[Webkit-unassigned] [Bug 204736] New: [GTK] Allows visiting webpages that use HSTS despite certificate verification failure
bugzilla-daemon at webkit.org
Sun Dec 1 17:21:55 PST 2019
https://bugs.webkit.org/show_bug.cgi?id=204736
Bug ID: 204736
Summary: [GTK] Allows visiting webpages that use HSTS despite certificate verification failure
Product: WebKit
Version: WebKit Nightly Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: WebKitGTK
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mcatanzaro at gnome.org
CC: bugs-noreply at webkitgtk.org
Created attachment 384587
--> https://bugs.webkit.org/attachment.cgi?id=384587&action=review
screenshot
See attached screenshot: I can visit this website that uses HSTS even though certificate verification has failed, by using the Accept Risk button. This violates the HSTS spec, as the user agent should not allow ignoring the verification failure.
It cannot be solved at the Epiphany level because Epiphany doesn't know HSTS is in use. WebKit fires WebKitWebView::load-failed-with-tls-errors and provides the GTlsCertificate and GTlsCertificateFlags. That's it. So WebKit should either add some sort of API to allow implementing the spec properly, or otherwise return a different error here instead, e.g. a network error rather than load-failed-with-tls-errors. (A new API would allow for nicer UI than a network error.)
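The spec rule this report relies on, shown as an added illustration (not code from WebKit or Epiphany, and not using the WebKitGTK API): a minimal RFC 6797 known-host store with the "no user recourse" decision that an embedder would need WebKit's TLS-error path to respect. All names below are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# One STS directive: name[=value], value optionally quoted (RFC 6797 section 6.1).
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*"?([^";]*)"?)?\s*')

@dataclass
class HstsPolicy:
    expires: float          # absolute expiry, seconds since the epoch
    include_subdomains: bool

class HstsStore:
    """Minimal Known HSTS Host cache; 'now' is passed in so the logic is testable."""
    def __init__(self):
        self._hosts = {}

    def note_header(self, host, header, now):
        """Record an STS header. Section 8.1: the caller passes only headers received
        over a TLS connection that had no certificate errors; returns False if ignored."""
        max_age, include_sub = None, False
        for directive in header.split(';'):
            m = _DIRECTIVE.fullmatch(directive)
            if not m:
                continue
            name, value = m.group(1).lower(), m.group(2)
            if name == 'max-age' and value is not None and value.isdigit():
                max_age = int(value)
            elif name == 'includesubdomains':
                include_sub = True
        if max_age is None:          # max-age is required; ignore the header
            return False
        if max_age == 0:             # max-age=0 deletes the host
            self._hosts.pop(host.lower(), None)
            return True
        self._hosts[host.lower()] = HstsPolicy(now + max_age, include_sub)
        return True

    def is_known(self, host, now):
        """Congruent or superdomain match (section 8.2), ignoring expired entries."""
        labels = host.lower().split('.')
        for i in range(len(labels)):
            policy = self._hosts.get('.'.join(labels[i:]))
            if policy and policy.expires > now and (i == 0 or policy.include_subdomains):
                return True
        return False

def tls_error_overridable(store, host, tls_errors, now):
    """Section 8.4: for a Known HSTS Host a TLS error is fatal, with no user recourse."""
    return not tls_errors or not store.is_known(host, now)
```

The point of the report is the last function: an embedder can only make that decision if the engine tells it whether the host is a Known HSTS Host, or refuses the load itself.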