<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED FIXED - [SOUP] Remove SSLPolicyFlags from SoupNetworkSession"
href="https://bugs.webkit.org/show_bug.cgi?id=162906#c5">Comment # 5</a>
on <a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED FIXED - [SOUP] Remove SSLPolicyFlags from SoupNetworkSession"
href="https://bugs.webkit.org/show_bug.cgi?id=162906">bug 162906</a>
from <span class="vcard"><a class="email" href="mailto:cgarcia@igalia.com" title="Carlos Garcia Campos <cgarcia@igalia.com>"> <span class="fn">Carlos Garcia Campos</span></a>
</span></b>
<pre>(In reply to <a href="show_bug.cgi?id=162906#c4">comment #4</a>)
<span class="quote">> Hi Carlos,
>
> this patch is setting SOUP_SESSION_SSL_STRICT to FALSE in constructor and
> removing setSSLPolicy, so is it possible for a user to set it back to TRUE
> later?
> If not, does it look like a security issue?
>
> Thanks!</span >
What user do you mean? All users of that API (GTK+ and EFL ports) were setting setSSLPolicy(SoupNetworkSession::SSLUseSystemCAFile); which sets SOUP_SESSION_SSL_STRICT to FALSE. There isn't any change in behavior in this patch. WE have always set that to FALSE, because we handle SSL errors ourselves in ResourceHandleSoup/NetworkDataTaskSoup. Loads will fail with an error in case of SSL errors even if SOUP_SESSION_SSL_STRICT is set to FALSE.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>