[Webkit-unassigned] [Bug 204736] [GTK] Allows visiting webpages that use HSTS despite certificate verification failure?

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Dec 16 06:15:58 PST 2019


https://bugs.webkit.org/show_bug.cgi?id=204736

--- Comment #5 from Carlos Garcia Campos <cgarcia at igalia.com> ---
(In reply to Michael Catanzaro from comment #4)
> To see what happens, we would need to set up a test domain that supports
> HTTPS but does not redirect to it by default, and which uses an invalid
> certificate. I thought the badssl.com example would suffice, but as you
> discovered, I was wrong.
> 
> (In reply to Carlos Garcia Campos from comment #3)
> > I would need a way to reproduce it, libsoup is cancelling the message in
> > case of tls errors according to the code, see
> > https://gitlab.gnome.org/GNOME/libsoup/blob/master/libsoup/soup-hsts-enforcer.c#L497
> 
> Well heck, I wonder: could this possibly be related to bug #203620? Would be
> a mighty coincidence if not....

I don't think so; we cancel the message before, when the hsts-enforced signal is emitted, so on message starting it has already been cancelled.
