[Webkit-unassigned] [Bug 162906] [SOUP] Remove SSLPolicyFlags from SoupNetworkSession
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Sat Nov 5 04:16:59 PDT 2016
https://bugs.webkit.org/show_bug.cgi?id=162906
--- Comment #6 from Ihor Ivlev <ivlev.igor at gmail.com> ---
(In reply to comment #5)
> (In reply to comment #4)
> > Hi Carlos,
> >
> > this patch is setting SOUP_SESSION_SSL_STRICT to FALSE in constructor and
> > removing setSSLPolicy, so is it possible for a user to set it back to TRUE
> > later?
> > If not, does it look like a security issue?
> >
> > Thanks!
>
> What user do you mean? All users of that API (GTK+ and EFL ports) were
> setting setSSLPolicy(SoupNetworkSession::SSLUseSystemCAFile); which sets
> SOUP_SESSION_SSL_STRICT to FALSE. There isn't any change in behavior in this
> patch. WE have always set that to FALSE, because we handle SSL errors
> ourselves in ResourceHandleSoup/NetworkDataTaskSoup. Loads will fail with an
> error in case of SSL errors even if SOUP_SESSION_SSL_STRICT is set to FALSE.
Thank you for the explanation, sorry I didn't realize we're handling ssl errors in ResourceHandleSoup/NetworkDataTaskSoup.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20161105/92ba39e6/attachment.html>
More information about the webkit-unassigned
mailing list