Created attachment 443346 [details] Patch

Created attachment 443355 [details] Patch

It seems like this has been baked into the GTK API. Can that be removed? Is there a challenge-based way to allow invalid certs in the GTK API like WKNavigationDelegate.didReceiveAuthenticationChallenge?

Thanks for the patch. If this patch contains new public API please make sure it follows the guidelines for new WebKit2 GTK+ API. See https://trac.webkit.org/wiki/WebKitGTK/AddingNewWebKit2API

This is used by apps to allow an invalid certificate when the user accepts the risks. We don't have alternative API for this, but even in that case we would need to keep the old api working for backwards compatibility.

Does libsoup have an API that asks at the time of TLS handshake whether the certificate chain should be accepted or not?

Does tlsConnectionAcceptCertificateCallback have to return a bool immediately, or is there an asynchronous version that can ask the UI process? That's what WebKit does on Cocoa platforms.

Yes, the API is synchronous, because the GLib API for that is synchronous too. So we need to make the load fail first, tell the user about it with the button to try again on their own risk and load again after providing the tls certificate as an exception to be allowed.

<rdar://problem/85316802>