[Webkit-unassigned] [Bug 196182] New: Using Application Cache on HTTPS websites causes perceived security issues
bugzilla-daemon at webkit.org
Sat Mar 23 18:43:17 PDT 2019
https://bugs.webkit.org/show_bug.cgi?id=196182
Bug ID: 196182
Summary: Using Application Cache on HTTPS websites causes perceived security issues
Product: WebKit
Version: WebKit Nightly Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: WebKitGTK
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mlalkaka at gmail.com
CC: bugs-noreply at webkitgtk.org
Hello, it seems that when a web page specifies an Application Cache (using the manifest attribute on its html tag), WebKit-based browsers do not consistently display the web page's HTTPS certificate.
I first found this bug while using Epiphany (you can see the original bug report and investigation at https://gitlab.gnome.org/GNOME/epiphany/issues/604). With Michael Catanzaro's help, I was able to narrow down the issue to websites using Application Cache and HTTPS, viewed on WebKit-based browsers.
To make reproducing this bug much easier, I created a simple website that consistently demonstrates the issue: https://mlalkaka.github.io/https-app-cache-bug.html.
Steps to Reproduce:
1. Navigate to https://mlalkaka.github.io/https-app-cache-bug.html.
2. Verify that the lock icon appears, and that you can actually view the web page's HTTPS certificate.
3. Close the web browser.
4. Open the web browser again.
5. Navigate to https://mlalkaka.github.io/https-app-cache-bug.html again.
Actual Result:
In Epiphany (on Linux), the HTTPS lock icon displays a warning claiming the site is insecure, and you cannot see the HTTPS certificate.
In Safari (on macOS), the HTTPS lock icon displays as normal, but clicking the icon does not display the HTTPS certificate.
In Google Chrome (on Linux and macOS, but not on Windows), the HTTPS lock icon converts to the 'info' icon, claims the site is not secure, but it does not explain why, and you cannot see the certificate anymore. I know that Google Chrome technically does not use WebKit anymore, but I thought it was a useful comparison.
Expected Result:
The HTTPS lock icon appears again, and you can still view the HTTPS certificate.
---
This bug may exist when using Service Workers as well; I haven't had a chance to test that yet.
Also, it looks like a similar bug was reported (but only for Safari) back in 2013: https://bugs.webkit.org/show_bug.cgi?id=120513. It looks like that one was more specific to Safari only, and hasn't been touched in six years, so I thought it best to create a more detailed bug report, and one that covers multiple platforms.