Bug 201177 - Use WebPageProxy callbacks in case of authentication challenge received from Service Worker
Summary: Use WebPageProxy callbacks in case of authentication challenge received from ...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Service Workers (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: youenn fablet
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2019-08-27 03:12 PDT by youenn fablet
Modified: 2019-10-28 13:27 PDT (History)
5 users (show)

See Also:


Attachments
Patch (32.84 KB, patch)
2019-08-27 06:46 PDT, youenn fablet
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description youenn fablet 2019-08-27 03:12:07 PDT
Use WebPageProxy callbacks in case of authentication challenge received from Service Worker
Comment 1 youenn fablet 2019-08-27 06:46:39 PDT
Created attachment 377338 [details]
Patch
Comment 2 Alex Christensen 2019-08-29 07:28:54 PDT
Comment on attachment 377338 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=377338&action=review

> Source/WebKit/UIProcess/Network/NetworkProcessProxy.cpp:325
> +    store->client().didReceiveAuthenticationChallenge(WTFMove(authenticationChallenge));

I think we could remove this now.  Is it still important to allow invalid TLS certs if there's no visible web page with the same origin?  I think we could just add a requirement that if you want to use untrusted certs you have to have an open view.
Comment 3 youenn fablet 2019-08-29 08:01:56 PDT
(In reply to Alex Christensen from comment #2)
> Comment on attachment 377338 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=377338&action=review
> 
> > Source/WebKit/UIProcess/Network/NetworkProcessProxy.cpp:325
> > +    store->client().didReceiveAuthenticationChallenge(WTFMove(authenticationChallenge));
> 
> I think we could remove this now.  Is it still important to allow invalid
> TLS certs if there's no visible web page with the same origin?  I think we
> could just add a requirement that if you want to use untrusted certs you
> have to have an open view.

Well, if the web page is not visible, user trust will never proceed although it would if the load was done for the web page. This is in particular the case if user trust was already granted by the application in the past and the web page proxy callback will not trigger any new prompt.
Comment 4 WebKit Commit Bot 2019-08-29 09:19:27 PDT
Comment on attachment 377338 [details]
Patch

Clearing flags on attachment: 377338

Committed r249277: <https://trac.webkit.org/changeset/249277>
Comment 5 WebKit Commit Bot 2019-08-29 09:19:28 PDT
All reviewed patches have been landed.  Closing bug.
Comment 6 Radar WebKit Bug Importer 2019-08-29 09:20:20 PDT
<rdar://problem/54839390>
Comment 7 Alex Christensen 2019-10-28 13:27:59 PDT
Comment on attachment 377338 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=377338&action=review

> Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.cpp:89
> +    if (sourceOrigin)
> +        encoder << *topOrigin;

:(
I'm fixing this.