[Webkit-unassigned] [Bug 148744] New: WKWebView should provide SecTrustRef object for main frame

Thu Sep 3 11:28:11 PDT 2015

https://bugs.webkit.org/show_bug.cgi?id=148744

            Bug ID: 148744
           Summary: WKWebView should provide SecTrustRef object for main
                    frame
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: iOS
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit2
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: eugenebut at chromium.org

Created attachment 260499
  --> https://bugs.webkit.org/attachment.cgi?id=260499&action=review
Test App

When loading a page with invalid SSL certificate, WKWebView provides API to make load/no-load decision, where browser can ask if user wants to accept invalid SSL certificate:
|webView:didReceiveAuthenticationChallenge:completionHandler:| and that API provides SecTrustRef object.

Lets assume that user has decided to load the page with invalid certificate. Now browser wants to show Broken Red SSL Lock icon to keep user informed about the risks. 

The only available API that can be used for server's identity verification is | WKWebView.certificateChain |, however having chain is not enough for cert verification and there is no guarantee that manually constructed SecTrustRef will be the same as one provided via |webView:didReceiveAuthenticationChallenge:completionHandler|.

Attached example shows how browser can keep the user informed about the risks by showing warning text.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150903/e72e9dfc/attachment.html>