Bug 146155

Summary: Remove treatsSHA1SignedCertificatesAsInsecure from WebPageConfiguration
Product: WebKit Reporter: Michael Catanzaro <mcatanzaro>
Component: WebKit2Assignee: Michael Catanzaro <mcatanzaro>
Status: NEW    
Severity: Minor CC: andersca, beidson, cgarcia, mcatanzaro, mitz, sam
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: All   
See Also: https://bugs.webkit.org/show_bug.cgi?id=142461
Attachments:
Description Flags
Patch
none
Patch
none
Patch beidson: review-

Michael Catanzaro
Reported 2015-06-19 12:25:20 PDT
WebPageConfiguration is not a great place for random platform-specific preferences. Currently it has only one such preference, treatsSHA1SignedCertificatesAsInsecure. This preference will never be used by curl or soup ports (it's simply not possible to get such information about the certificate, and it wouldn't be appropriate for WebKit to warn about certificates that curl or other soup apps are OK with), so it should at least be guarded by #if PLATFORM(COCOA). But WebPageConfiguration is otherwise used to hold a few very important objects, not preferences (except for the WebPreferencesStore::ValueMap), and that is one highly-specific certificate check out of many possible such checks. Let's move this check down to a lower, platform-specific layer.
Attachments
Patch (11.77 KB, patch)
2015-06-19 12:43 PDT, Michael Catanzaro 		no flags
DetailsFormatted DiffDiff
Patch (11.79 KB, patch)
2015-06-19 12:51 PDT, Michael Catanzaro 		no flags
DetailsFormatted DiffDiff
Patch (11.51 KB, patch)
2015-06-20 17:08 PDT, Michael Catanzaro 		beidson: review-
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Michael Catanzaro
Comment 1 2015-06-19 12:43:37 PDT
Created attachment 255215 [details] Patch
Michael Catanzaro
Comment 2 2015-06-19 12:51:36 PDT
Created attachment 255218 [details] Patch
mitz
Comment 3 2015-06-20 08:48:28 PDT
I think a better terminology to use here might involve phrases like “certificate evaluation policy”, “trust evaluation policy”, or “security assessment policy”.
Michael Catanzaro
Comment 4 2015-06-20 09:33:16 PDT
Yes; those are much better than what I came up with. I also need to update this to apply on top of r185795.
Michael Catanzaro
Comment 5 2015-06-20 17:08:25 PDT
Created attachment 255302 [details] Patch
Michael Catanzaro
Comment 6 2016-01-02 10:41:53 PST
Ping, owners?
Michael Catanzaro
Comment 7 2016-03-26 11:03:39 PDT
Dan, maybe a good time to revisit this?
Brady Eidson
Comment 8 2017-04-24 19:11:46 PDT
Comment on attachment 255302 [details] Patch This patch has been pending review since 2015 with no recent activity. It seems unlikely that it would even still apply to trunk in its current form. Clearing from the review queue. Feel free to update and resubmit if the patch is still relevant.
Note You need to log in before you can comment on or make changes to this bug.