-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. Weβll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Move CertificateInfo::containsNonRootSHA1SignedCertificate call from UI to web process #8161
Conversation
EWS run on current version of this PR (hash ba0a1f6) |
auto certificateInfo = valueOrCompute(documentLoader.response().certificateInfo(), [] { | ||
return CertificateInfo(); | ||
}); | ||
hasInsecureContent = hasInsecureContent ? *hasInsecureContent : (certificateInfo.containsNonRootSHA1SignedCertificate() ? HasInsecureContent::Yes : HasInsecureContent::No); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should probably check with @pvollan that we're OK doing the SecTrustEvaluate calls from the WebProcess in the long term (because of sandboxing reasons).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I did. I verified there's already a call to containsNonRootSHA1SignedCertificate in the web process and it hasn't caused any problems. I also verified that this doesn't cause any issues. I think it's because we call response.includeCertificateInfo in NetworkLoad::notifyDidReceiveResponse before sending the SecTrustRef to the web process, so the web process doesn't actually need to do anything that our sandbox would oppose.
β¦UI to web process https://bugs.webkit.org/show_bug.cgi?id=250043 rdar://99324948 Reviewed by Chris Dumez. It calls security framework functions which call SecTrustEvaluateIfNecessary which now warns developers when it's used on the main thread. This warning is a good thing, but many developers are getting confused and thinking that the problem is in their application code, when it's really in WebKit code. To stop the warning when debugging third party apps, move the call to the web process. Also stop sending an unnecessary std::optional. * Source/WebKit/UIProcess/ProvisionalFrameProxy.cpp: (WebKit::ProvisionalFrameProxy::didCommitLoadForFrame): * Source/WebKit/UIProcess/ProvisionalFrameProxy.h: * Source/WebKit/UIProcess/ProvisionalPageProxy.cpp: (WebKit::ProvisionalPageProxy::didCommitLoadForFrame): * Source/WebKit/UIProcess/ProvisionalPageProxy.h: * Source/WebKit/UIProcess/WebFrameProxy.cpp: (WebKit::WebFrameProxy::commitProvisionalFrame): * Source/WebKit/UIProcess/WebFrameProxy.h: * Source/WebKit/UIProcess/WebPageProxy.cpp: (WebKit::WebPageProxy::commitProvisionalPage): (WebKit::WebPageProxy::didCommitLoadForFrame): * Source/WebKit/UIProcess/WebPageProxy.h: * Source/WebKit/UIProcess/WebPageProxy.messages.in: * Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp: (WebKit::WebFrameLoaderClient::dispatchDidCommitLoad): Canonical link: https://commits.webkit.org/258511@main
ba0a1f6
to
6cd18ec
Compare
Committed 258511@main (6cd18ec): https://commits.webkit.org/258511@main Reviewed commits have been landed. Closing PR #8161 and removing active labels. |
6cd18ec
ba0a1f6