Bug 148744

Summary:

WKWebView should provide SecTrustRef object for main frame

Product:

WebKit

Reporter:

Eugene But <eugenebut>

Component:

WebKit2

Assignee:

Nobody <webkit-unassigned>

Status:

NEW

Severity:

Normal

CC:

sleroux, stefan, stuartmorgan

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

iPhone / iPad

OS:

All

Attachments:

Description	Flags
Test App	none

Eugene But

Reported 2015-09-03 11:28:11 PDT

Created attachment 260499 [details] Test App When loading a page with invalid SSL certificate, WKWebView provides API to make load/no-load decision, where browser can ask if user wants to accept invalid SSL certificate: |webView:didReceiveAuthenticationChallenge:completionHandler:| and that API provides SecTrustRef object. Lets assume that user has decided to load the page with invalid certificate. Now browser wants to show Broken Red SSL Lock icon to keep user informed about the risks. The only available API that can be used for server's identity verification is | WKWebView.certificateChain |, however having chain is not enough for cert verification and there is no guarantee that manually constructed SecTrustRef will be the same as one provided via |webView:didReceiveAuthenticationChallenge:completionHandler|. Attached example shows how browser can keep the user informed about the risks by showing warning text.

Attachments
Test App (25.12 KB, application/zip) 2015-09-03 11:28 PDT, Eugene But	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Eugene But

Comment 1 2015-09-03 11:28:40 PDT

rdar://22560879

Note You need to log in before you can comment on or make changes to this bug.