Title: [255461] trunk
Revision
255461
Author
achristen...@apple.com
Date
2020-01-30 14:53:22 -0800 (Thu, 30 Jan 2020)

Log Message

Add WKNavigationDelegate SPI to disable TLS 1.0 and 1.1
https://bugs.webkit.org/show_bug.cgi?id=206979

Reviewed by Brady Eidson.

Source/WebCore/PAL:

* pal/spi/cf/CFNetworkSPI.h:

Source/WebKit:

* NetworkProcess/NetworkCORSPreflightChecker.cpp:
(WebKit::NetworkCORSPreflightChecker::didReceiveChallenge):
* NetworkProcess/NetworkCORSPreflightChecker.h:
* NetworkProcess/NetworkDataTask.h:
* NetworkProcess/NetworkLoad.cpp:
(WebKit::NetworkLoad::didReceiveChallenge):
* NetworkProcess/NetworkLoad.h:
* NetworkProcess/NetworkProcessCreationParameters.cpp:
(WebKit::NetworkProcessCreationParameters::encode const):
(WebKit::NetworkProcessCreationParameters::decode):
* NetworkProcess/NetworkProcessCreationParameters.h:
* NetworkProcess/NetworkSessionCreationParameters.cpp:
(WebKit::NetworkSessionCreationParameters::encode const):
(WebKit::NetworkSessionCreationParameters::decode):
* NetworkProcess/NetworkSessionCreationParameters.h:
* NetworkProcess/PingLoad.cpp:
(WebKit::PingLoad::didReceiveChallenge):
* NetworkProcess/PingLoad.h:
* NetworkProcess/cocoa/NetworkDataTaskCocoa.h:
* NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:
(WebKit::NetworkDataTaskCocoa::NetworkDataTaskCocoa):
(WebKit::NetworkDataTaskCocoa::didReceiveChallenge):
(WebKit::NetworkDataTaskCocoa::willPerformHTTPRedirection):
* NetworkProcess/cocoa/NetworkProcessCocoa.mm:
(WebKit::NetworkProcess::platformInitializeNetworkProcessCocoa):
* NetworkProcess/cocoa/NetworkSessionCocoa.h:
* NetworkProcess/cocoa/NetworkSessionCocoa.mm:
(processServerTrustEvaluation):
(-[WKNetworkSessionDelegate URLSession:task:didReceiveChallenge:completionHandler:]):
(WebKit::NetworkSessionCocoa::NetworkSessionCocoa):
(WebKit::NetworkSessionCocoa::continueDidReceiveChallenge):
* Shared/Authentication/AuthenticationManager.cpp:
(WebKit::AuthenticationManager::didReceiveAuthenticationChallenge):
* Shared/Authentication/AuthenticationManager.h:
* UIProcess/API/APINavigationClient.h:
(API::NavigationClient::shouldAllowLegacyTLS):
* UIProcess/API/Cocoa/WKNavigationDelegatePrivate.h:
* UIProcess/Cocoa/NavigationState.h:
* UIProcess/Cocoa/NavigationState.mm:
(WebKit::NavigationState::setNavigationDelegate):
(WebKit::systemAllowsLegacyTLSFor):
(WebKit::NavigationState::NavigationClient::shouldAllowLegacyTLS):
* UIProcess/Cocoa/WebProcessPoolCocoa.mm:
(WebKit::WebProcessPool::platformInitializeNetworkProcess):
* UIProcess/Network/NetworkProcessProxy.cpp:
(WebKit::NetworkProcessProxy::didReceiveAuthenticationChallenge):
* UIProcess/Network/NetworkProcessProxy.h:
* UIProcess/Network/NetworkProcessProxy.messages.in:
* UIProcess/WebPageProxy.cpp:
* UIProcess/WebPageProxy.h:
* UIProcess/WebsiteData/Cocoa/WebsiteDataStoreCocoa.mm:
(WebKit::WebsiteDataStore::parameters):
* UIProcess/WebsiteData/WebsiteDataStoreConfiguration.h:

Source/WebKitLegacy/mac:

* WebView/WebView.mm:
(-[WebView _commonInitializationWithFrameName:groupName:]):

Tools:

* MiniBrowser/mac/SettingsController.m:
* TestWebKitAPI/Tests/WebKitCocoa/TLSDeprecation.mm:
(-[TLSNavigationDelegate waitForDidFinishNavigation]):
(-[TLSNavigationDelegate waitForDidFailProvisionalNavigation]):
(-[TLSNavigationDelegate receivedShouldAllowLegacyTLS]):
(-[TLSNavigationDelegate webView:didReceiveAuthenticationChallenge:completionHandler:]):
(-[TLSNavigationDelegate webView:didFinishNavigation:]):
(-[TLSNavigationDelegate webView:didFailProvisionalNavigation:withError:]):
(-[TLSNavigationDelegate _webView:authenticationChallenge:shouldAllowLegacyTLS:]):
(TestWebKitAPI::TEST):


Modified: trunk/Source/WebCore/PAL/ChangeLog (255460 => 255461)


--- trunk/Source/WebCore/PAL/ChangeLog	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebCore/PAL/ChangeLog	2020-01-30 22:53:22 UTC (rev 255461)
@@ -1,3 +1,12 @@
+2020-01-30  Alex Christensen  <achristen...@webkit.org>
+
+        Add WKNavigationDelegate SPI to disable TLS 1.0 and 1.1
+        https://bugs.webkit.org/show_bug.cgi?id=206979
+
+        Reviewed by Brady Eidson.
+
+        * pal/spi/cf/CFNetworkSPI.h:
+
 2020-01-30  Jonathan Bedard  <jbed...@apple.com>
 
         PAL: Remove old iOS version macros

Modified: trunk/Source/WebCore/PAL/pal/spi/cf/CFNetworkSPI.h (255460 => 255461)


--- trunk/Source/WebCore/PAL/pal/spi/cf/CFNetworkSPI.h	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebCore/PAL/pal/spi/cf/CFNetworkSPI.h	2020-01-30 22:53:22 UTC (rev 255461)
@@ -108,6 +108,10 @@
 
 #if defined(__OBJC__)
 
+@interface NSURLSessionTask ()
+@property (readonly, retain) NSURLSessionTaskMetrics* _incompleteTaskMetrics;
+@end
+
 @interface NSURLCache ()
 - (CFURLCacheRef)_CFURLCache;
 @end
@@ -400,6 +404,7 @@
 
 @interface NSURLSessionTask ()
 - (void)_setExplicitCookieStorage:(CFHTTPCookieStorageRef)storage;
+@property (readonly) SSLProtocol _TLSNegotiatedProtocolVersion;
 @end
 
 #endif // defined(__OBJC__)

Modified: trunk/Source/WebKit/ChangeLog (255460 => 255461)


--- trunk/Source/WebKit/ChangeLog	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/ChangeLog	2020-01-30 22:53:22 UTC (rev 255461)
@@ -1,3 +1,64 @@
+2020-01-30  Alex Christensen  <achristen...@webkit.org>
+
+        Add WKNavigationDelegate SPI to disable TLS 1.0 and 1.1
+        https://bugs.webkit.org/show_bug.cgi?id=206979
+
+        Reviewed by Brady Eidson.
+
+        * NetworkProcess/NetworkCORSPreflightChecker.cpp:
+        (WebKit::NetworkCORSPreflightChecker::didReceiveChallenge):
+        * NetworkProcess/NetworkCORSPreflightChecker.h:
+        * NetworkProcess/NetworkDataTask.h:
+        * NetworkProcess/NetworkLoad.cpp:
+        (WebKit::NetworkLoad::didReceiveChallenge):
+        * NetworkProcess/NetworkLoad.h:
+        * NetworkProcess/NetworkProcessCreationParameters.cpp:
+        (WebKit::NetworkProcessCreationParameters::encode const):
+        (WebKit::NetworkProcessCreationParameters::decode):
+        * NetworkProcess/NetworkProcessCreationParameters.h:
+        * NetworkProcess/NetworkSessionCreationParameters.cpp:
+        (WebKit::NetworkSessionCreationParameters::encode const):
+        (WebKit::NetworkSessionCreationParameters::decode):
+        * NetworkProcess/NetworkSessionCreationParameters.h:
+        * NetworkProcess/PingLoad.cpp:
+        (WebKit::PingLoad::didReceiveChallenge):
+        * NetworkProcess/PingLoad.h:
+        * NetworkProcess/cocoa/NetworkDataTaskCocoa.h:
+        * NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:
+        (WebKit::NetworkDataTaskCocoa::NetworkDataTaskCocoa):
+        (WebKit::NetworkDataTaskCocoa::didReceiveChallenge):
+        (WebKit::NetworkDataTaskCocoa::willPerformHTTPRedirection):
+        * NetworkProcess/cocoa/NetworkProcessCocoa.mm:
+        (WebKit::NetworkProcess::platformInitializeNetworkProcessCocoa):
+        * NetworkProcess/cocoa/NetworkSessionCocoa.h:
+        * NetworkProcess/cocoa/NetworkSessionCocoa.mm:
+        (processServerTrustEvaluation):
+        (-[WKNetworkSessionDelegate URLSession:task:didReceiveChallenge:completionHandler:]):
+        (WebKit::NetworkSessionCocoa::NetworkSessionCocoa):
+        (WebKit::NetworkSessionCocoa::continueDidReceiveChallenge):
+        * Shared/Authentication/AuthenticationManager.cpp:
+        (WebKit::AuthenticationManager::didReceiveAuthenticationChallenge):
+        * Shared/Authentication/AuthenticationManager.h:
+        * UIProcess/API/APINavigationClient.h:
+        (API::NavigationClient::shouldAllowLegacyTLS):
+        * UIProcess/API/Cocoa/WKNavigationDelegatePrivate.h:
+        * UIProcess/Cocoa/NavigationState.h:
+        * UIProcess/Cocoa/NavigationState.mm:
+        (WebKit::NavigationState::setNavigationDelegate):
+        (WebKit::systemAllowsLegacyTLSFor):
+        (WebKit::NavigationState::NavigationClient::shouldAllowLegacyTLS):
+        * UIProcess/Cocoa/WebProcessPoolCocoa.mm:
+        (WebKit::WebProcessPool::platformInitializeNetworkProcess):
+        * UIProcess/Network/NetworkProcessProxy.cpp:
+        (WebKit::NetworkProcessProxy::didReceiveAuthenticationChallenge):
+        * UIProcess/Network/NetworkProcessProxy.h:
+        * UIProcess/Network/NetworkProcessProxy.messages.in:
+        * UIProcess/WebPageProxy.cpp:
+        * UIProcess/WebPageProxy.h:
+        * UIProcess/WebsiteData/Cocoa/WebsiteDataStoreCocoa.mm:
+        (WebKit::WebsiteDataStore::parameters):
+        * UIProcess/WebsiteData/WebsiteDataStoreConfiguration.h:
+
 2020-01-30  Tim Horton  <timothy_hor...@apple.com>
 
         Can still get stuck after swipe backwards with a slow server, even after r254552

Modified: trunk/Source/WebKit/NetworkProcess/NetworkCORSPreflightChecker.cpp (255460 => 255461)


--- trunk/Source/WebKit/NetworkProcess/NetworkCORSPreflightChecker.cpp	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/NetworkProcess/NetworkCORSPreflightChecker.cpp	2020-01-30 22:53:22 UTC (rev 255461)
@@ -88,7 +88,7 @@
     m_completionCallback(ResourceError { errorDomainWebKitInternal, 0, m_parameters.originalRequest.url(), "Preflight response is not successful"_s, ResourceError::Type::AccessControl });
 }
 
-void NetworkCORSPreflightChecker::didReceiveChallenge(WebCore::AuthenticationChallenge&& challenge, ChallengeCompletionHandler&& completionHandler)
+void NetworkCORSPreflightChecker::didReceiveChallenge(WebCore::AuthenticationChallenge&& challenge, NegotiatedLegacyTLS negotiatedLegacyTLS, ChallengeCompletionHandler&& completionHandler)
 {
     RELEASE_LOG_IF_ALLOWED("didReceiveChallenge, authentication scheme: %u", challenge.protectionSpace().authenticationScheme());
 
@@ -101,7 +101,7 @@
         return;
     }
 
-    m_networkProcess->authenticationManager().didReceiveAuthenticationChallenge(m_parameters.sessionID, m_parameters.webPageProxyID, m_parameters.topOrigin ? &m_parameters.topOrigin->data() : nullptr, challenge, WTFMove(completionHandler));
+    m_networkProcess->authenticationManager().didReceiveAuthenticationChallenge(m_parameters.sessionID, m_parameters.webPageProxyID, m_parameters.topOrigin ? &m_parameters.topOrigin->data() : nullptr, challenge, negotiatedLegacyTLS, WTFMove(completionHandler));
 }
 
 void NetworkCORSPreflightChecker::didReceiveResponse(WebCore::ResourceResponse&& response, ResponseCompletionHandler&& completionHandler)

Modified: trunk/Source/WebKit/NetworkProcess/NetworkCORSPreflightChecker.h (255460 => 255461)


--- trunk/Source/WebKit/NetworkProcess/NetworkCORSPreflightChecker.h	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/NetworkProcess/NetworkCORSPreflightChecker.h	2020-01-30 22:53:22 UTC (rev 255461)
@@ -68,7 +68,7 @@
 
 private:
     void willPerformHTTPRedirection(WebCore::ResourceResponse&&, WebCore::ResourceRequest&&, RedirectCompletionHandler&&) final;
-    void didReceiveChallenge(WebCore::AuthenticationChallenge&&, ChallengeCompletionHandler&&) final;
+    void didReceiveChallenge(WebCore::AuthenticationChallenge&&, NegotiatedLegacyTLS, ChallengeCompletionHandler&&) final;
     void didReceiveResponse(WebCore::ResourceResponse&&, ResponseCompletionHandler&&) final;
     void didReceiveData(Ref<WebCore::SharedBuffer>&&) final;
     void didCompleteWithError(const WebCore::ResourceError&, const WebCore::NetworkLoadMetrics&) final;

Modified: trunk/Source/WebKit/NetworkProcess/NetworkDataTask.h (255460 => 255461)


--- trunk/Source/WebKit/NetworkProcess/NetworkDataTask.h	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/NetworkProcess/NetworkDataTask.h	2020-01-30 22:53:22 UTC (rev 255461)
@@ -52,6 +52,7 @@
 class NetworkSession;
 class PendingDownload;
 enum class AuthenticationChallengeDisposition : uint8_t;
+enum class NegotiatedLegacyTLS : bool;
 
 using RedirectCompletionHandler = CompletionHandler<void(WebCore::ResourceRequest&&)>;
 using ChallengeCompletionHandler = CompletionHandler<void(AuthenticationChallengeDisposition, const WebCore::Credential&)>;
@@ -60,7 +61,7 @@
 class NetworkDataTaskClient {
 public:
     virtual void willPerformHTTPRedirection(WebCore::ResourceResponse&&, WebCore::ResourceRequest&&, RedirectCompletionHandler&&) = 0;
-    virtual void didReceiveChallenge(WebCore::AuthenticationChallenge&&, ChallengeCompletionHandler&&) = 0;
+    virtual void didReceiveChallenge(WebCore::AuthenticationChallenge&&, NegotiatedLegacyTLS, ChallengeCompletionHandler&&) = 0;
     virtual void didReceiveResponse(WebCore::ResourceResponse&&, ResponseCompletionHandler&&) = 0;
     virtual void didReceiveData(Ref<WebCore::SharedBuffer>&&) = 0;
     virtual void didCompleteWithError(const WebCore::ResourceError&, const WebCore::NetworkLoadMetrics&) = 0;

Modified: trunk/Source/WebKit/NetworkProcess/NetworkLoad.cpp (255460 => 255461)


--- trunk/Source/WebKit/NetworkProcess/NetworkLoad.cpp	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/NetworkProcess/NetworkLoad.cpp	2020-01-30 22:53:22 UTC (rev 255461)
@@ -187,7 +187,7 @@
     m_client.get().willSendRedirectedRequest(WTFMove(oldRequest), WTFMove(request), WTFMove(redirectResponse));
 }
 
-void NetworkLoad::didReceiveChallenge(AuthenticationChallenge&& challenge, ChallengeCompletionHandler&& completionHandler)
+void NetworkLoad::didReceiveChallenge(AuthenticationChallenge&& challenge, NegotiatedLegacyTLS negotiatedLegacyTLS, ChallengeCompletionHandler&& completionHandler)
 {
     m_client.get().didReceiveChallenge(challenge);
 
@@ -203,7 +203,7 @@
     if (auto* pendingDownload = m_task->pendingDownload())
         m_networkProcess->authenticationManager().didReceiveAuthenticationChallenge(*pendingDownload, challenge, WTFMove(completionHandler));
     else
-        m_networkProcess->authenticationManager().didReceiveAuthenticationChallenge(m_task->sessionID(), m_parameters.webPageProxyID, m_parameters.topOrigin ? &m_parameters.topOrigin->data() : nullptr, challenge, WTFMove(completionHandler));
+        m_networkProcess->authenticationManager().didReceiveAuthenticationChallenge(m_task->sessionID(), m_parameters.webPageProxyID, m_parameters.topOrigin ? &m_parameters.topOrigin->data() : nullptr, challenge, negotiatedLegacyTLS, WTFMove(completionHandler));
 }
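Review bot: The download branch on the first context line of this hunk (`if (auto* pendingDownload = m_task->pendingDownload())`) still calls the `PendingDownload` overload without `negotiatedLegacyTLS`, so a download negotiated over TLS 1.0/1.1 will not reach the delegate's legacy-TLS decision while a page load to the same host will. If downloads are meant to follow the same policy, thread the flag through that call too: `m_networkProcess->authenticationManager().didReceiveAuthenticationChallenge(*pendingDownload, challenge, negotiatedLegacyTLS, WTFMove(completionHandler));` (that overload's declaration is outside this hunk and would need the matching parameter). If the omission is deliberate, a one-line comment such as `// Downloads are intentionally exempt from the legacy TLS check.` would keep the next reader from treating it as a gap.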
 
 void NetworkLoad::didReceiveResponse(ResourceResponse&& response, ResponseCompletionHandler&& completionHandler)

Modified: trunk/Source/WebKit/NetworkProcess/NetworkLoad.h (255460 => 255461)


--- trunk/Source/WebKit/NetworkProcess/NetworkLoad.h	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/NetworkProcess/NetworkLoad.h	2020-01-30 22:53:22 UTC (rev 255461)
@@ -73,7 +73,7 @@
 
     // NetworkDataTaskClient
     void willPerformHTTPRedirection(WebCore::ResourceResponse&&, WebCore::ResourceRequest&&, RedirectCompletionHandler&&) final;
-    void didReceiveChallenge(WebCore::AuthenticationChallenge&&, ChallengeCompletionHandler&&) final;
+    void didReceiveChallenge(WebCore::AuthenticationChallenge&&, NegotiatedLegacyTLS, ChallengeCompletionHandler&&) final;
     void didReceiveResponse(WebCore::ResourceResponse&&, ResponseCompletionHandler&&) final;
     void didReceiveData(Ref<WebCore::SharedBuffer>&&) final;
     void didCompleteWithError(const WebCore::ResourceError&, const WebCore::NetworkLoadMetrics&) final;

Modified: trunk/Source/WebKit/NetworkProcess/NetworkProcessCreationParameters.cpp (255460 => 255461)


--- trunk/Source/WebKit/NetworkProcess/NetworkProcessCreationParameters.cpp	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/NetworkProcess/NetworkProcessCreationParameters.cpp	2020-01-30 22:53:22 UTC (rev 255461)
@@ -77,7 +77,6 @@
     encoder << enableAdClickAttributionDebugMode;
     encoder << hstsStorageDirectory;
     encoder << hstsStorageDirectoryExtensionHandle;
-    encoder << enableLegacyTLS;
 }
 
 bool NetworkProcessCreationParameters::decode(IPC::Decoder& decoder, NetworkProcessCreationParameters& result)
@@ -179,9 +178,6 @@
 
     if (!decoder.decode(result.hstsStorageDirectoryExtensionHandle))
         return false;
-    
-    if (!decoder.decode(result.enableLegacyTLS))
-        return false;
 
     return true;
 }

Modified: trunk/Source/WebKit/NetworkProcess/NetworkProcessCreationParameters.h (255460 => 255461)


--- trunk/Source/WebKit/NetworkProcess/NetworkProcessCreationParameters.h	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/NetworkProcess/NetworkProcessCreationParameters.h	2020-01-30 22:53:22 UTC (rev 255461)
@@ -97,7 +97,6 @@
     bool enableAdClickAttributionDebugMode { false };
     String hstsStorageDirectory;
     SandboxExtension::Handle hstsStorageDirectoryExtensionHandle;
-    bool enableLegacyTLS { false };
 };
 
 } // namespace WebKit

Modified: trunk/Source/WebKit/NetworkProcess/NetworkSessionCreationParameters.cpp (255460 => 255461)


--- trunk/Source/WebKit/NetworkProcess/NetworkSessionCreationParameters.cpp	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/NetworkProcess/NetworkSessionCreationParameters.cpp	2020-01-30 22:53:22 UTC (rev 255461)
@@ -51,7 +51,6 @@
     encoder << loadThrottleLatency;
     encoder << httpProxy;
     encoder << httpsProxy;
-    encoder << enableLegacyTLS;
 #endif
 #if USE(SOUP)
     encoder << cookiePersistentStoragePath;
@@ -138,11 +137,6 @@
     decoder >> httpsProxy;
     if (!httpsProxy)
         return WTF::nullopt;
-
-    Optional<bool> enableLegacyTLS;
-    decoder >> enableLegacyTLS;
-    if (!enableLegacyTLS)
-        return WTF::nullopt;
 #endif
 
 #if USE(SOUP)
@@ -288,7 +282,6 @@
         , WTFMove(*loadThrottleLatency)
         , WTFMove(*httpProxy)
         , WTFMove(*httpsProxy)
-        , WTFMove(*enableLegacyTLS)
 #endif
 #if USE(SOUP)
         , WTFMove(*cookiePersistentStoragePath)

Modified: trunk/Source/WebKit/NetworkProcess/NetworkSessionCreationParameters.h (255460 => 255461)


--- trunk/Source/WebKit/NetworkProcess/NetworkSessionCreationParameters.h	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/NetworkProcess/NetworkSessionCreationParameters.h	2020-01-30 22:53:22 UTC (rev 255461)
@@ -70,7 +70,6 @@
     Seconds loadThrottleLatency;
     URL httpProxy;
     URL httpsProxy;
-    bool enableLegacyTLS { false };
 #endif
 #if USE(SOUP)
     String cookiePersistentStoragePath;

Modified: trunk/Source/WebKit/NetworkProcess/PingLoad.cpp (255460 => 255461)


--- trunk/Source/WebKit/NetworkProcess/PingLoad.cpp	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/NetworkProcess/PingLoad.cpp	2020-01-30 22:53:22 UTC (rev 255461)
@@ -146,11 +146,11 @@
     });
 }
 
-void PingLoad::didReceiveChallenge(AuthenticationChallenge&& challenge, ChallengeCompletionHandler&& completionHandler)
+void PingLoad::didReceiveChallenge(AuthenticationChallenge&& challenge, NegotiatedLegacyTLS negotiatedLegacyTLS, ChallengeCompletionHandler&& completionHandler)
 {
     RELEASE_LOG_IF_ALLOWED("didReceiveChallenge");
     if (challenge.protectionSpace().authenticationScheme() == ProtectionSpaceAuthenticationSchemeServerTrustEvaluationRequested) {
-        m_networkLoadChecker->networkProcess().authenticationManager().didReceiveAuthenticationChallenge(m_sessionID, m_parameters.webPageProxyID,  m_parameters.topOrigin ? &m_parameters.topOrigin->data() : nullptr, challenge, WTFMove(completionHandler));
+        m_networkLoadChecker->networkProcess().authenticationManager().didReceiveAuthenticationChallenge(m_sessionID, m_parameters.webPageProxyID,  m_parameters.topOrigin ? &m_parameters.topOrigin->data() : nullptr, challenge, negotiatedLegacyTLS, WTFMove(completionHandler));
         return;
     }
     auto weakThis = makeWeakPtr(*this);

Modified: trunk/Source/WebKit/NetworkProcess/PingLoad.h (255460 => 255461)


--- trunk/Source/WebKit/NetworkProcess/PingLoad.h	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/NetworkProcess/PingLoad.h	2020-01-30 22:53:22 UTC (rev 255461)
@@ -52,7 +52,7 @@
     const URL& currentURL() const;
 
     void willPerformHTTPRedirection(WebCore::ResourceResponse&&, WebCore::ResourceRequest&&, RedirectCompletionHandler&&) final;
-    void didReceiveChallenge(WebCore::AuthenticationChallenge&&, ChallengeCompletionHandler&&) final;
+    void didReceiveChallenge(WebCore::AuthenticationChallenge&&, NegotiatedLegacyTLS, ChallengeCompletionHandler&&) final;
     void didReceiveResponse(WebCore::ResourceResponse&&, ResponseCompletionHandler&&) final;
     void didReceiveData(Ref<WebCore::SharedBuffer>&&) final;
     void didCompleteWithError(const WebCore::ResourceError&, const WebCore::NetworkLoadMetrics&) final;

Modified: trunk/Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.h (255460 => 255461)


--- trunk/Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.h	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.h	2020-01-30 22:53:22 UTC (rev 255461)
@@ -52,7 +52,7 @@
     using TaskIdentifier = uint64_t;
 
     void didSendData(uint64_t totalBytesSent, uint64_t totalBytesExpectedToSend);
-    void didReceiveChallenge(WebCore::AuthenticationChallenge&&, ChallengeCompletionHandler&&);
+    void didReceiveChallenge(WebCore::AuthenticationChallenge&&, NegotiatedLegacyTLS, ChallengeCompletionHandler&&);
     void didCompleteWithError(const WebCore::ResourceError&, const WebCore::NetworkLoadMetrics&);
     void didReceiveResponse(WebCore::ResourceResponse&&, ResponseCompletionHandler&&);
     void didReceiveData(Ref<WebCore::SharedBuffer>&&);

Modified: trunk/Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm (255460 => 255461)


--- trunk/Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm	2020-01-30 22:53:22 UTC (rev 255461)
@@ -52,13 +52,6 @@
 #import <CFNetwork/CFNSURLConnection.h>
 #endif
 
-#if __has_include(<WebKitAdditions/NetworkDataTaskCocoaAdditions.h>)
-#include <WebKitAdditions/NetworkDataTaskCocoaAdditions.h>
-#else
-#define NETWORK_DATA_TASK_COCOA_ADDITIONS_1
-#define NETWORK_DATA_TASK_COCOA_ADDITIONS_2
-#endif
-
 #if HAVE(OS_SIGNPOST)
 
 #import <os/signpost.h>
@@ -285,8 +278,6 @@
     applySniffingPoliciesAndBindRequestToInferfaceIfNeeded(nsRequest, shouldContentSniff == WebCore::ContentSniffingPolicy::SniffContent && !url.isLocalFile(), shouldContentEncodingSniff == WebCore::ContentEncodingSniffingPolicy::Sniff);
 
     m_task = [m_sessionWrapper.session dataTaskWithRequest:nsRequest];
-    
-    NETWORK_DATA_TASK_COCOA_ADDITIONS_1;
 
     BEGIN_SIGNPOST(m_task, "%{public}s pri: %f preconnect: %d", url.string().ascii().data(), toNSURLSessionTaskPriority(request.priority()), shouldPreconnectOnly == PreconnectOnly::Yes);
 
@@ -348,7 +339,7 @@
         m_client->didSendData(totalBytesSent, totalBytesExpectedToSend);
 }
 
-void NetworkDataTaskCocoa::didReceiveChallenge(WebCore::AuthenticationChallenge&& challenge, ChallengeCompletionHandler&& completionHandler)
+void NetworkDataTaskCocoa::didReceiveChallenge(WebCore::AuthenticationChallenge&& challenge, NegotiatedLegacyTLS negotiatedLegacyTLS, ChallengeCompletionHandler&& completionHandler)
 {
     EMIT_SIGNPOST(m_task, "received challenge");
 
@@ -356,7 +347,7 @@
         return;
 
     if (m_client)
-        m_client->didReceiveChallenge(WTFMove(challenge), WTFMove(completionHandler));
+        m_client->didReceiveChallenge(WTFMove(challenge), negotiatedLegacyTLS, WTFMove(completionHandler));
     else {
         ASSERT_NOT_REACHED();
         completionHandler(AuthenticationChallengeDisposition::PerformDefaultHandling, { });
@@ -460,9 +451,6 @@
                 return completionHandler({ });
             if (!request.isNull())
                 restrictRequestReferrerToOriginIfNeeded(request);
-
-            NETWORK_DATA_TASK_COCOA_ADDITIONS_2;
-
             completionHandler(WTFMove(request));
         });
     else {

Modified: trunk/Source/WebKit/NetworkProcess/cocoa/NetworkProcessCocoa.mm (255460 => 255461)


--- trunk/Source/WebKit/NetworkProcess/cocoa/NetworkProcessCocoa.mm	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/NetworkProcess/cocoa/NetworkProcessCocoa.mm	2020-01-30 22:53:22 UTC (rev 255461)
@@ -70,8 +70,6 @@
 
 void NetworkProcess::platformInitializeNetworkProcessCocoa(const NetworkProcessCreationParameters& parameters)
 {
-    WebCore::SocketStreamHandleImpl::setLegacyTLSEnabled(parameters.enableLegacyTLS);
-
     WebCore::setApplicationBundleIdentifier(parameters.uiProcessBundleIdentifier);
     WebCore::setApplicationSDKVersion(parameters.uiProcessSDKVersion);
 

Modified: trunk/Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.h (255460 => 255461)


--- trunk/Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.h	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.h	2020-01-30 22:53:22 UTC (rev 255461)
@@ -45,6 +45,7 @@
 
 namespace WebKit {
 
+enum class NegotiatedLegacyTLS : bool;
 class LegacyCustomProtocolManager;
 class NetworkSessionCocoa;
 
@@ -78,7 +79,7 @@
 
     static bool allowsSpecificHTTPSCertificateForHost(const WebCore::AuthenticationChallenge&);
 
-    void continueDidReceiveChallenge(SessionWrapper&, const WebCore::AuthenticationChallenge&, NetworkDataTaskCocoa::TaskIdentifier, NetworkDataTaskCocoa*, CompletionHandler<void(WebKit::AuthenticationChallengeDisposition, const WebCore::Credential&)>&&);
+    void continueDidReceiveChallenge(SessionWrapper&, const WebCore::AuthenticationChallenge&, NegotiatedLegacyTLS, NetworkDataTaskCocoa::TaskIdentifier, NetworkDataTaskCocoa*, CompletionHandler<void(WebKit::AuthenticationChallengeDisposition, const WebCore::Credential&)>&&);
 
     SessionWrapper& sessionWrapperForDownloads() { return m_sessionWithCredentialStorage; }
 

Modified: trunk/Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm (255460 => 255461)


--- trunk/Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm	2020-01-30 22:53:22 UTC (rev 255461)
@@ -596,9 +596,9 @@
 }
 
 #if HAVE(CFNETWORK_NSURLSESSION_STRICTRUSTEVALUATE)
-static inline void processServerTrustEvaluation(NetworkSessionCocoa *session, SessionWrapper& sessionWrapper, NSURLAuthenticationChallenge *challenge, NetworkDataTaskCocoa::TaskIdentifier taskIdentifier, NetworkDataTaskCocoa* networkDataTask, CompletionHandler<void(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential)>&& completionHandler)
+static inline void processServerTrustEvaluation(NetworkSessionCocoa& session, SessionWrapper& sessionWrapper, NSURLAuthenticationChallenge *challenge, NegotiatedLegacyTLS negotiatedLegacyTLS, NetworkDataTaskCocoa::TaskIdentifier taskIdentifier, NetworkDataTaskCocoa* networkDataTask, CompletionHandler<void(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential)>&& completionHandler)
 {
-    session->continueDidReceiveChallenge(sessionWrapper, challenge, taskIdentifier, networkDataTask, [completionHandler = WTFMove(completionHandler), secTrust = retainPtr(challenge.protectionSpace.serverTrust)] (WebKit::AuthenticationChallengeDisposition disposition, const WebCore::Credential& credential) mutable {
+    session.continueDidReceiveChallenge(sessionWrapper, challenge, negotiatedLegacyTLS, taskIdentifier, networkDataTask, [completionHandler = WTFMove(completionHandler), secTrust = retainPtr(challenge.protectionSpace.serverTrust)] (WebKit::AuthenticationChallengeDisposition disposition, const WebCore::Credential& credential) mutable {
         // FIXME: UIProcess should send us back non nil credentials but the credential IPC encoder currently only serializes ns credentials for username/password.
         if (disposition == WebKit::AuthenticationChallengeDisposition::UseCredential && !credential.nsCredential()) {
             completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust: secTrust.get()]);
@@ -628,16 +628,32 @@
         return;
     }
 
+    NegotiatedLegacyTLS negotiatedLegacyTLS = NegotiatedLegacyTLS::No;
+
     if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
         if (NetworkSessionCocoa::allowsSpecificHTTPSCertificateForHost(challenge))
             return completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
 
+#if HAVE(TLS_PROTOCOL_VERSION_T)
+        NSURLSessionTaskTransactionMetrics *metrics = task._incompleteTaskMetrics.transactionMetrics.lastObject;
+        auto tlsVersion = (tls_protocol_version_t)metrics.negotiatedTLSProtocolVersion.unsignedShortValue;
+        if (tlsVersion == tls_protocol_version_TLSv10 || tlsVersion == tls_protocol_version_TLSv11)
+            negotiatedLegacyTLS = NegotiatedLegacyTLS::Yes;
+#endif
+        ALLOW_DEPRECATED_DECLARATIONS_BEGIN
+        if (negotiatedLegacyTLS == NegotiatedLegacyTLS::No && [task respondsToSelector:@selector(_TLSNegotiatedProtocolVersion)]) {
+            SSLProtocol tlsVersion = [task _TLSNegotiatedProtocolVersion];
+            if (tlsVersion == kTLSProtocol11 || tlsVersion == kTLSProtocol1)
+                negotiatedLegacyTLS = NegotiatedLegacyTLS::Yes;
+        }
+        ALLOW_DEPRECATED_DECLARATIONS_END
+
         // Handle server trust evaluation at platform-level if requested, for performance reasons and to use ATS defaults.
-        if (sessionCocoa->fastServerTrustEvaluationEnabled()) {
+        if (sessionCocoa->fastServerTrustEvaluationEnabled() && negotiatedLegacyTLS == NegotiatedLegacyTLS::No) {
 #if HAVE(CFNETWORK_NSURLSESSION_STRICTRUSTEVALUATE)
             auto* networkDataTask = [self existingTask:task];
             ASSERT(networkDataTask);
-            auto decisionHandler = makeBlockPtr([weakSelf = WeakObjCPtr<WKNetworkSessionDelegate>(self), sessionCocoa = makeWeakPtr(sessionCocoa), completionHandler = makeBlockPtr(completionHandler), taskIdentifier, networkDataTask = RefPtr<NetworkDataTaskCocoa>(networkDataTask)](NSURLAuthenticationChallenge *challenge, OSStatus trustResult) mutable {
+            auto decisionHandler = makeBlockPtr([weakSelf = WeakObjCPtr<WKNetworkSessionDelegate>(self), sessionCocoa = makeWeakPtr(sessionCocoa), completionHandler = makeBlockPtr(completionHandler), taskIdentifier, networkDataTask = makeRefPtr(networkDataTask), negotiatedLegacyTLS](NSURLAuthenticationChallenge *challenge, OSStatus trustResult) mutable {
                 auto strongSelf = weakSelf.get();
                 if (!strongSelf)
                     return completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
@@ -647,7 +663,7 @@
                     completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
                     return;
                 }
-                processServerTrustEvaluation(session, *strongSelf->_sessionWrapper, challenge, taskIdentifier, task.get(), WTFMove(completionHandler));
+                processServerTrustEvaluation(*session, *strongSelf->_sessionWrapper, challenge, negotiatedLegacyTLS, taskIdentifier, task.get(), WTFMove(completionHandler));
             });
             [NSURLSession _strictTrustEvaluate:challenge queue:[NSOperationQueue mainQueue].underlyingQueue completionHandler:decisionHandler.get()];
             return;
@@ -656,7 +672,7 @@
 #endif
         }
     }
-    sessionCocoa->continueDidReceiveChallenge(*_sessionWrapper, challenge, taskIdentifier, [self existingTask:task], [completionHandler = makeBlockPtr(completionHandler)] (WebKit::AuthenticationChallengeDisposition disposition, const WebCore::Credential& credential) mutable {
+    sessionCocoa->continueDidReceiveChallenge(*_sessionWrapper, challenge, negotiatedLegacyTLS, taskIdentifier, [self existingTask:task], [completionHandler = makeBlockPtr(completionHandler)] (WebKit::AuthenticationChallengeDisposition disposition, const WebCore::Credential& credential) mutable {
         completionHandler(toNSURLSessionAuthChallengeDisposition(disposition), credential.nsCredential());
     });
 }
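Review bot: The legacy-TLS detection sits after the `allowsSpecificHTTPSCertificateForHost` early return (the context line just above the new `#if HAVE(TLS_PROTOCOL_VERSION_T)` block), so a host whose certificate has been explicitly allowed completes a TLS 1.0/1.1 handshake without the navigation delegate ever being consulted; if that is not intended, compute `negotiatedLegacyTLS` first and guard the early return with `&& negotiatedLegacyTLS == NegotiatedLegacyTLS::No`. Both detection paths also fail open: a nil `lastObject` makes `unsignedShortValue` yield 0, and a task that does not respond to `_TLSNegotiatedProtocolVersion` leaves the flag at `No`, so on a platform with neither signal the delegate is never asked; a comment such as `// No version signal available: treated as modern TLS (fails open).` would make that trade-off explicit. The inner `SSLProtocol tlsVersion` shadows the `auto tlsVersion` declared in the `#if` block on builds where both compile; renaming it (e.g. `legacyTLSVersion`) avoids a -Wshadow warning. The enclosing delegate method begins before this hunk.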
@@ -1019,14 +1035,6 @@
 
     NSURLSessionConfiguration *configuration = configurationForSessionID(m_sessionID);
 
-    if (!parameters.enableLegacyTLS) {
-#if HAVE(TLS_PROTOCOL_VERSION_T)
-        configuration.TLSMinimumSupportedProtocolVersion = tls_protocol_version_TLSv12;
-#else
-        configuration.TLSMinimumSupportedProtocol = kTLSProtocol12;
-#endif
-    }
-
 #if HAVE(APP_SSO)
     configuration._preventsAppSSO = true;
 #endif
@@ -1297,7 +1305,7 @@
     return certificatesMatch(trust.get(), challenge.nsURLAuthenticationChallenge().protectionSpace.serverTrust);
 }
 
-void NetworkSessionCocoa::continueDidReceiveChallenge(SessionWrapper& sessionWrapper, const WebCore::AuthenticationChallenge& challenge, NetworkDataTaskCocoa::TaskIdentifier taskIdentifier, NetworkDataTaskCocoa* networkDataTask, CompletionHandler<void(WebKit::AuthenticationChallengeDisposition, const WebCore::Credential&)>&& completionHandler)
+void NetworkSessionCocoa::continueDidReceiveChallenge(SessionWrapper& sessionWrapper, const WebCore::AuthenticationChallenge& challenge, NegotiatedLegacyTLS negotiatedLegacyTLS, NetworkDataTaskCocoa::TaskIdentifier taskIdentifier, NetworkDataTaskCocoa* networkDataTask, CompletionHandler<void(WebKit::AuthenticationChallengeDisposition, const WebCore::Credential&)>&& completionHandler)
 {
     if (!networkDataTask) {
 #if HAVE(NSURLSESSION_WEBSOCKET)
@@ -1349,7 +1357,7 @@
 #endif
         completionHandler(disposition, credential);
     };
-    networkDataTask->didReceiveChallenge(WTFMove(authenticationChallenge), WTFMove(challengeCompletionHandler));
+    networkDataTask->didReceiveChallenge(WTFMove(authenticationChallenge), negotiatedLegacyTLS, WTFMove(challengeCompletionHandler));
 }
 
 DMFWebsitePolicyMonitor *NetworkSessionCocoa::deviceManagementPolicyMonitor()

Modified: trunk/Source/WebKit/NetworkProcess/curl/NetworkDataTaskCurl.cpp (255460 => 255461)


--- trunk/Source/WebKit/NetworkProcess/curl/NetworkDataTaskCurl.cpp	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/NetworkProcess/curl/NetworkDataTaskCurl.cpp	2020-01-30 22:53:22 UTC (rev 255461)
@@ -354,7 +354,7 @@
         }
     }
 
-    m_client->didReceiveChallenge(AuthenticationChallenge(challenge), [this, protectedThis = makeRef(*this), challenge](AuthenticationChallengeDisposition disposition, const Credential& credential) {
+    m_client->didReceiveChallenge(AuthenticationChallenge(challenge), NegotiatedLegacyTLS::No, [this, protectedThis = makeRef(*this), challenge](AuthenticationChallengeDisposition disposition, const Credential& credential) {
         if (m_state == State::Canceling || m_state == State::Completed)
             return;
 
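Review bot: The curl port passes `NegotiatedLegacyTLS::No` unconditionally at all three call sites, so the new shouldAllowLegacyTLS gate can never fire for these loads even when the server actually negotiated TLS 1.0 or 1.1; whether those versions are refused at all on this port depends on the curl handle's own configuration, which this hunk does not show. A `// FIXME: report the negotiated TLS version instead of hard-coding No; the legacy-TLS gate is not enforced on this port.` on each call would stop a reader from assuming the gate applies here. The enclosing function starts before the hunk.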
@@ -380,7 +380,7 @@
 
 void NetworkDataTaskCurl::tryProxyAuthentication(WebCore::AuthenticationChallenge&& challenge)
 {
-    m_client->didReceiveChallenge(AuthenticationChallenge(challenge), [this, protectedThis = makeRef(*this), challenge](AuthenticationChallengeDisposition disposition, const Credential& credential) {
+    m_client->didReceiveChallenge(AuthenticationChallenge(challenge), NegotiatedLegacyTLS::No, [this, protectedThis = makeRef(*this), challenge](AuthenticationChallengeDisposition disposition, const Credential& credential) {
         if (m_state == State::Canceling || m_state == State::Completed)
             return;
 
@@ -405,7 +405,7 @@
 
 void NetworkDataTaskCurl::tryServerTrustEvaluation(AuthenticationChallenge&& challenge)
 {
-    m_client->didReceiveChallenge(AuthenticationChallenge(challenge), [this, protectedThis = makeRef(*this), challenge](AuthenticationChallengeDisposition disposition, const Credential& credential) {
+    m_client->didReceiveChallenge(AuthenticationChallenge(challenge), NegotiatedLegacyTLS::No, [this, protectedThis = makeRef(*this), challenge](AuthenticationChallengeDisposition disposition, const Credential& credential) {
         if (m_state == State::Canceling || m_state == State::Completed)
             return;
 

Modified: trunk/Source/WebKit/NetworkProcess/soup/NetworkDataTaskSoup.cpp (255460 => 255461)


--- trunk/Source/WebKit/NetworkProcess/soup/NetworkDataTaskSoup.cpp	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/NetworkProcess/soup/NetworkDataTaskSoup.cpp	2020-01-30 22:53:22 UTC (rev 255461)
@@ -531,7 +531,7 @@
 
 void NetworkDataTaskSoup::continueAuthenticate(AuthenticationChallenge&& challenge)
 {
-    m_client->didReceiveChallenge(AuthenticationChallenge(challenge), [this, protectedThis = makeRef(*this), challenge](AuthenticationChallengeDisposition disposition, const Credential& credential) {
+    m_client->didReceiveChallenge(AuthenticationChallenge(challenge), NegotiatedLegacyTLS::No, [this, protectedThis = makeRef(*this), challenge](AuthenticationChallengeDisposition disposition, const Credential& credential) {
         if (m_state == State::Canceling || m_state == State::Completed) {
             clearRequest();
             return;
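Review bot: The soup port hard-codes `NegotiatedLegacyTLS::No` in continueAuthenticate, so the navigation client's shouldAllowLegacyTLS is never consulted on this port regardless of what the connection negotiated, and nothing in the hunk shows a minimum version being enforced elsewhere. Mark it so readers do not assume the gate is active: `// FIXME: negotiated TLS version is not reported here; legacy TLS is never gated on the soup port.` The function continues past the hunk.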

Modified: trunk/Source/WebKit/Shared/Authentication/AuthenticationManager.cpp (255460 => 255461)


--- trunk/Source/WebKit/Shared/Authentication/AuthenticationManager.cpp	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/Shared/Authentication/AuthenticationManager.cpp	2020-01-30 22:53:22 UTC (rev 255461)
@@ -109,7 +109,7 @@
     return challengesToCoalesce;
 }
 
-void AuthenticationManager::didReceiveAuthenticationChallenge(PAL::SessionID sessionID, WebPageProxyIdentifier pageID, const SecurityOriginData* topOrigin, const AuthenticationChallenge& authenticationChallenge, ChallengeCompletionHandler&& completionHandler)
+void AuthenticationManager::didReceiveAuthenticationChallenge(PAL::SessionID sessionID, WebPageProxyIdentifier pageID, const SecurityOriginData* topOrigin, const AuthenticationChallenge& authenticationChallenge, NegotiatedLegacyTLS negotiatedLegacyTLS, ChallengeCompletionHandler&& completionHandler)
 {
     if (!pageID)
         return completionHandler(AuthenticationChallengeDisposition::PerformDefaultHandling, { });
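Review bot: The early return for a missing pageID still answers PerformDefaultHandling without reading the new negotiatedLegacyTLS argument, so a TLS 1.0/1.1 connection made for a load with no page never reaches the navigation client's shouldAllowLegacyTLS gate, and with the session-level minimum version dropped elsewhere in this commit nothing further down refuses it. If page-less loads are meant to stay ungated for now, record that: `// FIXME: negotiatedLegacyTLS is ignored here; challenges without a page are not gated by shouldAllowLegacyTLS.` If they should be refused, answer `AuthenticationChallengeDisposition::Cancel` when `negotiatedLegacyTLS == NegotiatedLegacyTLS::Yes` instead. The function continues past the hunk.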
@@ -123,7 +123,7 @@
     Optional<SecurityOriginData> topOriginData;
     if (topOrigin)
         topOriginData = *topOrigin;
-    m_process.send(Messages::NetworkProcessProxy::DidReceiveAuthenticationChallenge(sessionID, pageID, topOriginData, authenticationChallenge, challengeID));
+    m_process.send(Messages::NetworkProcessProxy::DidReceiveAuthenticationChallenge(sessionID, pageID, topOriginData, authenticationChallenge, negotiatedLegacyTLS == NegotiatedLegacyTLS::Yes, challengeID));
 }
 
 void AuthenticationManager::didReceiveAuthenticationChallenge(IPC::MessageSender& download, const WebCore::AuthenticationChallenge& authenticationChallenge, ChallengeCompletionHandler&& completionHandler)

Modified: trunk/Source/WebKit/Shared/Authentication/AuthenticationManager.h (255460 => 255461)


--- trunk/Source/WebKit/Shared/Authentication/AuthenticationManager.h	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/Shared/Authentication/AuthenticationManager.h	2020-01-30 22:53:22 UTC (rev 255461)
@@ -57,6 +57,7 @@
 class DownloadID;
 class NetworkProcess;
 class WebFrame;
+enum class NegotiatedLegacyTLS : bool { No, Yes };
 
 enum class AuthenticationChallengeDisposition : uint8_t;
 using ChallengeCompletionHandler = CompletionHandler<void(AuthenticationChallengeDisposition, const WebCore::Credential&)>;
@@ -69,7 +70,7 @@
 
     static const char* supplementName();
 
-    void didReceiveAuthenticationChallenge(PAL::SessionID, WebPageProxyIdentifier, const WebCore::SecurityOriginData* , const WebCore::AuthenticationChallenge&, ChallengeCompletionHandler&&);
+    void didReceiveAuthenticationChallenge(PAL::SessionID, WebPageProxyIdentifier, const WebCore::SecurityOriginData* , const WebCore::AuthenticationChallenge&, NegotiatedLegacyTLS, ChallengeCompletionHandler&&);
     void didReceiveAuthenticationChallenge(IPC::MessageSender& download, const WebCore::AuthenticationChallenge&, ChallengeCompletionHandler&&);
 
     void completeAuthenticationChallenge(uint64_t challengeID, AuthenticationChallengeDisposition, WebCore::Credential&&);
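Review bot: The download overload on the line after the changed declaration keeps its old signature with no NegotiatedLegacyTLS parameter, so challenges raised for downloads carry no legacy-TLS information and are never routed through the new gate. That is presumably a deliberate first step, but a one-line comment on that overload, `// Downloads are not yet gated on legacy TLS; see the page overload above.`, would keep the gap from being mistaken for coverage.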

Modified: trunk/Source/WebKit/UIProcess/API/APINavigationClient.h (255460 => 255461)


--- trunk/Source/WebKit/UIProcess/API/APINavigationClient.h	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/UIProcess/API/APINavigationClient.h	2020-01-30 22:53:22 UTC (rev 255461)
@@ -96,6 +96,7 @@
     virtual void renderingProgressDidChange(WebKit::WebPageProxy&, OptionSet<WebCore::LayoutMilestone>) { }
 
     virtual void didReceiveAuthenticationChallenge(WebKit::WebPageProxy&, WebKit::AuthenticationChallengeProxy& challenge) { challenge.listener().completeChallenge(WebKit::AuthenticationChallengeDisposition::PerformDefaultHandling); }
+    virtual void shouldAllowLegacyTLS(WebKit::WebPageProxy&, WebKit::AuthenticationChallengeProxy&, CompletionHandler<void(bool)>&& completionHandler) { completionHandler(true); }
     virtual bool shouldBypassContentModeSafeguards() const { return false; }
 
     // FIXME: These function should not be part of this client.
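Review bot: The base-class default for shouldAllowLegacyTLS is `completionHandler(true)`, so every API::NavigationClient that does not override it (the C API and non-Cocoa ports) silently accepts TLS 1.0/1.1 now that the session-level minimum version is no longer configured in this commit. A safer default would defer to the data store, `completionHandler(page.websiteDataStore().configuration().legacyTLSEnabled())`, which presumably needs the method moved out of line if WebPageProxy is only forward-declared in this header; failing that, a comment stating that the default permits legacy TLS and that subclasses are expected to override it.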

Modified: trunk/Source/WebKit/UIProcess/API/Cocoa/WKNavigationDelegatePrivate.h (255460 => 255461)


--- trunk/Source/WebKit/UIProcess/API/Cocoa/WKNavigationDelegatePrivate.h	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/UIProcess/API/Cocoa/WKNavigationDelegatePrivate.h	2020-01-30 22:53:22 UTC (rev 255461)
@@ -86,6 +86,8 @@
 
 - (NSData *)_webCryptoMasterKeyForWebView:(WKWebView *)webView;
 
+- (void)_webView:(WKWebView *)webView authenticationChallenge:(NSURLAuthenticationChallenge *)challenge shouldAllowLegacyTLS:(void (^)(BOOL))completionHandler WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
+
 - (void)_webViewDidBeginNavigationGesture:(WKWebView *)webView;
 // Item is nil if the gesture ended without navigation.
 - (void)_webViewDidEndNavigationGesture:(WKWebView *)webView withNavigationToBackForwardListItem:(WKBackForwardListItem *)item;
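Review bot: The new SPI `_webView:authenticationChallenge:shouldAllowLegacyTLS:` is declared without a doc comment, and its contract is not recoverable from the header alone: when it is called, what the challenge argument represents, and what answering NO does. From the rest of the commit it appears to be invoked only when the connection negotiated TLS 1.0 or 1.1, ahead of the normal didReceiveAuthenticationChallenge callback, with NO cancelling the challenge and thereby failing the load, and with the data store configuration and managed settings deciding when the method is not implemented; a comment stating those points, plus that the completion handler must be called exactly once, would save adopters reading WebPageProxy and NavigationState.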

Modified: trunk/Source/WebKit/UIProcess/Cocoa/NavigationState.h (255460 => 255461)


--- trunk/Source/WebKit/UIProcess/Cocoa/NavigationState.h	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/UIProcess/Cocoa/NavigationState.h	2020-01-30 22:53:22 UTC (rev 255461)
@@ -112,6 +112,7 @@
         bool shouldBypassContentModeSafeguards() const final;
 
         void didReceiveAuthenticationChallenge(WebPageProxy&, AuthenticationChallengeProxy&) override;
+        void shouldAllowLegacyTLS(WebPageProxy&, AuthenticationChallengeProxy&, CompletionHandler<void(bool)>&&) final;
         bool processDidTerminate(WebPageProxy&, ProcessTerminationReason) override;
         void processDidBecomeResponsive(WebPageProxy&) override;
         void processDidBecomeUnresponsive(WebPageProxy&) override;
@@ -215,6 +216,7 @@
 
         bool webViewRenderingProgressDidChange : 1;
         bool webViewDidReceiveAuthenticationChallengeCompletionHandler : 1;
+        bool webViewAuthenticationChallengeShouldAllowLegacyTLS : 1;
         bool webViewWebContentProcessDidTerminate : 1;
         bool webViewWebContentProcessDidTerminateWithReason : 1;
         bool webViewWebProcessDidCrash : 1;

Modified: trunk/Source/WebKit/UIProcess/Cocoa/NavigationState.mm (255460 => 255461)


--- trunk/Source/WebKit/UIProcess/Cocoa/NavigationState.mm	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/UIProcess/Cocoa/NavigationState.mm	2020-01-30 22:53:22 UTC (rev 255461)
@@ -79,6 +79,11 @@
 #import <wtf/NeverDestroyed.h>
 #import <wtf/URL.h>
 
+#if PLATFORM(IOS_FAMILY) && !PLATFORM(MACCATALYST)
+#import <pal/ios/ManagedConfigurationSoftLink.h>
+#import <pal/spi/ios/ManagedConfigurationSPI.h>
+#endif
+
 #if HAVE(APP_LINKS)
 #import <pal/spi/cocoa/LaunchServicesSPI.h>
 #endif
@@ -166,6 +171,7 @@
     m_navigationDelegateMethods.webViewNavigationDidSameDocumentNavigation = [delegate respondsToSelector:@selector(_webView:navigation:didSameDocumentNavigation:)];
     m_navigationDelegateMethods.webViewRenderingProgressDidChange = [delegate respondsToSelector:@selector(_webView:renderingProgressDidChange:)];
     m_navigationDelegateMethods.webViewDidReceiveAuthenticationChallengeCompletionHandler = [delegate respondsToSelector:@selector(webView:didReceiveAuthenticationChallenge:completionHandler:)];
+    m_navigationDelegateMethods.webViewAuthenticationChallengeShouldAllowLegacyTLS = [delegate respondsToSelector:@selector(_webView:authenticationChallenge:shouldAllowLegacyTLS:)];
     m_navigationDelegateMethods.webViewWebContentProcessDidTerminate = [delegate respondsToSelector:@selector(webViewWebContentProcessDidTerminate:)];
     m_navigationDelegateMethods.webViewWebContentProcessDidTerminateWithReason = [delegate respondsToSelector:@selector(_webView:webContentProcessDidTerminateWithReason:)];
     m_navigationDelegateMethods.webViewWebProcessDidCrash = [delegate respondsToSelector:@selector(_webViewWebProcessDidCrash:)];
@@ -973,6 +979,39 @@
     }).get()];
 }
 
+static bool systemAllowsLegacyTLSFor(WebPageProxy& page)
+{
+    bool enableLegacyTLS = page.websiteDataStore().configuration().legacyTLSEnabled();
+    if (id value = [[NSUserDefaults standardUserDefaults] objectForKey:@"WebKitEnableLegacyTLS"])
+        enableLegacyTLS = [value boolValue];
+    if (!enableLegacyTLS) {
+#if PLATFORM(IOS_FAMILY) && !PLATFORM(MACCATALYST)
+        enableLegacyTLS = [[PAL::getMCProfileConnectionClass() sharedConnection] effectiveBoolValueForSetting:@"allowDeprecatedWebKitTLS"] == MCRestrictedBoolExplicitYes;
+#elif PLATFORM(MAC)
+        enableLegacyTLS = CFPreferencesGetAppBooleanValue(CFSTR("allowDeprecatedWebKitTLS"), CFSTR("com.apple.applicationaccess"), nullptr);
+#endif
+    }
+    return enableLegacyTLS;
+}
+
+void NavigationState::NavigationClient::shouldAllowLegacyTLS(WebPageProxy& page, AuthenticationChallengeProxy& authenticationChallenge, CompletionHandler<void(bool)>&& completionHandler)
+{
+    if (!m_navigationState.m_navigationDelegateMethods.webViewAuthenticationChallengeShouldAllowLegacyTLS)
+        return completionHandler(systemAllowsLegacyTLSFor(page));
+
+    auto navigationDelegate = m_navigationState.m_navigationDelegate.get();
+    if (!navigationDelegate)
+        return completionHandler(systemAllowsLegacyTLSFor(page));
+
+    auto checker = CompletionHandlerCallChecker::create(navigationDelegate.get(), @selector(_webView:authenticationChallenge:shouldAllowLegacyTLS:));
+    [static_cast<id <WKNavigationDelegatePrivate>>(navigationDelegate.get()) _webView:m_navigationState.m_webView authenticationChallenge:wrapper(authenticationChallenge) shouldAllowLegacyTLS:makeBlockPtr([checker = WTFMove(checker), completionHandler = WTFMove(completionHandler)](BOOL shouldAllow) mutable {
+        if (checker->completionHandlerHasBeenCalled())
+            return;
+        checker->didCallCompletionHandler();
+        completionHandler(shouldAllow);
+    }).get()];
+}
+
 static _WKProcessTerminationReason wkProcessTerminationReason(ProcessTerminationReason reason)
 {
     switch (reason) {
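Review bot: In shouldAllowLegacyTLS the delegate's answer is final: once a client implements `_webView:authenticationChallenge:shouldAllowLegacyTLS:`, neither the WebKitEnableLegacyTLS user default nor the managed allowDeprecatedWebKitTLS setting read by systemAllowsLegacyTLSFor is consulted, and for clients that do not implement it the starting value is `configuration().legacyTLSEnabled()`, whose default this commit flips to true elsewhere, so the managed key can only ever re-enable legacy TLS, never disable it. That precedence is not obvious from the code; a comment above systemAllowsLegacyTLSFor such as `// Fallback used only when the navigation delegate does not implement the legacy-TLS SPI: data store configuration, then the WebKitEnableLegacyTLS default, then the managed allowDeprecatedWebKitTLS key, which can only allow.` would make it explicit. Separately, `[value boolValue]` on the raw objectForKey: result will raise for a value that is neither NSNumber nor NSString; `[[NSUserDefaults standardUserDefaults] boolForKey:@"WebKitEnableLegacyTLS"]` after the existence check avoids that.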

Modified: trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm (255460 => 255461)


--- trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm	2020-01-30 22:53:22 UTC (rev 255461)
@@ -384,18 +384,6 @@
         }
     }
 
-    parameters.enableLegacyTLS = false;
-    if (id value = [defaults objectForKey:@"WebKitEnableLegacyTLS"])
-        parameters.enableLegacyTLS = [value boolValue];
-    if (!parameters.enableLegacyTLS) {
-#if PLATFORM(IOS_FAMILY) && !PLATFORM(MACCATALYST)
-        parameters.enableLegacyTLS = [[PAL::getMCProfileConnectionClass() sharedConnection] effectiveBoolValueForSetting:@"allowDeprecatedWebKitTLS"] == MCRestrictedBoolExplicitYes;
-#elif PLATFORM(MAC)
-        parameters.enableLegacyTLS = CFPreferencesGetAppBooleanValue(CFSTR("allowDeprecatedWebKitTLS"), CFSTR("com.apple.applicationaccess"), nullptr);
-#endif
-    }
-    parameters.defaultDataStoreParameters.networkSessionParameters.enableLegacyTLS = parameters.enableLegacyTLS;
-
     parameters.networkATSContext = adoptCF(_CFNetworkCopyATSContext());
 
     parameters.shouldSuppressMemoryPressureHandler = [defaults boolForKey:WebKitSuppressMemoryPressureHandlerDefaultsKey];

Modified: trunk/Source/WebKit/UIProcess/Network/NetworkProcessProxy.cpp (255460 => 255461)


--- trunk/Source/WebKit/UIProcess/Network/NetworkProcessProxy.cpp	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/UIProcess/Network/NetworkProcessProxy.cpp	2020-01-30 22:53:22 UTC (rev 255461)
@@ -28,6 +28,7 @@
 
 #include "APIContentRuleList.h"
 #include "AuthenticationChallengeProxy.h"
+#include "AuthenticationManager.h"
 #include "DownloadProxyMap.h"
 #include "DownloadProxyMessages.h"
 #if ENABLE(LEGACY_CUSTOM_PROTOCOL_MANAGER)
@@ -326,7 +327,7 @@
     store->client().didReceiveAuthenticationChallenge(WTFMove(authenticationChallenge));
 }
 
-void NetworkProcessProxy::didReceiveAuthenticationChallenge(PAL::SessionID sessionID, WebPageProxyIdentifier pageID, const Optional<SecurityOriginData>& topOrigin, WebCore::AuthenticationChallenge&& coreChallenge, uint64_t challengeID)
+void NetworkProcessProxy::didReceiveAuthenticationChallenge(PAL::SessionID sessionID, WebPageProxyIdentifier pageID, const Optional<SecurityOriginData>& topOrigin, WebCore::AuthenticationChallenge&& coreChallenge, bool negotiatedLegacyTLS, uint64_t challengeID)
 {
 #if HAVE(SEC_KEY_PROXY)
     WeakPtr<SecKeyProxyStore> secKeyProxyStore;
@@ -347,7 +348,7 @@
         page = WebProcessProxy::webPage(pageID);
 
     if (page) {
-        page->didReceiveAuthenticationChallengeProxy(WTFMove(authenticationChallenge));
+        page->didReceiveAuthenticationChallengeProxy(WTFMove(authenticationChallenge), negotiatedLegacyTLS ? NegotiatedLegacyTLS::Yes : NegotiatedLegacyTLS::No);
         return;
     }
 
@@ -356,12 +357,12 @@
         return;
     }
 
-    WebPageProxy::forMostVisibleWebPageIfAny(sessionID, *topOrigin, [this, weakThis = makeWeakPtr(this), sessionID, authenticationChallenge = WTFMove(authenticationChallenge)](auto* page) mutable {
+    WebPageProxy::forMostVisibleWebPageIfAny(sessionID, *topOrigin, [this, weakThis = makeWeakPtr(this), sessionID, authenticationChallenge = WTFMove(authenticationChallenge), negotiatedLegacyTLS](auto* page) mutable {
         if (!weakThis)
             return;
 
         if (page) {
-            page->didReceiveAuthenticationChallengeProxy(WTFMove(authenticationChallenge));
+            page->didReceiveAuthenticationChallengeProxy(WTFMove(authenticationChallenge), negotiatedLegacyTLS ? NegotiatedLegacyTLS::Yes : NegotiatedLegacyTLS::No);
             return;
         }
         processAuthenticationChallenge(sessionID, WTFMove(authenticationChallenge));
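Review bot: The fallback at the end of the hunk, `processAuthenticationChallenge(sessionID, WTFMove(authenticationChallenge))`, drops negotiatedLegacyTLS, so when no visible page is found for the top origin the challenge goes to the data store client with default handling and the legacy-TLS decision is never made; the `!topOrigin` early return at the top of the hunk presumably takes the same path. Consider threading the flag through and refusing inside processAuthenticationChallenge when the store's configuration has legacyTLSEnabled() false, e.g. `if (negotiatedLegacyTLS && !store->configuration().legacyTLSEnabled()) return authenticationChallenge->listener().completeChallenge(AuthenticationChallengeDisposition::Cancel);`, or at least a FIXME naming the gap. The enclosing function starts before the hunk.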

Modified: trunk/Source/WebKit/UIProcess/Network/NetworkProcessProxy.h (255460 => 255461)


--- trunk/Source/WebKit/UIProcess/Network/NetworkProcessProxy.h	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/UIProcess/Network/NetworkProcessProxy.h	2020-01-30 22:53:22 UTC (rev 255461)
@@ -235,7 +235,7 @@
 
     // Message handlers
     void didReceiveNetworkProcessProxyMessage(IPC::Connection&, IPC::Decoder&);
-    void didReceiveAuthenticationChallenge(PAL::SessionID, WebPageProxyIdentifier, const Optional<WebCore::SecurityOriginData>&, WebCore::AuthenticationChallenge&&, uint64_t challengeID);
+    void didReceiveAuthenticationChallenge(PAL::SessionID, WebPageProxyIdentifier, const Optional<WebCore::SecurityOriginData>&, WebCore::AuthenticationChallenge&&, bool, uint64_t challengeID);
     void didFetchWebsiteData(uint64_t callbackID, const WebsiteData&);
     void didDeleteWebsiteData(uint64_t callbackID);
     void didDeleteWebsiteDataForOrigins(uint64_t callbackID);

Modified: trunk/Source/WebKit/UIProcess/Network/NetworkProcessProxy.messages.in (255460 => 255461)


--- trunk/Source/WebKit/UIProcess/Network/NetworkProcessProxy.messages.in	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/UIProcess/Network/NetworkProcessProxy.messages.in	2020-01-30 22:53:22 UTC (rev 255461)
@@ -21,7 +21,7 @@
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 messages -> NetworkProcessProxy LegacyReceiver NotRefCounted {
-    DidReceiveAuthenticationChallenge(PAL::SessionID sessionID, WebKit::WebPageProxyIdentifier pageID, Optional<WebCore::SecurityOriginData> topOrigin, WebCore::AuthenticationChallenge challenge, uint64_t challengeID)
+    DidReceiveAuthenticationChallenge(PAL::SessionID sessionID, WebKit::WebPageProxyIdentifier pageID, Optional<WebCore::SecurityOriginData> topOrigin, WebCore::AuthenticationChallenge challenge, bool negotiatedLegacyTLS, uint64_t challengeID)
 
     DidFetchWebsiteData(uint64_t callbackID, struct WebKit::WebsiteData websiteData)
     DidDeleteWebsiteData(uint64_t callbackID)

Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.cpp (255460 => 255461)


--- trunk/Source/WebKit/UIProcess/WebPageProxy.cpp	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/UIProcess/WebPageProxy.cpp	2020-01-30 22:53:22 UTC (rev 255461)
@@ -56,6 +56,7 @@
 #include "APIWebsitePolicies.h"
 #include "AuthenticationChallengeProxy.h"
 #include "AuthenticationDecisionListener.h"
+#include "AuthenticationManager.h"
 #include "AuthenticatorManager.h"
 #include "DataReference.h"
 #include "DownloadProxy.h"
@@ -7706,8 +7707,17 @@
 
 #endif
 
-void WebPageProxy::didReceiveAuthenticationChallengeProxy(Ref<AuthenticationChallengeProxy>&& authenticationChallenge)
+void WebPageProxy::didReceiveAuthenticationChallengeProxy(Ref<AuthenticationChallengeProxy>&& authenticationChallenge, NegotiatedLegacyTLS negotiatedLegacyTLS)
 {
+    if (negotiatedLegacyTLS == NegotiatedLegacyTLS::Yes) {
+        m_navigationClient->shouldAllowLegacyTLS(*this, authenticationChallenge.get(), [this, protectedThis = makeRef(*this), authenticationChallenge = authenticationChallenge.copyRef()] (bool shouldAllowLegacyTLS) {
+            if (shouldAllowLegacyTLS)
+                m_navigationClient->didReceiveAuthenticationChallenge(*this, authenticationChallenge.get());
+            else
+                authenticationChallenge->listener().completeChallenge(AuthenticationChallengeDisposition::Cancel);
+        });
+        return;
+    }
     m_navigationClient->didReceiveAuthenticationChallenge(*this, authenticationChallenge.get());
 }
 
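Review bot: A NO from shouldAllowLegacyTLS is turned into `AuthenticationChallengeDisposition::Cancel`, which fails the load with whatever generic cancellation error the network layer produces, so the page cannot tell a refused TLS 1.0/1.1 connection from any other cancelled challenge; if that distinction matters for the error page a dedicated error would be needed, and either way a comment should record that refusing legacy TLS is expressed as a cancelled challenge. The decision is also made afresh for every challenge that reports legacy TLS, with nothing remembered per host or per page, which is safe but worth stating: `// Asked once per challenge; clients are expected to cache their own per-host decisions.`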

Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.h (255460 => 255461)


--- trunk/Source/WebKit/UIProcess/WebPageProxy.h	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/UIProcess/WebPageProxy.h	2020-01-30 22:53:22 UTC (rev 255461)
@@ -337,6 +337,7 @@
 struct URLSchemeTaskParameters;
 struct UserMessage;
 
+enum class NegotiatedLegacyTLS : bool;
 enum class ProcessSwapRequestedByClient;
 enum class UndoOrRedo : bool;
 enum class WebContentMode : uint8_t;
@@ -1333,7 +1334,7 @@
     void setViewportSizeForCSSViewportUnits(const WebCore::IntSize&);
     WebCore::IntSize viewportSizeForCSSViewportUnits() const { return m_viewportSizeForCSSViewportUnits.valueOr(WebCore::IntSize()); }
 
-    void didReceiveAuthenticationChallengeProxy(Ref<AuthenticationChallengeProxy>&&);
+    void didReceiveAuthenticationChallengeProxy(Ref<AuthenticationChallengeProxy>&&, NegotiatedLegacyTLS);
 
     SpellDocumentTag spellDocumentTag();
 

Modified: trunk/Source/WebKit/UIProcess/WebsiteData/Cocoa/WebsiteDataStoreCocoa.mm (255460 => 255461)


--- trunk/Source/WebKit/UIProcess/WebsiteData/Cocoa/WebsiteDataStoreCocoa.mm	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/UIProcess/WebsiteData/Cocoa/WebsiteDataStoreCocoa.mm	2020-01-30 22:53:22 UTC (rev 255461)
@@ -85,16 +85,6 @@
     bool shouldLogCookieInformation = false;
     bool enableResourceLoadStatisticsDebugMode = false;
     auto firstPartyWebsiteDataRemovalMode = WebCore::FirstPartyWebsiteDataRemovalMode::AllButCookies;
-    bool enableLegacyTLS = configuration().legacyTLSEnabled();
-    if (id value = [defaults objectForKey:@"WebKitEnableLegacyTLS"])
-        enableLegacyTLS = [value boolValue];
-    if (!enableLegacyTLS) {
-#if PLATFORM(IOS_FAMILY) && !PLATFORM(MACCATALYST)
-        enableLegacyTLS = [[PAL::getMCProfileConnectionClass() sharedConnection] effectiveBoolValueForSetting:@"allowDeprecatedWebKitTLS"] == MCRestrictedBoolExplicitYes;
-#elif PLATFORM(MAC)
-        enableLegacyTLS = CFPreferencesGetAppBooleanValue(CFSTR("allowDeprecatedWebKitTLS"), CFSTR("com.apple.applicationaccess"), nullptr);
-#endif
-    }
     WebCore::RegistrableDomain resourceLoadStatisticsManualPrevalentResource { };
 #if ENABLE(RESOURCE_LOAD_STATISTICS)
     enableResourceLoadStatisticsDebugMode = [defaults boolForKey:@"ITPDebugMode"];
@@ -164,7 +154,6 @@
         Seconds { [defaults integerForKey:WebKitNetworkLoadThrottleLatencyMillisecondsDefaultsKey] / 1000. },
         WTFMove(httpProxy),
         WTFMove(httpsProxy),
-        enableLegacyTLS,
         WTFMove(resourceLoadStatisticsDirectory),
         WTFMove(resourceLoadStatisticsDirectoryHandle),
         resourceLoadStatisticsEnabled(),

Modified: trunk/Source/WebKit/UIProcess/WebsiteData/WebsiteDataStoreConfiguration.h (255460 => 255461)


--- trunk/Source/WebKit/UIProcess/WebsiteData/WebsiteDataStoreConfiguration.h	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKit/UIProcess/WebsiteData/WebsiteDataStoreConfiguration.h	2020-01-30 22:53:22 UTC (rev 255461)
@@ -184,7 +184,7 @@
     bool m_deviceManagementRestrictionsEnabled { false };
     bool m_allLoadsBlockedByDeviceManagementRestrictionsForTesting { false };
     bool m_allowsCellularAccess { true };
-    bool m_legacyTLSEnabled { false };
+    bool m_legacyTLSEnabled { true };
     bool m_fastServerTrustEvaluationEnabled { false };
     bool m_serviceWorkerProcessTerminationDelayEnabled { true };
     bool m_testingSessionEnabled { false };
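Review bot: Flipping `m_legacyTLSEnabled` to default true, together with the removal of the TLSMinimumSupportedProtocolVersion setting from NetworkSessionCocoa in this same commit, means a data store created with default configuration no longer enforces TLS 1.2 anywhere below the navigation client, and a client that neither implements the new delegate SPI nor sets this flag accepts TLS 1.0/1.1 connections where the previous default refused them. That reversal deserves a comment on the field, e.g. `// Default-on: TLS 1.0/1.1 is refused only when a navigation client declines it in shouldAllowLegacyTLS or this is set to false.`, with the intended deprecation path noted alongside if the default is meant to return to false.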

Modified: trunk/Source/WebKitLegacy/mac/ChangeLog (255460 => 255461)


--- trunk/Source/WebKitLegacy/mac/ChangeLog	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKitLegacy/mac/ChangeLog	2020-01-30 22:53:22 UTC (rev 255461)
@@ -1,3 +1,13 @@
+2020-01-30  Alex Christensen  <achristen...@webkit.org>
+
+        Add WKNavigationDelegate SPI to disable TLS 1.0 and 1.1
+        https://bugs.webkit.org/show_bug.cgi?id=206979
+
+        Reviewed by Brady Eidson.
+
+        * WebView/WebView.mm:
+        (-[WebView _commonInitializationWithFrameName:groupName:]):
+
 2020-01-29  Tim Horton  <timothy_hor...@apple.com>
 
         Null deref under -[WebFrame isTelephoneNumberParsingAllowed]

Modified: trunk/Source/WebKitLegacy/mac/WebView/WebView.mm (255460 => 255461)


--- trunk/Source/WebKitLegacy/mac/WebView/WebView.mm	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Source/WebKitLegacy/mac/WebView/WebView.mm	2020-01-30 22:53:22 UTC (rev 255461)
@@ -1421,19 +1421,6 @@
         if (WebCore::IOSApplication::isMobileSafari())
             WebCore::DeprecatedGlobalSettings::setShouldManageAudioSessionCategory(true);
 #endif
-
-        bool enableLegacyTLS = false;
-        if (id value = [[NSUserDefaults standardUserDefaults] objectForKey:@"WebKitEnableLegacyTLS"])
-            enableLegacyTLS = [value boolValue];
-        if (!enableLegacyTLS) {
-#if PLATFORM(IOS_FAMILY) && !PLATFORM(MACCATALYST)
-            enableLegacyTLS = [[PAL::getMCProfileConnectionClass() sharedConnection] effectiveBoolValueForSetting:@"allowDeprecatedWebKitTLS"] == MCRestrictedBoolExplicitYes;
-#elif PLATFORM(MAC)
-            enableLegacyTLS = CFPreferencesGetAppBooleanValue(CFSTR("allowDeprecatedWebKitTLS"), CFSTR("com.apple.applicationaccess"), nullptr);
-#endif
-        }
-        WebCore::SocketStreamHandleImpl::setLegacyTLSEnabled(enableLegacyTLS);
-
         didOneTimeInitialization = true;
     }
 

Modified: trunk/Tools/ChangeLog (255460 => 255461)


--- trunk/Tools/ChangeLog	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Tools/ChangeLog	2020-01-30 22:53:22 UTC (rev 255461)
@@ -1,3 +1,21 @@
+2020-01-30  Alex Christensen  <achristen...@webkit.org>
+
+        Add WKNavigationDelegate SPI to disable TLS 1.0 and 1.1
+        https://bugs.webkit.org/show_bug.cgi?id=206979
+
+        Reviewed by Brady Eidson.
+
+        * MiniBrowser/mac/SettingsController.m:
+        * TestWebKitAPI/Tests/WebKitCocoa/TLSDeprecation.mm:
+        (-[TLSNavigationDelegate waitForDidFinishNavigation]):
+        (-[TLSNavigationDelegate waitForDidFailProvisionalNavigation]):
+        (-[TLSNavigationDelegate receivedShouldAllowLegacyTLS]):
+        (-[TLSNavigationDelegate webView:didReceiveAuthenticationChallenge:completionHandler:]):
+        (-[TLSNavigationDelegate webView:didFinishNavigation:]):
+        (-[TLSNavigationDelegate webView:didFailProvisionalNavigation:withError:]):
+        (-[TLSNavigationDelegate _webView:authenticationChallenge:shouldAllowLegacyTLS:]):
+        (TestWebKitAPI::TEST):
+
 2020-01-30  Jonathan Bedard  <jbed...@apple.com>
 
         PAL: Remove old iOS version macros

Modified: trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/TLSDeprecation.mm (255460 => 255461)


--- trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/TLSDeprecation.mm	2020-01-30 22:50:18 UTC (rev 255460)
+++ trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/TLSDeprecation.mm	2020-01-30 22:53:22 UTC (rev 255461)
@@ -43,132 +43,82 @@
 #import <WebKit/WebCoreThread.h>
 #endif
 
-@interface WebSocketDelegate : NSObject <WKUIDelegate, WebUIDelegate>
-- (NSString *)waitForMessage;
+@interface TLSNavigationDelegate : NSObject <WKNavigationDelegate>
+- (void)waitForDidFinishNavigation;
+- (void)waitForDidFailProvisionalNavigation;
+- (bool)receivedShouldAllowLegacyTLS;
+@property (nonatomic) bool shouldAllowLegacyTLS;
 @end
 
-@implementation WebSocketDelegate {
-    RetainPtr<NSString> _message;
+@implementation TLSNavigationDelegate {
+    bool _navigationFinished;
+    bool _navigationFailed;
+    bool _receivedShouldAllowLegacyTLS;
 }
 
-- (NSString *)waitForMessage
+- (void)waitForDidFinishNavigation
 {
-    while (!_message)
+    while (!_navigationFinished)
         TestWebKitAPI::Util::spinRunLoop();
-    return _message.autorelease();
 }
 
-- (void)webView:(WKWebView *)webView runJavaScriptAlertPanelWithMessage:(NSString *)message initiatedByFrame:(WKFrameInfo *)frame completionHandler:(void (^)(void))completionHandler
+- (void)waitForDidFailProvisionalNavigation
 {
-    _message = message;
-    completionHandler();
+    while (!_navigationFailed)
+        TestWebKitAPI::Util::spinRunLoop();
 }
 
-- (void)webView:(WebView *)sender runJavaScriptAlertPanelWithMessage:(NSString *)message initiatedByFrame:(WebFrame *)frame
+- (bool)receivedShouldAllowLegacyTLS
 {
-    _message = message;
+    return _receivedShouldAllowLegacyTLS;
 }
 
-@end
-
-namespace TestWebKitAPI {
-
-const uint16_t tls1_1 = 0x0302;
-static NSString *defaultsKey = @"WebKitEnableLegacyTLS";
-
-TEST(WebKit, TLSVersionWebSocket)
+- (void)webView:(WKWebView *)webView didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential * credential))completionHandler
 {
-    auto getWebSocketEvent = [] (bool clientAllowDeprecatedTLS, bool serverLimitTLS) {
-        Optional<uint16_t> maxServerTLSVersion;
-        if (serverLimitTLS)
-            maxServerTLSVersion = tls1_1;
-        TCPServer server(TCPServer::Protocol::HTTPS, [=](SSL *ssl) {
-            EXPECT_TRUE(!ssl == (clientAllowDeprecatedTLS != serverLimitTLS));
-        }, maxServerTLSVersion);
-
-        if (clientAllowDeprecatedTLS)
-            [[NSUserDefaults standardUserDefaults] setBool:YES forKey:defaultsKey];
-        
-        auto webView = adoptNS([TestWKWebView new]);
-        auto delegate = adoptNS([WebSocketDelegate new]);
-        [webView setUIDelegate:delegate.get()];
-        [webView synchronouslyLoadHTMLString:@"start network process"];
-        [[webView configuration].processPool _allowAnyTLSCertificateForWebSocketTesting];
-        [webView synchronouslyLoadHTMLString:[NSString stringWithFormat:
-            @"<script>"
-            "const socket = new WebSocket('wss://localhost:%d');"
-            "socket._onclose_ = function(event){ alert('close'); };"
-            "socket._onerror_ = function(event){ alert('error: ' + event.data); };"
-            "</script>", server.port()]];
-        NSString *message = [delegate waitForMessage];
-        
-        if (clientAllowDeprecatedTLS)
-            [[NSUserDefaults standardUserDefaults] removeObjectForKey:defaultsKey];
-
-        return message;
-    };
-
-    EXPECT_WK_STREQ(getWebSocketEvent(true, true), "close");
-    NSString *message = getWebSocketEvent(false, true);
-    EXPECT_TRUE([message isEqualToString:@"error: undefined"] || [message isEqualToString:@"close"]);
-    EXPECT_WK_STREQ(getWebSocketEvent(false, false), "close");
+    EXPECT_WK_STREQ(challenge.protectionSpace.authenticationMethod, NSURLAuthenticationMethodServerTrust);
+    completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
 }
 
-NSString *getWebSocketEventWebKitLegacy(bool clientAllowDeprecatedTLS, bool serverLimitTLS)
+- (void)webView:(WKWebView *)webView didFinishNavigation:(WKNavigation *)navigation
 {
-#if PLATFORM(IOS_FAMILY)
-    WebKitInitialize();
-    WebThreadLock();
-#endif
-    Optional<uint16_t> maxServerTLSVersion;
-    if (serverLimitTLS)
-        maxServerTLSVersion = tls1_1;
-    TCPServer server(TCPServer::Protocol::HTTPS, [=](SSL *ssl) {
-        EXPECT_TRUE(!ssl == (clientAllowDeprecatedTLS != serverLimitTLS));
-    }, maxServerTLSVersion);
-
-    if (clientAllowDeprecatedTLS)
-        [[NSUserDefaults standardUserDefaults] setBool:YES forKey:defaultsKey];
-    
-    auto webView = adoptNS([WebView new]);
-    auto delegate = adoptNS([WebSocketDelegate new]);
-    [webView setUIDelegate:delegate.get()];
-    WebCoreTestSupport::setAllowsAnySSLCertificate(true);
-    [[webView mainFrame] loadHTMLString:[NSString stringWithFormat:
-        @"<script>"
-        "const socket = new WebSocket('wss://localhost:%d');"
-        "socket._onclose_ = function(event){ alert('close'); };"
-        "socket._onerror_ = function(event){ alert('error: ' + event.data); };"
-        "</script>", server.port()] baseURL:nil];
-    NSString *message = [delegate waitForMessage];
-
-    if (clientAllowDeprecatedTLS)
-        [[NSUserDefaults standardUserDefaults] removeObjectForKey:defaultsKey];
-
-    return message;
+    _navigationFinished = true;
 }
 
-TEST(WebKit, TLSVersionWebSocketWebKitLegacy1)
+- (void)webView:(WKWebView *)webView didFailProvisionalNavigation:(WKNavigation *)navigation withError:(NSError *)error
 {
-    EXPECT_WK_STREQ(getWebSocketEventWebKitLegacy(true, true), "close");
+    _navigationFailed = true;
 }
 
-TEST(WebKit, TLSVersionWebSocketWebKitLegacy2)
+- (void)_webView:(WKWebView *)webView authenticationChallenge:(NSURLAuthenticationChallenge *)challenge shouldAllowLegacyTLS:(void (^)(BOOL))completionHandler
 {
-#if PLATFORM(IOS_FAMILY)
-    const char* expected = "error: undefined";
-#else
-    const char* expected = "close";
-#endif
-    EXPECT_WK_STREQ(getWebSocketEventWebKitLegacy(false, true), expected);
+    _receivedShouldAllowLegacyTLS = true;
+    completionHandler([self shouldAllowLegacyTLS]);
 }
 
-TEST(WebKit, TLSVersionWebSocketWebKitLegacy3)
+@end
+
+
+namespace TestWebKitAPI {
+
+const uint16_t tls1_1 = 0x0302;
+static NSString *defaultsKey = @"WebKitEnableLegacyTLS";
+
+TEST(TLSVersion, DefaultBehavior)
 {
-    EXPECT_WK_STREQ(getWebSocketEventWebKitLegacy(false, false), "close");
+    TCPServer server(TCPServer::Protocol::HTTPS, TCPServer::respondWithOK, tls1_1);
+    auto delegate = adoptNS([TestNavigationDelegate new]);
+    auto webView = adoptNS([WKWebView new]);
+    [webView setNavigationDelegate:delegate.get()];
+    [delegate setDidReceiveAuthenticationChallenge:^(WKWebView *, NSURLAuthenticationChallenge *challenge, void (^callback)(NSURLSessionAuthChallengeDisposition, NSURLCredential *)) {
+        EXPECT_WK_STREQ(challenge.protectionSpace.authenticationMethod, NSURLAuthenticationMethodServerTrust);
+        callback(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
+    }];
+    [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:[NSString stringWithFormat:@"https://127.0.0.1:%d/", server.port()]]]];
+    [delegate waitForDidFinishNavigation];
 }
 
-TEST(WebKit, TLSVersionNetworkSession)
+// FIXME: This test should remain disabled until rdar://problem/56522601 is fixed.
+TEST(TLSVersion, DISABLED_NetworkSession)
 {
     static auto delegate = adoptNS([TestNavigationDelegate new]);
     auto makeWebViewWith = [&] (WKWebsiteDataStore *store) {
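Review bot: `-waitForDidFinishNavigation` and `-waitForDidFailProvisionalNavigation` spin the run loop forever when the navigation takes the other outcome, so a regression in the legacy-TLS policy turns `TLSVersion.DISABLED_NavigationDelegateSPI` into a hang instead of a failure once it is re-enabled. Let each waiter return on either callback and assert the one it expected, `while (!_navigationFinished && !_navigationFailed)` / `TestWebKitAPI::Util::spinRunLoop();` / `EXPECT_TRUE(_navigationFinished);`, with the mirror image in the failure waiter. Since `_navigationFailed` is only set from `didFailProvisionalNavigation:withError:`, a failure after the provisional phase is still unobserved; if that is intended, a one-line comment on the ivars saying so would help. The delegate also mixes C++ `bool` (`receivedShouldAllowLegacyTLS`, the `shouldAllowLegacyTLS` property) with the `BOOL` taken by the SPI completion block; using `BOOL` throughout would match the API it is exercising.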
@@ -177,55 +127,83 @@
         auto webView = adoptNS([[WKWebView alloc] initWithFrame:NSMakeRect(0, 0, 800, 600) configuration:configuration]);
         [webView setNavigationDelegate:delegate.get()];
         [delegate setDidReceiveAuthenticationChallenge:^(WKWebView *, NSURLAuthenticationChallenge *challenge, void (^callback)(NSURLSessionAuthChallengeDisposition, NSURLCredential *)) {
+            EXPECT_WK_STREQ(challenge.protectionSpace.authenticationMethod, NSURLAuthenticationMethodServerTrust);
             callback(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
         }];
         return webView;
     };
     {
-        TCPServer server(TCPServer::Protocol::HTTPS, [](SSL *ssl) {
-            EXPECT_FALSE(ssl);
-        }, tls1_1);
+        TCPServer server(TCPServer::Protocol::HTTPS, TCPServer::respondWithOK, tls1_1);
         auto webView = makeWebViewWith([WKWebsiteDataStore defaultDataStore]);
         [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:[NSString stringWithFormat:@"https://127.0.0.1:%d/", server.port()]]]];
-        [delegate waitForDidFailProvisionalNavigation];
+        [delegate waitForDidFinishNavigation];
     }
     {
-        TCPServer server(TCPServer::Protocol::HTTPS, [](SSL *ssl) {
-            EXPECT_FALSE(ssl);
-        }, tls1_1);
+        TCPServer server(TCPServer::Protocol::HTTPS, TCPServer::respondWithOK, tls1_1);
         auto webView = makeWebViewWith([WKWebsiteDataStore nonPersistentDataStore]);
         [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:[NSString stringWithFormat:@"https://127.0.0.1:%d/", server.port()]]]];
-        [delegate waitForDidFailProvisionalNavigation];
+        [delegate waitForDidFinishNavigation];
     }
     {
-        TCPServer server(TCPServer::Protocol::HTTPS, TCPServer::respondWithOK, tls1_1);
+        TCPServer server(TCPServer::Protocol::HTTPS, [](SSL *ssl) {
+            EXPECT_FALSE(ssl);
+        }, tls1_1);
         auto configuration = adoptNS([[_WKWebsiteDataStoreConfiguration alloc] initNonPersistentConfiguration]);
-        [configuration setLegacyTLSEnabled:YES];
+        [configuration setLegacyTLSEnabled:NO];
         auto dataStore = adoptNS([[WKWebsiteDataStore alloc] _initWithConfiguration:configuration.get()]);
         auto webView = makeWebViewWith(dataStore.get());
         [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:[NSString stringWithFormat:@"https://127.0.0.1:%d/", server.port()]]]];
-        [delegate waitForDidFinishNavigation];
+        [delegate waitForDidFailProvisionalNavigation];
     }
-    [[NSUserDefaults standardUserDefaults] setBool:YES forKey:defaultsKey];
+    [[NSUserDefaults standardUserDefaults] setBool:NO forKey:defaultsKey];
     {
         TCPServer server(TCPServer::Protocol::HTTPS, [](SSL *ssl) {
-            TCPServer::respondWithOK(ssl);
+            EXPECT_FALSE(ssl);
         }, tls1_1);
         auto webView = makeWebViewWith([WKWebsiteDataStore defaultDataStore]);
         [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:[NSString stringWithFormat:@"https://127.0.0.1:%d/", server.port()]]]];
-        [delegate waitForDidFinishNavigation];
+        [delegate waitForDidFailProvisionalNavigation];
     }
     {
         TCPServer server(TCPServer::Protocol::HTTPS, [](SSL *ssl) {
-            TCPServer::respondWithOK(ssl);
+            EXPECT_FALSE(ssl);
         }, tls1_1);
         auto webView = makeWebViewWith([WKWebsiteDataStore nonPersistentDataStore]);
         [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:[NSString stringWithFormat:@"https://127.0.0.1:%d/", server.port()]]]];
-        [delegate waitForDidFinishNavigation];
+        [delegate waitForDidFailProvisionalNavigation];
     }
     [[NSUserDefaults standardUserDefaults] removeObjectForKey:defaultsKey];
 }
 
+// FIXME: This test should remain disabled until rdar://problem/56522601 is fixed.
+TEST(TLSVersion, DISABLED_NavigationDelegateSPI)
+{
+    {
+        auto delegate = adoptNS([TLSNavigationDelegate new]);
+        TCPServer server(TCPServer::Protocol::HTTPS, [](SSL *ssl) {
+            // FIXME: This is only if we have the new SPI.
+            EXPECT_FALSE(ssl);
+        }, tls1_1);
+        auto webView = adoptNS([WKWebView new]);
+        [webView setNavigationDelegate:delegate.get()];
+        [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:[NSString stringWithFormat:@"https://127.0.0.1:%d/", server.port()]]]];
+        [delegate waitForDidFailProvisionalNavigation];
+        EXPECT_TRUE([delegate receivedShouldAllowLegacyTLS]);
+    }
+    {
+        auto delegate = adoptNS([TLSNavigationDelegate new]);
+        delegate.get().shouldAllowLegacyTLS = YES;
+        TCPServer server(TCPServer::Protocol::HTTPS, TCPServer::respondWithOK, tls1_1);
+        auto webView = adoptNS([WKWebView new]);
+        [webView setNavigationDelegate:delegate.get()];
+        [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:[NSString stringWithFormat:@"https://127.0.0.1:%d/", server.port()]]]];
+        [delegate waitForDidFinishNavigation];
+        EXPECT_TRUE([delegate receivedShouldAllowLegacyTLS]);
+    }
 }
 
+// FIXME: Add some tests for WKWebView.hasOnlySecureContent
+
+}
+
 #endif // HAVE(SSL)
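Review bot: `TLSVersion.DefaultBehavior` now depends on `WebKitEnableLegacyTLS` being absent from the standard user defaults, but `DISABLED_NetworkSession` writes `setBool:NO forKey:defaultsKey` into the persistent defaults and only removes it at the end of the test body; a crash or a hung waiter between those two lines leaves the key on disk, and later runs of `DefaultBehavior` then fail for a reason unrelated to the change. Move the cleanup somewhere that runs unconditionally, for example a scope guard right after the `setBool:` call or a `removeObjectForKey:defaultsKey` at the top of `DefaultBehavior`, so every test starts from a known TLS policy. The `// FIXME: This is only if we have the new SPI.` comment on the server callback in `DISABLED_NavigationDelegateSPI` should also state what the expectation depends on, e.g. `// FIXME: EXPECT_FALSE(ssl) assumes the build has the shouldAllowLegacyTLS SPI; presumably without it the default policy accepts TLS 1.1 and the handshake succeeds.`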