[Webkit-unassigned] [Bug 204736] [GTK] Allows visiting webpages that use HSTS despite certificate verification failure?

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Dec 16 06:29:27 PST 2019


https://bugs.webkit.org/show_bug.cgi?id=204736

Claudio Saavedra <csaavedra at igalia.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |csaavedra at igalia.com

--- Comment #7 from Claudio Saavedra <csaavedra at igalia.com> ---
> Both ff and chromium allow to accept the risk and continue.

I tested here in Chrome and it doesn't allow you. I think we shouldn't allow either.

I wonder if you could use WebKitWebsiteDataManager to fetch the HSTS data for the site in question. If there is HSTS data you probably want to disallow continuing. This implies checking for every site that fails to load with a SSL error, I guess, so it might not be ideal.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20191216/6761e003/attachment.htm>


More information about the webkit-unassigned mailing list