[Webkit-unassigned] [Bug 204736] [GTK] Allows visiting webpages that use HSTS despite certificate verification failure?
bugzilla-daemon at webkit.org
Tue Dec 17 02:02:33 PST 2019
https://bugs.webkit.org/show_bug.cgi?id=204736
--- Comment #12 from Carlos Garcia Campos <cgarcia at igalia.com> ---
(In reply to Michael Catanzaro from comment #9)
> (In reply to Claudio Saavedra from comment #7)
> > I wonder if you could use WebKitWebsiteDataManager to fetch the HSTS data
> > for the site in question. If there is HSTS data you probably want to
> > disallow continuing. This implies checking for every site that fails to load
> > with a SSL error, I guess, so it might not be ideal.
>
> Hm, maybe a good idea... that might even be the ideal solution.
>
> Let's do the check at the WebKit level, though. Can't expect dozens of
> different applications to do such a check.
>
> (In reply to Carlos Garcia Campos from comment #1)
> > hsts-enforced signal is not emitted for that url. Both ff and chromium allow
> > to accept the risk and continue.
>
> Huh. So Claudio tested Chrome and found you can't continue. I just tested
> Firefox, and was also unable to continue. Could you have typed the URL
> wrong? It is: http://suddomain.preloaded-hsts.badssl.com/

I've copy-pasted it in both ff and chromium, and in both cases I can click on the advanced button and then proceed. The end result is a 404, though.

> I checked Epiphany again just now and found the continue button is actually
> broken. It tries to *download* the page as a resource and fails with "Error
> downloading: Misdirected Request" which sounds like an artifact of using a
> redirect to switch from http:// -> https://. I'm not sure if I tried this
> before, or perhaps I just saw the button and assumed it worked.

Yes, that happens here too, but not in MiniBrowser.