<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED FIXED - [SOUP] Remove SSLPolicyFlags from SoupNetworkSession"
href="https://bugs.webkit.org/show_bug.cgi?id=162906#c6">Comment # 6</a>
on <a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED FIXED - [SOUP] Remove SSLPolicyFlags from SoupNetworkSession"
href="https://bugs.webkit.org/show_bug.cgi?id=162906">bug 162906</a>
from <span class="vcard"><a class="email" href="mailto:ivlev.igor@gmail.com" title="Ihor Ivlev <ivlev.igor@gmail.com>"> <span class="fn">Ihor Ivlev</span></a>
</span></b>
<pre>(In reply to <a href="show_bug.cgi?id=162906#c5">comment #5</a>)
<span class="quote">> (In reply to <a href="show_bug.cgi?id=162906#c4">comment #4</a>)
> > Hi Carlos,
> >
> > this patch is setting SOUP_SESSION_SSL_STRICT to FALSE in constructor and
> > removing setSSLPolicy, so is it possible for a user to set it back to TRUE
> > later?
> > If not, does it look like a security issue?
> >
> > Thanks!
>
> What user do you mean? All users of that API (GTK+ and EFL ports) were
> setting setSSLPolicy(SoupNetworkSession::SSLUseSystemCAFile); which sets
> SOUP_SESSION_SSL_STRICT to FALSE. There isn't any change in behavior in this
> patch. We have always set that to FALSE, because we handle SSL errors
> ourselves in ResourceHandleSoup/NetworkDataTaskSoup. Loads will fail with an
> error in case of SSL errors even if SOUP_SESSION_SSL_STRICT is set to FALSE.</span>
Thank you for the explanation, sorry I didn't realize we're handling SSL errors in ResourceHandleSoup/NetworkDataTaskSoup.</pre>
</div>
</p>
</body>
</html>