Skip to content
This repository has been archived by the owner on Mar 25, 2024. It is now read-only.

Deprecate ours HTTPSE in favor of the one bundled in WKWebView #4335

Closed
iccub opened this issue Oct 17, 2021 · 4 comments · Fixed by #4433
Closed

Deprecate ours HTTPSE in favor of the one bundled in WKWebView #4335

iccub opened this issue Oct 17, 2021 · 4 comments · Fixed by #4433
Assignees
@iccub
Labels
enhancement Epic: Retention Epic: Security iOS 15 QA Pass - iPad QA Pass - iPhone X QA Pass - iPhone QA/Yes release-notes/include security
Milestone
1.32.3

Comments

@iccub
Copy link
Collaborator

iccub commented Oct 17, 2021

This flag is enabled by default on iOS 15.
https://developer.apple.com/documentation/webkit/wkwebviewconfiguration/3752243-upgradeknownhoststohttps

We can remove the current https implementation for iOS 15 devices.
There's chances this will be also an option for iOS 14.5, but we have to wait for newer XCode to verify it. That's why I'm putting blocked label
@iccub iccub added enhancement blocked If a ticket is blocked for some reason, if not using a sub-block label, please provide info in issue QA/Yes Epic: Security Epic: Retention labels Oct 17, 2021
@iccub iccub added this to the 1.32.5 milestone Oct 17, 2021
@iccub iccub self-assigned this Oct 17, 2021
@diracdeltas
Copy link
Member

what are known hosts in this case? are they using a list?

https://docs.google.com/document/d/1HnLAluEeHt7xNEo60vxyVzRFi0JQ_t0h_ZVrPXfQR9o/edit should probably be updated with this info

@iccub
Copy link
Collaborator Author

iccub commented Oct 20, 2021

@diracdeltas Apple has zero details for this API, same for webkit source
https://github.com/WebKit/WebKit/blob/main/Source/WebKit/UIProcess/API/Cocoa/WKWebViewConfiguration.h#L134

We can only say we are going to use the same lists as Safari on iOS and other 3rd party browsers

@iccub
Copy link
Collaborator Author

iccub commented Oct 25, 2021
edited

Added formal security review for it here, unfortunately Apple does not provide much info about it
https://github.com/brave/security/issues/632

@iccub iccub removed the blocked If a ticket is blocked for some reason, if not using a sub-block label, please provide info in issue label Oct 30, 2021
iccub added a commit that referenced this issue Nov 1, 2021
@iccub
Fix #4335: Deprecate ours HTTPSE in favor of the one bundled in WKWeb…
de3e84a 
…View.
@iccub iccub mentioned this issue Nov 1, 2021
Merged
7 tasks
iccub added a commit that referenced this issue Nov 1, 2021
@iccub
Fix #4335: Deprecate ours HTTPSE in favor of the one bundled in WKWeb…
9519a6b 
…View.
@iccub iccub added the iOS 15 label Nov 8, 2021
iccub added a commit that referenced this issue Nov 8, 2021
@iccub
Fix #4335: Deprecate ours HTTPSE in favor of the one bundled in WKWeb…
181e825 
…view (#4433)
iccub added a commit that referenced this issue Nov 8, 2021
@iccub
Fix #4335: Deprecate ours HTTPSE in favor of the one bundled in WKWeb…
a3051a0 
…view (#4433)
@iccub iccub modified the milestones: 1.32.5, 1.32.3 Nov 8, 2021
@srirambv
Copy link
Contributor

Verification passed on iPhone XR with iOS 15.1 running 1.32.3(21.11.13.9)

Verification passed on iPad Pro with iOS 15.2 Beta 2 running 1.32.3(21.11.13.9)

@stephendonner stephendonner mentioned this issue Nov 17, 2021
Closed
31 tasks
@srirambv srirambv mentioned this issue Nov 17, 2021
Closed
iccub added a commit that referenced this issue Nov 17, 2021
@iccub
Revert "Fix #4335: Deprecate ours HTTPSE in favor of the one bundled …
7532000 
…in WKWebview (#4433)"

This reverts commit a3051a0.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@iccub iccub

Labels
enhancement Epic: Retention Epic: Security iOS 15 QA Pass - iPad QA Pass - iPhone X QA Pass - iPhone QA/Yes release-notes/include security
Projects
None yet
Milestone
1.32.3
Development

Successfully merging a pull request may close this issue.

Fix #4335: Deprecate ours HTTPSE in favor of the one bundled in WKWeb… brave/brave-ios
3 participants
@diracdeltas @iccub @srirambv