On 01/07/09 01:21, Hugh McIntyre wrote: > Alfred Peng wrote: >> >> On 01/02/09 15:59, Hugh McIntyre wrote: >>> Shi-Ying Irene Huang wrote: >>> So does this mean that: >>> >>> - HTTPS is not supported right now? >>> - HTTPS is supported, but does no verification of the server >>> certificate, thus defeating half of the point of HTTPS? >>> - HTTPS is supported and checks the certificates properly, just not >>> via CURL/OpenSSL? >>> - or that WebKit does not do the network accesses itself? >> The current status for HTTPS support is between option 1 and 2. >> Normally, WebKit doesn't support HTTPS. But if the environment >> "WEBKIT_IGNORE_SSL_ERRORS" is set, WebKit will call libcURL function >> to skip the certificate verification and deal with HTTPS request. >> OpenSSL isn't involved in this right now. But to enable SSL >> verification is on the plan. > > Sounds OK, since the out-of-the-box default won't load HTTPS in an > unsafe way. Presumably any documentation on "WEBKIT_IGNORE_SSL_ERRORS" > will point out that this defeats the security of HTTPS? > There isn't document for this right now. Maybe man page is a good place to add this?
Thanks, -Alfred
