URLs that match the paths of those previously challenged for HTTP Basic authentication, 
>             // try and reuse the credential preemptively, as allowed by RFC 2617.
>             d->m_initialCredential = CredentialStorage::get(firstRequest().url());
> 
> Note that WebCore credential storage isn't consulted for default credentials if shouldUseCredentialStorage is false (of course).

I think the above code’s interpretation of shouldUseCredentialStorage may need to be corrected.

> I'm surprised if this patch didn't break default credential tests. Are those disabled for WebKit2?

Strange. If this in fact broke something, please file a new bug.

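To make the two lookups debated above concrete, here is an added, self-contained model of a credential store; it is example code written for this page, not WebCore's CredentialStorage or CFNetwork's implementation. It keeps one map keyed by protection space (host, port, realm), populated only after a challenge has been answered, and a second map keyed by origin plus directory path that allows a previously challenged HTTP Basic credential to be sent preemptively for resources under the same path, as RFC 2617 section 2 permits. The `initialCredential` function mirrors the decision in the quoted snippet: explicit URL credentials win, otherwise the store is consulted only when `shouldUseCredentialStorage` is true and the URL is in the HTTP family. The URL parser, the `isBasic` flag and the field layout of `ProtectionSpace` are simplifying assumptions; the real code keys the path default on the challenge's authentication scheme and NTLM-style per-connection schemes are deliberately left out.

```cpp
#include <cassert>
#include <map>
#include <optional>
#include <string>
#include <tuple>

// Added example, not WebKit code. Field set is an assumption for illustration.
struct ProtectionSpace {
    std::string host;
    int port;
    std::string realm;
    bool operator<(const ProtectionSpace& o) const {
        return std::tie(host, port, realm) < std::tie(o.host, o.port, o.realm);
    }
};

struct Credential {
    std::string user;
    std::string password;
    bool isEmpty() const { return user.empty() && password.empty(); }
};

// Minimal parser for "http[s]://host[:port]/path" (assumed simplified syntax).
struct ParsedURL {
    bool httpFamily = false;
    std::string originKey;  // "host:port"
    std::string path;       // always starts with '/'
};

static ParsedURL parseURL(const std::string& url) {
    ParsedURL p;
    std::string rest;
    int defaultPort = 0;
    if (url.rfind("http://", 0) == 0) { rest = url.substr(7); defaultPort = 80; }
    else if (url.rfind("https://", 0) == 0) { rest = url.substr(8); defaultPort = 443; }
    else return p;  // non-HTTP scheme: never eligible for a stored default
    p.httpFamily = true;
    size_t slash = rest.find('/');
    std::string authority = rest.substr(0, slash);
    p.path = slash == std::string::npos ? "/" : rest.substr(slash);
    size_t colon = authority.find(':');
    std::string host = authority.substr(0, colon);
    int port = colon == std::string::npos ? defaultPort : std::stoi(authority.substr(colon + 1));
    p.originKey = host + ":" + std::to_string(port);
    return p;
}

// Directory part of a path: everything up to and including the last '/'.
static std::string directoryOf(const std::string& path) {
    return path.substr(0, path.rfind('/') + 1);
}

class CredentialStorage {
public:
    // Record the credential that successfully answered a challenge for `space`
    // raised by a request to `url`. Only Basic gets a path-keyed default, since
    // only Basic can be replayed on a later request without a fresh challenge.
    void set(const Credential& c, const ProtectionSpace& space, bool isBasic, const std::string& url) {
        m_bySpace[space] = c;
        if (!isBasic) return;
        ParsedURL p = parseURL(url);
        if (!p.httpFamily) return;
        m_pathDefaults[p.originKey + directoryOf(p.path)] = c;
    }

    // Lookup used when answering a challenge.
    std::optional<Credential> get(const ProtectionSpace& space) const {
        auto it = m_bySpace.find(space);
        if (it == m_bySpace.end()) return std::nullopt;
        return it->second;
    }

    // Preemptive lookup: longest stored directory prefix under the same origin.
    // Host and port are part of the key, so a default never leaks across origins.
    std::optional<Credential> get(const std::string& url) const {
        ParsedURL p = parseURL(url);
        if (!p.httpFamily) return std::nullopt;
        std::string dir = directoryOf(p.path);
        for (;;) {
            auto it = m_pathDefaults.find(p.originKey + dir);
            if (it != m_pathDefaults.end()) return it->second;
            if (dir == "/") return std::nullopt;
            dir = directoryOf(dir.substr(0, dir.size() - 1));  // "/a/b/" -> "/a/"
        }
    }

private:
    std::map<ProtectionSpace, Credential> m_bySpace;
    std::map<std::string, Credential> m_pathDefaults;
};

// Mirrors the quoted snippet: URL-embedded credentials win; the store is only
// consulted for HTTP-family URLs and only when the client allowed it.
static std::optional<Credential> initialCredential(const CredentialStorage& storage,
                                                   bool shouldUseCredentialStorage,
                                                   const std::string& url,
                                                   const Credential& urlCredential) {
    if (!urlCredential.isEmpty()) return urlCredential;
    if (shouldUseCredentialStorage && parseURL(url).httpFamily) return storage.get(url);
    return std::nullopt;
}

int main() {
    CredentialStorage s;
    s.set({"alice", "s3cret"}, {"example.com", 80, "admin"}, true, "http://example.com/admin/index.html");
    assert(initialCredential(s, true, "http://example.com/admin/reports/q4.html", {})->user == "alice");
    assert(!initialCredential(s, false, "http://example.com/admin/reports/q4.html", {}));
    return 0;
}
```

Two behaviours worth noting: before any challenge has been answered, `get(url)` returns nothing, which is the point raised in the comment about where a default could come from; and because the path map is keyed on origin plus directory, a credential stored for `/admin/` on one host is not offered for `/admin/` on another host or port.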