NetworkCORSPreflightChecker should proceed when having a ProtectionSpaceAuthenticationSchemeServerTrustEvaluationRequested challenge
<rdar://problem/39987152>
Created attachment 340114: Patch
Testing of this feature would require writing an API test using an HTTP server. It would also require that the certificate would be valid. This patch is also missing the ability to let the certificates be validated by UIProcess when the connection is created by the preflight request.
Comment on attachment 340114: Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=340114&action=review

This looks correct to me. r=me.

> Source/WebKit/ChangeLog:10
> + Previously, we were failing right away which is not right in case preflight is the request triggering the connection.

If the issue is that preflight doesn't use credentials, couldn't this be an issue with any of the authentication schemes needing credentials (e.g., ProtectionSpaceAuthenticationSchemeClientCertificateRequested)? Or is it something special about the behavior of ProtectionSpaceAuthenticationSchemeServerTrustEvaluationRequested?

Looking through the rest of the code, it seems like ServerTrust is handled specially and rejects as you propose here in similar cases.
Thanks for the review.

> If the issue is that preflight doesn't use credentials, couldn't this be an
> issue with any of the authentication schemes needing credentials (e.g.,
> ProtectionSpaceAuthenticationSchemeClientCertificateRequested)? Or is it
> something special about the behavior of
> ProtectionSpaceAuthenticationSchemeServerTrustEvaluationRequested?

My understanding is that with other authentication schemes, the browser receives a 401. This is then transmitted to the preflight checker, which always fails. In the case of ProtectionSpaceAuthenticationSchemeServerTrustEvaluationRequested, we must react appropriately to the fact that the connection is credential-less.
I still wonder whether we should validate server certificates like we do for regular loads. There is an option to do that within network process, which would be easier to implement although we could consider doing the full path to UIProcess for consistency.
Comment on attachment 340114: Patch

Clearing flags on attachment: 340114

Committed r231694: <https://trac.webkit.org/changeset/231694>
All reviewed patches have been landed. Closing bug.