[Webkit-unassigned] [Bug 204736] [GTK] Allows visiting webpages that use HSTS despite certificate verification failure?

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Dec 18 03:46:10 PST 2019


https://bugs.webkit.org/show_bug.cgi?id=204736

--- Comment #14 from Claudio Saavedra <csaavedra at igalia.com> ---
How would that implementation work?

I'm assuming that what we're doing is that, regardless of the TLS failure, we check whether there's an HSTS policy, in which case we would emit ::load-failed-with-hsts-error. Then if webkit_web_context_allow_tls_certificate_for_host() gets called, we have to check again if there's an HSTS policy and fail/warn/etc about it.

If that's the case, this could work. The key is that we need to check for every TLS failure regardless of what caused it.

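The two checks described in the comment above, as a stand-alone C model added here; it is not part of the original message and is not WebKit code. The policy store, the types and the function names are hypothetical, and refusing the exception on the second check is an assumption (the comment leaves that step as "fail/warn/etc").

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <time.h>

/* Hypothetical model, not WebKit code: one stored HSTS policy per entry. */
typedef struct { const char *host; bool include_subdomains; time_t expires; } HstsPolicy;
typedef enum { SIGNAL_LOAD_FAILED_WITH_TLS_ERRORS, SIGNAL_LOAD_FAILED_WITH_HSTS_ERROR } TlsFailureSignal;

/* Constructed sample store (hosts and expiry times are made up). */
static const HstsPolicy hsts_store[] = {
    { "example.com",  true,  2000000000 },
    { "pinned.test",  false, 2000000000 },
    { "expired.test", true,  1000000000 },
};

/* ASCII case-insensitive host comparison. */
static bool host_eq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == *b;
}

/* True if an unexpired policy covers host, exactly or via includeSubDomains. */
static bool hsts_policy_applies(const char *host, time_t now) {
    size_t hlen = strlen(host);
    for (size_t i = 0; i < sizeof hsts_store / sizeof hsts_store[0]; i++) {
        const HstsPolicy *p = &hsts_store[i];
        size_t plen = strlen(p->host);
        if (p->expires <= now) continue;
        if (host_eq(host, p->host)) return true;
        if (p->include_subdomains && hlen > plen + 1 &&
            host[hlen - plen - 1] == '.' &&      /* match on a label boundary only */
            host_eq(host + hlen - plen, p->host)) return true;
    }
    return false;
}

/* First check: runs on every TLS failure, whatever caused it. */
static TlsFailureSignal on_tls_failure(const char *host, time_t now) {
    return hsts_policy_applies(host, now) ? SIGNAL_LOAD_FAILED_WITH_HSTS_ERROR
                                          : SIGNAL_LOAD_FAILED_WITH_TLS_ERRORS;
}

/* Second check: the policy is looked up again when the application asks for a
 * certificate exception. Assumption: the request is refused under HSTS. */
static bool model_allow_certificate_for_host(const char *host, time_t now) {
    return !hsts_policy_applies(host, now);
}
```

Because the exception path repeats the lookup, an application that ignores the first signal still cannot bypass the policy in this model.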