[Webkit-unassigned] [Bug 51599] The web process uses its own credential storage

bugzilla-daemon at webkit.org
Fri Dec 24 16:11:25 PST 2010


https://bugs.webkit.org/show_bug.cgi?id=51599

--- Comment #10 from Alexey Proskuryakov <ap at webkit.org>  2010-12-24 16:11:25 PST ---
> The default credential store is global, but different clients have access to different credentials.

How does this work? I've always been thinking that unsigned apps didn't have access to passwords unless the user approved, but there wasn't any compartmentalization.

I've just verified that a test app sees all credentials in keychain, but calling -[NSURLCredential password] resulted in a confirmation dialog.

> So the first request is made without credentials, an authentication challenge is issued, and then the credential storage is populated with a default credential, which is used in subsequent requests?

Yes, that's correct.

> I think the above code’s interpretation of shouldUseCredentialStorage may need to be corrected.

Do you have a specific suggestion?

WebCore credential storage isn't properly maintained when the client says that it shouldn't be used, even though it's sometimes written to.

> > I'm surprised if this patch didn't break default credential tests. Are those disabled for WebKit2?
> Strange. If this in fact broke something, please file a new bug.

I expected you to check that, as the person who made this change. I'm still not convinced that this patch's general direction is right. If you don't have the time to keep working on this, perhaps it should be rolled out?

In fact, our basic-auth-default test is currently disabled with a bogus comment:

# WebKit2 needs to support authentication
http/tests/appcache/auth.html
http/tests/security/credentials-in-referer.html
http/tests/xmlhttprequest/basic-auth.html
http/tests/xmlhttprequest/basic-auth-default.html
http/tests/xmlhttprequest/logout.html
http/tests/xmlhttprequest/re-login-async.html
