[Webkit-unassigned] [Bug 146159] New: Check for SHA1 certificates ignores subresources
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri Jun 19 13:29:05 PDT 2015
https://bugs.webkit.org/show_bug.cgi?id=146159
Bug ID: 146159
Summary: Check for SHA1 certificates ignores subresources
Classification: Unclassified
Product: WebKit
Version: 528+ (Nightly build)
Hardware: PC
OS: All
Status: NEW
Severity: Normal
Priority: P2
Component: WebKit2
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mcatanzaro at igalia.com
WebPageProxy::didCommitLoadForFrame decides whether to throw a security warning if the certificate chain includes a SHA1 certificate, but does so only for the main resource. Subresources are ignored. That's not good: the overall security of the page should be determined by the security of the least-secure subresource.
We should probably replace the second parameter to PageLoadState::didCommitLoad (which should only be called for the main resource) with a new PageLoadState member function for this.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150619/d077147e/attachment.html>
More information about the webkit-unassigned
mailing list