We are currently always ignoring all TLS errors unconditionally. We should provide an API to allow change the TLS errors policy to not ignore errors and fail.
Created attachment 178415 [details] Patch
Thanks for the patch. If this patch contains new public API please make sure it follows the guidelines for new WebKit2 GTK+ API. See http://trac.webkit.org/wiki/WebKitGTK/AddingNewWebKit2API
I'd be happier if WEBKIT_TLS_ERRORS_POLICY_IGNORE had a name that suggested "the application will handle TLS errors itself, so WebKit doesn't have to" rather than "let's just ignore TLS errors completely! whee!". maybe WEBKIT_TLS_ERRORS_HANDLED_BY_WEBKIT / ..._HANDLED_BY_APPLICATION ?
Maybe WEBKIT_TLS_ERRORS_POLICY_CONTINUE or WEBKIT_TLS_ERRORS_POLICY_LOAD_ANYWAY?
(In reply to comment #3) > I'd be happier if WEBKIT_TLS_ERRORS_POLICY_IGNORE had a name that suggested "the application will handle TLS errors itself, so WebKit doesn't have to" rather than "let's just ignore TLS errors completely! whee!". > > maybe WEBKIT_TLS_ERRORS_HANDLED_BY_WEBKIT / ..._HANDLED_BY_APPLICATION ? IGNORE doesn't mean the app will handle them, but that webkit will ignore the errors, and continue with the load normally, as we currently do. I'll add a new policy ASK to let the app handle the errors in a follow up patch. The idea of the ignore policy is that it doesn't require IPC traffic at all, and ignore is the default policy (for compatibility)
(In reply to comment #5) > The idea of the ignore policy is that it doesn't require IPC traffic at all, and ignore is the default policy (for compatibility) Do we have API guarantees on WK2 yet? Either ASK or FAIL would be a better default...
(In reply to comment #6) > (In reply to comment #5) > > The idea of the ignore policy is that it doesn't require IPC traffic at all, and ignore is the default policy (for compatibility) > > Do we have API guarantees on WK2 yet? Either ASK or FAIL would be a better default... Not for API compatibility, but to not break SSL pages in GTK and EFL, we can make ASK the default from our API and still keep ignore SSL errors the default in webcore.
Committed r138273: <http://trac.webkit.org/changeset/138273>