[Webkit-unassigned] [Bug 204736] [GTK] Allows visiting webpages that use HSTS despite certificate verification failure

bugzilla-daemon at webkit.org
Mon Dec 16 05:59:41 PST 2019


https://bugs.webkit.org/show_bug.cgi?id=204736

Michael Catanzaro <mcatanzaro at gnome.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugs.webkit.org/show_bug.cgi?id=203620

--- Comment #4 from Michael Catanzaro <mcatanzaro at gnome.org> ---
To see what happens, we would need to set up a test domain that supports HTTPS but does not redirect to it by default, and which uses an invalid certificate. I thought the badssl.com example would suffice, but as you discovered, I was wrong.

(In reply to Carlos Garcia Campos from comment #3)
> I would need a way to reproduce it, libsoup is cancelling the message in
> case of tls errors according to the code, see
> https://gitlab.gnome.org/GNOME/libsoup/blob/master/libsoup/soup-hsts-enforcer.c#L497

Well heck, I wonder: could this possibly be related to bug #203620? Would be a mighty coincidence if not....
