[Webkit-unassigned] [Bug 51599] The web process uses its own credential storage

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Dec 24 16:26:07 PST 2010


https://bugs.webkit.org/show_bug.cgi?id=51599

--- Comment #11 from mitz at webkit.org  2010-12-24 16:26:07 PST ---
(In reply to comment #10)
> > The default credential store is global, but different clients have access to different credentials.
> 
> How does this work? I've always been thinking that unsigned apps didn't have access to passwords unless the user approved, but there wasn't any compartmentalization.

Keychain items have access control lists.

> 
> I've just verified that a test app sees all credentials in keychain, but calling -[NSURLCredential password] resulted in a confirmation dialog.

The access control list applies to the secret, not other parts of the keychain item.

> > So the first request is made without credentials, an authentication challenge is issued, and then the credential storage is populated with a default credential, which is used in subsequent requests?
> 
> Yes, that's correct.
> 
> > I think the above code’s interpretation of shouldUseCredentialStorage may need to be corrected.
> 
> Do you have a specific suggestion?
> 
> WebCore credential storage isn't properly maintained when the client says that it shouldn't be used, even though it's sometimes written to.

I will probably need to know more about what that function is trying to do and the expected lifetime of the default credential once it’s entered into the store. In particular, if it is expected to persist across closing all WKViews in an app (which terminates the web process), then it should probably be managed by the UI process.

> > > I'm surprised if this patch didn't break default credential tests. Are those disabled for WebKit2?
> > Strange. If this in fact broke something, please file a new bug.
> 
> I expected you to check that, as the person who made this change. I'm still not convinced that this patch's general direction is right. If you don't have the time to keep working on this, perhaps it should be rolled out?

I will see what I can find out using the tests you listed below!

> 
> In fact, our basic-auth-default test is currently disabled with a bogus comment:
> 
> # WebKit2 needs to support authentication
> http/tests/appcache/auth.html
> http/tests/security/credentials-in-referer.html
> http/tests/xmlhttprequest/basic-auth.html
> http/tests/xmlhttprequest/basic-auth-default.html
> http/tests/xmlhttprequest/logout.html
> http/tests/xmlhttprequest/re-login-async.html
