148744 – WKWebView should provide SecTrustRef object for main frame

Bug 148744 - WKWebView should provide SecTrustRef object for main frame

Summary: WKWebView should provide SecTrustRef object for main frame

Status:	NEW

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebKit2 (show other bugs)
Version:	WebKit Nightly Build
Hardware:	iPhone / iPad All

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2015-09-03 11:28 PDT by Eugene But
Modified:	2015-09-03 17:54 PDT (History)
CC List:	3 users (show)

See Also:

Attachments
Test App (25.12 KB, application/zip) 2015-09-03 11:28 PDT, Eugene But	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Eugene But 2015-09-03 11:28:11 PDT

Created attachment 260499 [details]
Test App

When loading a page with invalid SSL certificate, WKWebView provides API to make load/no-load decision, where browser can ask if user wants to accept invalid SSL certificate:
|webView:didReceiveAuthenticationChallenge:completionHandler:| and that API provides SecTrustRef object.

Lets assume that user has decided to load the page with invalid certificate. Now browser wants to show Broken Red SSL Lock icon to keep user informed about the risks. 

The only available API that can be used for server's identity verification is | WKWebView.certificateChain |, however having chain is not enough for cert verification and there is no guarantee that manually constructed SecTrustRef will be the same as one provided via |webView:didReceiveAuthenticationChallenge:completionHandler|.


Attached example shows how browser can keep the user informed about the risks by showing warning text.

Comment 1 Eugene But 2015-09-03 11:28:40 PDT

rdar://22560879