WebView.securityStatus.securityLevel indicates everything is normal if a subresource certificate error is allowed for a resource from a different domain from the main document

Bug #1368385 reported by Chris Coulson
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Oxide | Fix Released | Critical | Chris Coulson | |
| 1.2 | Fix Released | Critical | Chris Coulson | |

Bug Description

I caught this whilst writing unit tests. If a secure site loads a resource from a different domain but that resource load comes with an invalid certificate, WebView.onCertificateError will fire with the isSubresource property set to true. If the application then allows this, WebView.securityStatus.securityLevel does not indicate a degraded security level as expected.

It *does* work if the subresource is from the same domain as the main document, as that host is marked as having run insecure content.
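
The behaviour described in this report, as an added example that is not part of the original report and is not Oxide's code: a simplified model in which insecure content is tracked per host (the report's explanation of why the same-domain case works), next to a variant that records the degradation on the document itself. All class, function and URL names are hypothetical, and the per-document variant is an assumption about one way to satisfy the invariant, not the fix that was released.

```javascript
// Simplified model of the behaviour in this report; not Oxide's code.
// Names (SecurityModel, allowSubresourceCertError, ...) are hypothetical.
const SECURE = "secure", DEGRADED = "degraded";

class SecurityModel {
  constructor(mainUrl, { perDocument }) {
    this.mainHost = new URL(mainUrl).host;
    this.perDocument = perDocument;      // false = host-keyed tracking (as reported)
    this.insecureHosts = new Set();      // hosts marked as having run insecure content
    this.documentDegraded = false;       // flag owned by the current main document
  }

  // The application allowed a certificate error with isSubresource == true.
  allowSubresourceCertError(resourceUrl) {
    this.insecureHosts.add(new URL(resourceUrl).host);
    if (this.perDocument) this.documentDegraded = true;
  }

  securityLevel() {
    if (this.documentDegraded) return DEGRADED;
    return this.insecureHosts.has(this.mainHost) ? DEGRADED : SECURE;
  }
}

// Constructed cases: [main document, subresource with the invalid certificate].
const CASES = [
  ["https://app.example/", "https://app.example/lib.js"],   // same domain
  ["https://app.example/", "https://cdn.example/lib.js"],   // different domain
];

// Returns the security level reported for each case after the error is allowed.
function run(perDocument) {
  return CASES.map(([main, sub]) => {
    const m = new SecurityModel(main, { perDocument });
    m.allowSubresourceCertError(sub);
    return m.securityLevel();
  });
}

// Invariant a unit test should enforce: once any subresource certificate
// error has been allowed, the level must never read as secure.
function violations(levels) {
  return CASES.filter((_, i) => levels[i] !== DEGRADED).map(([, sub]) => sub);
}

console.log(run(false), violations(run(false)));
console.log(run(true), violations(run(true)));
```

With host-keyed tracking only the cross-domain case violates the invariant, which matches the report.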

Changed in oxide:
importance: Undecided → Critical
status: New → Triaged
milestone: none → branch-1.3
assignee: nobody → Chris Coulson (chrisccoulson)
description: updated
Changed in oxide:
status: Triaged → In Progress
Chris Coulson (chrisccoulson) wrote :
Changed in oxide:
status: In Progress → Fix Released