<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body><span class="vcard"><a class="email" href="mailto:mcatanzaro&#64;igalia.com" title="Michael Catanzaro &lt;mcatanzaro&#64;igalia.com&gt;"> <span class="fn">Michael Catanzaro</span></a>
</span> changed
              <a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - [SOUP] Move global TLS errors handling from ResourceHandle to SoupNetworkSession"
   href="https://bugs.webkit.org/show_bug.cgi?id=162910">bug 162910</a>
        <br>
             <table border="1" cellspacing="0" cellpadding="8">
          <tr>
            <th>What</th>
            <th>Removed</th>
            <th>Added</th>
          </tr>

         <tr>
           <td style="text-align:right;">Attachment #290607 Flags</td>
           <td>review?
           </td>
           <td>review-
           </td>
         </tr></table>
      <p>
        <div>
            <b><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - [SOUP] Move global TLS errors handling from ResourceHandle to SoupNetworkSession"
   href="https://bugs.webkit.org/show_bug.cgi?id=162910#c2">Comment # 2</a>
              on <a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - [SOUP] Move global TLS errors handling from ResourceHandle to SoupNetworkSession"
   href="https://bugs.webkit.org/show_bug.cgi?id=162910">bug 162910</a>
              from <span class="vcard"><a class="email" href="mailto:mcatanzaro&#64;igalia.com" title="Michael Catanzaro &lt;mcatanzaro&#64;igalia.com&gt;"> <span class="fn">Michael Catanzaro</span></a>
</span></b>
        <pre>Comment on <span class=""><a href="attachment.cgi?id=290607&amp;action=diff" name="attach_290607" title="Patch">attachment 290607</a> <a href="attachment.cgi?id=290607&amp;action=edit" title="Patch">[details]</a></span>
Patch

View in context: <a href="https://bugs.webkit.org/attachment.cgi?id=290607&amp;action=review">https://bugs.webkit.org/attachment.cgi?id=290607&amp;action=review</a>

I know this is a preexisting problem, but please fix it first: either use a secure hash algorithm in HostTLSCertificateSet (e.g. SHA-256 from CryptoDigest.h), or else just stop using hashes there and copy the full certificates into the hash table. This is a sufficiently-minor issue that I don't think we need to get a CVE for it, but it needs fixed.

<span class="quote">&gt; Source/WebCore/platform/network/soup/SoupNetworkSession.cpp:67
&gt; +    bool contains(GTlsCertificate* certificate)</span >

Should be const (preexisting issue)

<span class="quote">&gt; Source/WebCore/platform/network/soup/SoupNetworkSession.h:68
&gt; +    static void setShouldIgnoreTLSErrors(bool);
&gt; +    static void checkTLSErrors(SoupRequest*, SoupMessage*, std::function&lt;void (const ResourceError&amp;)&gt;&amp;&amp;);
&gt; +    static void allowSpecificHTTPSCertificateForHost(const CertificateInfo&amp;, const String&amp; host);</span >
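
Review bot: the checkTLSErrors declaration gives no contract for its std::function&lt;void (const ResourceError&amp;)&gt;&amp;&amp; completion handler. Please add a comment saying whether the handler is always invoked (with a null ResourceError when the certificate is acceptable) or only on failure, so that no caller can read a handler that was never called as a successful check. In the same hunk, allowSpecificHTTPSCertificateForHost takes a bare const String&amp; host. It would help to state whether callers must pass the host already normalized (for example lowercased) for the later per-host lookup to match.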

Why make these static? Doesn't it defeat the point of moving this code to SoupNetworkSession? I would expect different network sessions to handle these independently. If you were planning to change this in a future patch, it'd be better to do it now by using SoupNetworkSession::defaultSession() in NetworkProcessSoup.cpp, and fix up NetworkProcessSoup.cpp in a future patch.</pre>
        </div>
      </p>
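<p>Added example, not part of the review and not WebKit code: a per-host certificate exception set that remembers only a non-secure hash accepts a different certificate with the same hash, while one that stores the full encoding does not. All names are hypothetical, weakHash is a deliberately simple stand-in for whatever non-secure hash is in use, and the byte strings are constructed samples rather than real certificates.</p>

```cpp
// Added example (not WebKit code); all names here are hypothetical.
#include <cstdint>
#include <map>
#include <set>
#include <string>
#include <vector>

using DER = std::vector<uint8_t>; // encoded certificate bytes

// Stand-in for a non-secure hash: distinct inputs with equal hashes are easy to find.
static uint32_t weakHash(const DER& der)
{
    uint32_t sum = 0;
    for (uint8_t byte : der)
        sum += byte;
    return sum;
}

// Per-host exception list, parameterized on what is remembered for each certificate.
template<typename Key, Key (*makeKey)(const DER&)>
class AllowedCertificates {
public:
    void allow(const std::string& host, const DER& der) { m_allowed[host].insert(makeKey(der)); }
    bool contains(const std::string& host, const DER& der) const
    {
        auto it = m_allowed.find(host);
        return it != m_allowed.end() && it->second.count(makeKey(der)) != 0;
    }
private:
    std::map<std::string, std::set<Key>> m_allowed;
};

static DER fullEncoding(const DER& der) { return der; }
using HashedSet = AllowedCertificates<uint32_t, weakHash>; // remembers only the weak hash
using FullSet = AllowedCertificates<DER, fullEncoding>;    // remembers the whole certificate

// Constructed sample bytes, not real certificates: same byte sum, different content.
static const DER approved { 0x30, 0x82, 0x01, 0x0a };
static const DER different { 0x30, 0x82, 0x0a, 0x01 };

// True if a set that approved `approved` for a host also accepts `different` for it.
template<typename Set>
bool acceptsDifferentCertificate()
{
    Set session;
    session.allow("example.test", approved);
    return session.contains("example.test", approved) && session.contains("example.test", different);
}

int main() { return acceptsDifferentCertificate<HashedSet>() && !acceptsDifferentCertificate<FullSet>() ? 0 : 1; }
```

<p>Each set is an ordinary instance with a const contains(), so an exception approved in one instance is not visible in another.</p>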
    </body>
</html>