[Webkit-unassigned] [Bug 193508] New: sendBeacon to previously-unvisited https domain always fails

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jan 16 13:51:13 PST 2019


https://bugs.webkit.org/show_bug.cgi?id=193508

            Bug ID: 193508
           Summary: sendBeacon to previously-unvisited https domain always
                    fails
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Page Loading
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ajuma at chromium.org
                CC: achristensen at apple.com, beidson at apple.com,
                    cdumez at apple.com, youennf at gmail.com

PingLoad::didReceiveChallenge always returns AuthenticationChallengeDisposition::Cancel, so calls to sendBeacon(url) where url is an https URL for a domain that we're establishing an https connection to for the first time will always fail.

Once we establish an https connection some other way (e.g. by sending an xhr to the same domain), PingLoads no longer receive a challenge, so beacons are successfully sent.

This bug doesn't affect Safari, because in [WKNetworkSessionDelegate URLSession:task:didReceiveChallenge:completionHandler], _session->networkProcess().canHandleHTTPSServerTrustEvaluation() is false, so we always call the completion handler with NSURLSessionAuthChallengeRejectProtectionSpace.

However, for other WebKit embedders (e.g., MiniBrowser, and all non-Safari browsers on iOS), canHandleHTTPSServerTrustEvaluation() is true, so we do call into PingLoad::didReceiveChallenge and cancel the network task.

A possible fix would be making PingLoad::didReceiveChallenge return RejectProtectionSpaceAndContinue, which would have the effect of allowing connections to sites with valid certificates and rejecting otherwise.

-- 
You are receiving this mail because:
You are the assignee for the bug.
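
The behaviour described in the report, as an added C++ model that is not WebKit code and not part of the original message. Only the two disposition names and canHandleHTTPSServerTrustEvaluation come from the report; the struct, the functions, the host names and the assumption that an XHR goes through default certificate evaluation are hypothetical.

```cpp
#include <cstdio>
#include <set>
#include <string>

// Model only, not WebKit source. Disposition names are quoted from the report;
// every other identifier here is hypothetical.
enum class Disposition { Cancel, RejectProtectionSpaceAndContinue };

struct Embedder {
    bool canHandleServerTrust;          // models canHandleHTTPSServerTrustEvaluation()
    Disposition pingDisposition;        // answer given by the ping load's challenge handler
    std::set<std::string> established;  // hosts that already have an HTTPS connection
};

// Default handling: the connection proceeds only for a valid certificate.
static bool defaultTrustEvaluation(bool certValid) { return certValid; }

// Assumption: a non-ping load such as an XHR goes through default evaluation.
bool xhrDelivered(Embedder& e, const std::string& host, bool certValid) {
    if (e.established.count(host)) return true;
    if (!defaultTrustEvaluation(certValid)) return false;
    e.established.insert(host);
    return true;
}

bool beaconDelivered(Embedder& e, const std::string& host, bool certValid) {
    if (e.established.count(host)) return true;  // no challenge reaches the ping load
    // Challenge forwarded to the ping load, which cancels the task: the reported bug.
    if (e.canHandleServerTrust && e.pingDisposition == Disposition::Cancel)
        return false;
    // Safari (delegate rejects the protection space itself) and the proposed
    // disposition both end in default evaluation of the certificate.
    if (!defaultTrustEvaluation(certValid)) return false;
    e.established.insert(host);
    return true;
}

int main() {
    Embedder mini{true, Disposition::Cancel, {}};  // constructed sample embedder
    std::printf("first beacon:  %d\n", beaconDelivered(mini, "a.example", true));
    std::printf("xhr:           %d\n", xhrDelivered(mini, "a.example", true));
    std::printf("second beacon: %d\n", beaconDelivered(mini, "a.example", true));
    return 0;
}
```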