[Webkit-unassigned] [Bug 204736] [GTK] Allows visiting webpages that use HSTS despite certificate verification failure?
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon Dec 16 06:30:51 PST 2019
https://bugs.webkit.org/show_bug.cgi?id=204736
--- Comment #8 from Claudio Saavedra <csaavedra at igalia.com> ---
(In reply to Claudio Saavedra from comment #7)
> > Both ff and chromium allow to accept the risk and continue.
>
> I tested here in Chrome and it doesn't allow you. I think we shouldn't allow
> either.
>
> I wonder if you could use WebKitWebsiteDataManager to fetch the HSTS data
> for the site in question. If there is HSTS data you probably want to
> disallow continuing. This implies checking for every site that fails to load
> with a SSL error, I guess, so it might not be ideal.
Also because: no matter the reason of the SSL failure, you should forbid continuing if there is HSTS data stored in the browser. So it doesn't matter if it's HSTS that caused the load to be cancelled.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20191216/c1133fce/attachment.htm>
More information about the webkit-unassigned
mailing list