[Webkit-unassigned] [Bug 204736] [GTK] Allows visiting webpages that use HSTS despite certificate verification failure?

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Dec 17 01:10:01 PST 2019


https://bugs.webkit.org/show_bug.cgi?id=204736

--- Comment #10 from Claudio Saavedra <csaavedra at igalia.com> ---
(In reply to Michael Catanzaro from comment #9)
> (In reply to Claudio Saavedra from comment #7) 
> > I wonder if you could use WebKitWebsiteDataManager to fetch the HSTS data
> > for the site in question. If there is HSTS data you probably want to
> > disallow continuing. This implies checking for every site that fails to load
> > with an SSL error, I guess, so it might not be ideal.
> 
> Hm, maybe a good idea... that might even be the ideal solution.
> 
> Let's do the check at the WebKit level, though. Can't expect dozens of
> different applications to do such a check.

Sure, makes sense. What would the API look like though?

> (In reply to Carlos Garcia Campos from comment #1)
> > hsts-enforced signal is not emitted for that url. Both ff and chromium allow
> > you to accept the risk and continue.
> 
> Huh. So Claudio tested Chrome and found you can't continue. I just tested
> Firefox, and was also unable to continue. Could you have typed the URL
> wrong? It is: http://suddomain.preloaded-hsts.badssl.com/
> 
> I checked Epiphany again just now and found the continue button is actually
> broken. It tries to *download* the page as a resource and fails with "Error
> downloading: Misdirected Request" which sounds like an artifact of using a
> redirect to switch from http:// -> https://. I'm not sure if I tried this
> before, or perhaps I just saw the button and assumed it worked.

Here the button was not doing anything. Then I restarted ephy and now the page is actually loaded as if there were no HSTS in place at all. Not sure why the behavior is inconsistent, but in this bug I would focus on the API for the above.

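The check proposed in the comment above (look up the HSTS state for the host whose certificate verification failed and refuse the "continue" override when an entry applies), as an added example that is not WebKit's or Epiphany's code and does not call WebKitWebsiteDataManager or any other WebKitGTK API: a stand-alone Python model of the decision, with a constructed in-memory store standing in for the engine's HSTS storage. The matching rules follow RFC 6797 (section 8.2: an exact match, or a superdomain match only when that superdomain's entry has includeSubDomains; section 8.4: a transport error on a known HSTS host is fatal with no user recourse). All host names, expiry times and the preload flag in the sample store are constructed for the example.

```python
"""Model of an HSTS-aware "allow TLS error bypass?" check.

Constructed example; not WebKit code. The store below stands in for the
browser engine's HSTS storage (dynamic entries plus a preload list).
"""
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class HstsEntry:
    expiry: float            # unix time after which a dynamic entry lapses
    include_subdomains: bool  # the includeSubDomains directive was present
    preloaded: bool = False   # preload-list entries never expire


# Constructed sample store. Keys are lowercase host names without a
# trailing dot. Values and hosts are illustrative only.
NOW = 1_700_000_000.0
SAMPLE_STORE = {
    "preloaded-hsts.badssl.com": HstsEntry(
        expiry=float("inf"), include_subdomains=True, preloaded=True),
    "example.test": HstsEntry(expiry=NOW + 3600, include_subdomains=False),
    "stale.test": HstsEntry(expiry=NOW - 1, include_subdomains=True),
}


def normalize_host(host: str) -> str:
    """Lowercase and drop a trailing dot so lookups are canonical."""
    return host.rstrip(".").lower()


def hsts_entry_for(host: str, store: dict, now: float):
    """Return the HstsEntry that applies to host, or None.

    RFC 6797 section 8.2: walk from the full name to each superdomain.
    The full name matches on its own; a superdomain only matches when its
    entry carries includeSubDomains. Expired dynamic entries are ignored;
    preloaded entries are treated as never expiring.
    """
    labels = normalize_host(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        entry = store.get(candidate)
        if entry is None:
            continue
        if not entry.preloaded and entry.expiry <= now:
            continue  # lapsed dynamic entry no longer protects the host
        if i == 0 or entry.include_subdomains:
            return entry
        # superdomain entry without includeSubDomains: keep walking up
    return None


def should_allow_tls_error_bypass(host: str, store: dict, now=None) -> bool:
    """Decide whether the UI may offer a "continue anyway" button.

    RFC 6797 section 8.4: for a known HSTS host any secure-transport error
    is fatal and the user must not be given a way to proceed. For every
    other host the existing "accept the risk" flow may be offered.
    """
    if now is None:
        now = time.time()
    return hsts_entry_for(host, store, now) is None


if __name__ == "__main__":
    for h in ("sub.preloaded-hsts.badssl.com", "www.example.test",
              "example.test", "a.stale.test", "unknown.test"):
        verdict = "offer bypass" if should_allow_tls_error_bypass(
            h, SAMPLE_STORE, NOW) else "no bypass (HSTS host)"
        print(f"{h}: {verdict}")
```

Note that the walk continues past a superdomain whose entry lacks includeSubDomains, so a host under such a domain can still be covered by a higher superdomain that does set it; that is where a naive "first entry found wins" lookup would wrongly offer the bypass.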