[Webkit-unassigned] [Bug 204736] [GTK] Allows visiting webpages that use HSTS despite certificate verification failure

bugzilla-daemon at webkit.org
Mon Dec 16 05:44:40 PST 2019


https://bugs.webkit.org/show_bug.cgi?id=204736

Michael Catanzaro <mcatanzaro at gnome.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mcatanzaro at gnome.org

--- Comment #2 from Michael Catanzaro <mcatanzaro at gnome.org> ---
Ah OK, it's not enforced for subdomains? I understand. Should have checked with Firefox or Chrome first.

So even though it's a bad example, point remains: Ephy has no code to handle HSTS error differently than a normal certificate verification failure. If WebKit fires load-failed-with-tls-errors, then Ephy is guaranteed to do the wrong thing. WebKit would have to use normal load-failed and present a network error for this to work, which might be an OK solution, but still a bit odd given that there were actually TLS errors. So what actually happens? And do we have any tests?

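To make the distinction in the comment concrete, here is an added illustration (not Ephy or WebKit code) of the policy a client would need behind a load-failed-with-tls-errors style callback: an in-memory HSTS store built from Strict-Transport-Security headers, host matching that honours includeSubDomains (which is why a subdomain can fall outside an HSTS entry, as noted above), and a hard-fail decision for covered hosts instead of the usual certificate warning. The host names, header values and clock value are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class HstsEntry:
    expires: float            # absolute expiry, seconds since the epoch
    include_subdomains: bool

def parse_sts_header(value: str, now: float) -> Optional[HstsEntry]:
    """Parse a Strict-Transport-Security value (RFC 6797 6.1); None if unusable."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return HstsEntry(expires=now + max_age, include_subdomains=include_sub)

def hsts_applies(store: Dict[str, HstsEntry], host: str, now: float) -> bool:
    """True if host is covered by a live entry, either exactly or through an
    includeSubDomains entry on a parent domain (RFC 6797 8.2 / 8.3)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = store.get(".".join(labels[i:]))
        if entry is None or entry.expires <= now:
            continue                      # unknown or expired: keep climbing
        if i == 0 or entry.include_subdomains:
            return True
    return False

def tls_failure_action(store: Dict[str, HstsEntry], host: str, now: float) -> str:
    """What a load-failed-with-tls-errors style handler should do: an HSTS host
    hard-fails with no click-through; any other host gets the usual warning."""
    return "hard-fail" if hsts_applies(store, host, now) else "prompt-user"

# Constructed sample store and a fixed clock, so the example is deterministic.
NOW = 1_700_000_000.0
STORE = {
    "example.com": parse_sts_header("max-age=31536000", NOW),
    "bank.example": parse_sts_header("max-age=31536000; includeSubDomains", NOW),
}
```

With this store, www.example.com is not an HSTS host because example.com was set without includeSubDomains, while login.bank.example is covered by its parent entry.
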