Bug 146155 - Remove treatsSHA1SignedCertificatesAsInsecure from WebPageConfiguration
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit2
Version: 528+ (Nightly build)
Hardware: PC All
Importance: P2 Minor
Assignee: Michael Catanzaro
Reported: 2015-06-19 12:25 PDT by Michael Catanzaro
Modified: 2017-04-24 19:11 PDT

Patch (11.77 KB, patch)
2015-06-19 12:43 PDT, Michael Catanzaro
no flags
Patch (11.79 KB, patch)
2015-06-19 12:51 PDT, Michael Catanzaro
no flags
Patch (11.51 KB, patch)
2015-06-20 17:08 PDT, Michael Catanzaro
beidson: review-

Description Michael Catanzaro 2015-06-19 12:25:20 PDT
WebPageConfiguration is not a great place for random platform-specific preferences. Currently it has only one such preference, treatsSHA1SignedCertificatesAsInsecure. This preference will never be used by curl or soup ports (it's simply not possible to get such information about the certificate, and it wouldn't be appropriate for WebKit to warn about certificates that curl or other soup apps are OK with), so it should at least be guarded by #if PLATFORM(COCOA). But WebPageConfiguration is otherwise used to hold a few very important objects, not preferences (except for the WebPreferencesStore::ValueMap), and that is one highly-specific certificate check out of many possible such checks. Let's move this check down to a lower, platform-specific layer.
Comment 1 Michael Catanzaro 2015-06-19 12:43:37 PDT
Created attachment 255215
Comment 2 Michael Catanzaro 2015-06-19 12:51:36 PDT
Created attachment 255218
Comment 3 mitz 2015-06-20 08:48:28 PDT
I think a better terminology to use here might involve phrases like “certificate evaluation policy”, “trust evaluation policy”, or “security assessment policy”.
Comment 4 Michael Catanzaro 2015-06-20 09:33:16 PDT
Yes; those are much better than what I came up with.

I also need to update this to apply on top of r185795.
Comment 5 Michael Catanzaro 2015-06-20 17:08:25 PDT
Created attachment 255302
Comment 6 Michael Catanzaro 2016-01-02 10:41:53 PST
Ping, owners?
Comment 7 Michael Catanzaro 2016-03-26 11:03:39 PDT
Dan, maybe a good time to revisit this?
Comment 8 Brady Eidson 2017-04-24 19:11:46 PDT
Comment on attachment 255302

This patch has been pending review since 2015 with no recent activity.
It seems unlikely that it would even still apply to trunk in its current form.

Clearing from the review queue.

Feel free to update and resubmit if the patch is still relevant.