Bug 159176 (CVE-2016-4763)

Summary: WKWebView should ask WKNavigationDelegate about bad ssl certificates
Product: WebKit
Reporter: Alex Christensen <achristensen>
Component: New Bugs
Assignee: Alex Christensen <achristensen>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, commit-queue
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
Description Flags
Patch none
Patch none

Description Alex Christensen 2016-06-27 15:44:13 PDT
WKWebView should ask WKNavigationDelegate about bad ssl certificates
Comment 1 Alex Christensen 2016-06-27 17:17:11 PDT
Created attachment 282189
Patch
Comment 2 Alex Christensen 2016-06-27 23:36:33 PDT
Created attachment 282215
Patch
Comment 3 Brady Eidson 2016-06-28 12:02:14 PDT
Comment on attachment 282215
Patch

We should explore why internal clients do something different, and really understand why/if there needs to be a difference at all.
Comment 4 Alex Christensen 2016-06-28 13:13:35 PDT
MobileSafari and Mac Safari both use _setCanHandleHTTPSServerTrustEvaluation, which means they do not use didReceiveChallenge for server trust authentication.  We should definitely get rid of that SPI, but not right now.
Comment 5 Alex Christensen 2016-06-28 16:11:25 PDT
Comment on attachment 282215
Patch

Re-asking for review, even though Brady r-ed the original patch, because of additional information about Safari and MobileSafari.
Comment 6 WebKit Commit Bot 2016-06-29 12:19:47 PDT
Comment on attachment 282215
Patch

Clearing flags on attachment: 282215

Committed r202640: <http://trac.webkit.org/changeset/202640>
Comment 7 WebKit Commit Bot 2016-06-29 12:19:50 PDT
All reviewed patches have been landed.  Closing bug.