There are a lot of discussions, I'd like to rest the time out to be Jan 1/13 (Next Tuesday), in case there's more in next LSARC meeting.
Thanks --Irene Alfred Peng wrote: > On 01/07/09 01:21, Hugh McIntyre wrote: >> Alfred Peng wrote: >>> >>> On 01/02/09 15:59, Hugh McIntyre wrote: >>>> Shi-Ying Irene Huang wrote: >>>> So does this mean that: >>>> >>>> - HTTPS is not supported right now? >>>> - HTTPS is supported, but does no verification of the server >>>> certificate, thus defeating half of the point of HTTPS? >>>> - HTTPS is supported and checks the certificates properly, just not >>>> via CURL/OpenSSL? >>>> - or that WebKit does not do the network accesses itself? >>> The current status for HTTPS support is between option 1 and 2. >>> Normally, WebKit doesn't support HTTPS. But if the environment >>> "WEBKIT_IGNORE_SSL_ERRORS" is set, WebKit will call libcURL function >>> to skip the certificate verification and deal with HTTPS request. >>> OpenSSL isn't involved in this right now. But to enable SSL >>> verification is on the plan. >> >> Sounds OK, since the out-of-the-box default won't load HTTPS in an >> unsafe way. Presumably any documentation on "WEBKIT_IGNORE_SSL_ERRORS" >> will point out that this defeats the security of HTTPS? >> > There isn't document for this right now. Maybe man page is a good > place to add this? > > Thanks, > -Alfred
