[Webkit-unassigned] [Bug 162906] [SOUP] Remove SSLPolicyFlags from SoupNetworkSession
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Sat Nov 5 03:59:49 PDT 2016
https://bugs.webkit.org/show_bug.cgi?id=162906
--- Comment #5 from Carlos Garcia Campos <cgarcia at igalia.com> ---
(In reply to comment #4)
> Hi Carlos,
>
> this patch is setting SOUP_SESSION_SSL_STRICT to FALSE in constructor and
> removing setSSLPolicy, so is it possible for a user to set it back to TRUE
> later?
> If not, does it look like a security issue?
>
> Thanks!
What user do you mean? All users of that API (GTK+ and EFL ports) were setting setSSLPolicy(SoupNetworkSession::SSLUseSystemCAFile); which sets SOUP_SESSION_SSL_STRICT to FALSE. There isn't any change in behavior in this patch. WE have always set that to FALSE, because we handle SSL errors ourselves in ResourceHandleSoup/NetworkDataTaskSoup. Loads will fail with an error in case of SSL errors even if SOUP_SESSION_SSL_STRICT is set to FALSE.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20161105/871270ae/attachment.html>
More information about the webkit-unassigned
mailing list