[Webkit-unassigned] [Bug 204736] [GTK] Allows visiting webpages that use HSTS despite certificate verification failure
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon Dec 16 05:44:40 PST 2019
https://bugs.webkit.org/show_bug.cgi?id=204736
Michael Catanzaro <mcatanzaro at gnome.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |mcatanzaro at gnome.org
--- Comment #2 from Michael Catanzaro <mcatanzaro at gnome.org> ---
Ah OK, it's not enforced for subdomains? I understand. Should have checked with Firefox or Chrome first.
So even though it's a bad example, point remains: Ephy has no code to handle HSTS error differently than a normal certificate verification failure. If WebKit fires load-failed-with-tls-errors, then Ephy is guaranteed to do the wrong thing. WebKit would have to use normal load-failed and present a network error for this to work, which might be an OK solution, but still a bit odd given that there were actually TLS errors. So what actually happens? And do we have any tests?
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20191216/a62a37d2/attachment.htm>
More information about the webkit-unassigned
mailing list