<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - WKWebView should provide SecTrustRef object for main frame"
   href="https://bugs.webkit.org/show_bug.cgi?id=148744">148744</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>WKWebView should provide SecTrustRef object for main frame
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>WebKit
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>WebKit Nightly Build
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>iOS
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P2
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>WebKit2
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>webkit-unassigned&#64;lists.webkit.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>eugenebut&#64;chromium.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=260499" name="attach_260499" title="Test App">attachment 260499</a> <a href="attachment.cgi?id=260499&amp;action=edit" title="Test App">[details]</a></span>
Test App

When loading a page with an invalid SSL certificate, WKWebView provides an API to make the load/no-load decision, where the browser can ask if the user wants to accept the invalid SSL certificate:
|webView:didReceiveAuthenticationChallenge:completionHandler:| and that API provides a SecTrustRef object.

Let's assume that the user has decided to load the page with the invalid certificate. Now the browser wants to show a Broken Red SSL Lock icon to keep the user informed about the risks.

The only available API that can be used for server identity verification is |WKWebView.certificateChain|; however, having the chain is not enough for cert verification and there is no guarantee that a manually constructed SecTrustRef will be the same as the one provided via |webView:didReceiveAuthenticationChallenge:completionHandler:|.

The attached example shows how a browser can keep the user informed about the risks by showing warning text.</pre>
        </div>
      </p>
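      <p>The gap described in the report can be illustrated with a navigation delegate that records the outcome of evaluating the SecTrustRef at challenge time, since that is the only point where WebKit hands the object over. This is an added example, not the attached test app or WebKit code; the names TrustRecordingDelegate, LockState, userAcceptedHosts and lockStateByHost are hypothetical.</p>
      <pre>
```swift
import WebKit
import Security

// Added example (not from the bug report). Needs iOS 12 / macOS 10.14 or later
// for SecTrustEvaluateWithError.
enum LockState { case secure, brokenAcceptedByUser }

final class TrustRecordingDelegate: NSObject, WKNavigationDelegate {
    // Hosts the user explicitly agreed to load despite a failed evaluation.
    // Hypothetical store: a real browser fills it from its interstitial UI.
    var userAcceptedHosts: [String: Bool] = [:]
    // Lock state per host, derived from the trust object WebKit itself provided.
    private(set) var lockStateByHost: [String: LockState] = [:]

    func webView(_ webView: WKWebView,
                 didReceive challenge: URLAuthenticationChallenge,
                 completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Evaluation can block on network fetches; production code should
        // run it off the main thread before calling the completion handler.
        if SecTrustEvaluateWithError(trust, nil) {
            lockStateByHost[space.host] = .secure
            completionHandler(.performDefaultHandling, nil)
        } else if userAcceptedHosts[space.host] == true {
            // The user accepted the risk: load, but remember the broken state.
            lockStateByHost[space.host] = .brokenAcceptedByUser
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Default is to refuse the connection and keep no state for it.
            lockStateByHost[space.host] = nil
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }

    // Lock state for the host currently shown in the main frame, if known.
    func lockState(for webView: WKWebView) -> LockState? {
        guard let host = webView.url?.host else { return nil }
        return lockStateByHost[host]
    }
}
```
      </pre>
      <p>The recorded state is keyed by host and captured at challenge time, so it can go stale or be attributed to the wrong frame; it is a bookkeeping workaround and does not give the browser the main frame's actual trust object that the report asks for.</p>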
    </body>
</html>