Bug 159176 (CVE-2016-4763)

Summary: WKWebView should ask WKNavigationDelegate about bad ssl certificates
Product: WebKit Reporter: Alex Christensen <achristensen>
Component: New BugsAssignee: Alex Christensen <achristensen>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, commit-queue
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch none

Alex Christensen
Reported 2016-06-27 15:44:13 PDT
WKWebView should ask WKNavigationDelegate about bad ssl certificates
Attachments
Patch (4.68 KB, patch)
2016-06-27 17:17 PDT, Alex Christensen 		no flags
DetailsFormatted DiffDiff
Patch (4.58 KB, patch)
2016-06-27 23:36 PDT, Alex Christensen 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Alex Christensen
Comment 1 2016-06-27 17:17:11 PDT
Created attachment 282189 [details] Patch
Alex Christensen
Comment 2 2016-06-27 23:36:33 PDT
Created attachment 282215 [details] Patch
Brady Eidson
Comment 3 2016-06-28 12:02:14 PDT
Comment on attachment 282215 [details] Patch We should explore why internal clients do something different, and really understand why/if there needs to be a difference at all.
Alex Christensen
Comment 4 2016-06-28 13:13:35 PDT
MobileSafari and Mac Safari both use _setCanHandleHTTPSServerTrustEvaluation, which means they do not use didReceiveChallenge for server trust authentication. We should definitely get rid of that SPI, but not right now.
Alex Christensen
Comment 5 2016-06-28 16:11:25 PDT
Comment on attachment 282215 [details] Patch Re-asking for review, even though Brady r-ed the original patch, because of additional information about Safari and MobileSafari.
WebKit Commit Bot
Comment 6 2016-06-29 12:19:47 PDT
Comment on attachment 282215 [details] Patch Clearing flags on attachment: 282215 Committed r202640: <http://trac.webkit.org/changeset/202640>
WebKit Commit Bot
Comment 7 2016-06-29 12:19:50 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.