[BUG] ignoreHTTPSErrors ignored in Webkit on MacOS

[divdavem]

System info

• Playwright Version: v1.32.3
• Operating System: macOS 12.6.5
• Browser: WebKit
• Other info:
  The problem was also happening on Windows (with WebKit) with version 1.31.0 of Playwright. This seems to have been fixed in the latest version of Playwright.
  Here is another issue similar to this one: [BUG] ignoreHTTPSErrors flag is being ignored when using WebKit on Linux through https proxy #9466

Source code

• I provided exact source code that allows reproducing the issue locally.

Link to the GitHub repository with the repro

https://github.com/divdavem/kassette-playground

Steps

Clone repository:

git clone https://github.com/divdavem/kassette-playground
cd kassette-playground

Install dependencies

npm install

Run tests with proxy

npm run test:proxy

The proxy used in this scenario is kassette. It plays the role of a man-in-the-middle, it provides a certificate generated on the fly that is not signed by a recognized certificate authority. However, as the test uses ignoreHTTPSErrors, this https error should be ignored.

Expected

Tests succeed in all browsers on all platforms.

Actual

Tests only fail with Webkit on MacOS, cf the logs on GitHub CI

In the trace viewer, it is possible to see the following message: An SSL error has occurred and a secure connection to the server cannot be made.

[dgozman]

I can repro and see the following in the output:

[WebServer] Socket error
Error: 4450600320:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_srvr.c:1714:

    at initRead (node:_tls_wrap:456:25)
    at processTicksAndRejections (node:internal/process/task_queues:83:21)

This looks like an error happening in the proxy itself that WebKit then shows as "SSL error". Since ignoreHTTPSErrors only masks SSL checks, it cannot recover from the broken protocol. Perhaps WebKit sends different network traffic compared to other browsers, and proxy cannot handle it?

Unfortunately, digging further is complicated and most likely ends up out of scope of Playwright project. I'd recommend to inspect the actual network traffic sent from the browser to the proxy and double check that everything is as expected. Let me know what you think.

[divdavem]

Does Webkit use any kind of public key or certificate pinning on MacOS?
It looks like the error is linked with some domain names.
In my example, it does not happen when I change the https URL with this commit:
divdavem/kassette-playground@5cf8607

[divdavem]

@dgozman Do you understand why the unsupported protocol error happens in Webkit on MacOS for some domain names and not for others?
With cdn.jsdelivr.net the error happens, but not for fonts.googleapis.com?
In both cases, the proxy intercepts the request the same way.

[aslushnikov]

@divdavem on Mac, WebKit uses MacOS network stack that is closed source, so we don't have much insights into it. I assume that Safari would exhibit the same behavior; could you please check if this is the case?

[aslushnikov]

It doesn't look like we can help here much, so I'll have to close this for now. Feel free to file a new issue if you think we can be helpful to you!