Public bug reported:

I caught this whilst writing unit tests. If a secure site loads a resource from a different domain but that resource load comes with an invalid certificate, WebView.onCertificateError will fire with the isSubresource property set to true. If the application then allows this, WebView.securityStatus.securityLevel does not indicate a degraded security level as expected.

It *does* work if the subresource is from the same domain as the main document, as that host is marked as having run insecure content.

** Affects: oxide
     Importance: Critical
     Assignee: Chris Coulson (chrisccoulson)
     Status: Triaged

** Affects: oxide/1.2
     Importance: Critical
     Assignee: Chris Coulson (chrisccoulson)
     Status: Triaged

** Changed in: oxide
   Importance: Undecided => Critical

** Changed in: oxide
   Status: New => Triaged

** Changed in: oxide
   Milestone: None => branch-1.3

** Changed in: oxide
   Assignee: (unassigned) => Chris Coulson (chrisccoulson)

** Also affects: oxide/1.2
   Importance: Undecided
   Status: New

** Changed in: oxide/1.2
   Importance: Undecided => Critical

** Changed in: oxide/1.2
   Status: New => Triaged

** Changed in: oxide/1.2
   Assignee: (unassigned) => Chris Coulson (chrisccoulson)

** Changed in: oxide/1.2
   Milestone: None => 1.2.1

** Description changed:

- If a secure site loads a resource from a different domain but that
- resource load comes with a broken certificate,
- WebView.onCertificateError will fire with the isSubresource property set
- to true. If the application then allow's this,
- WebView.securityStatus.securityLevel does not indicate a degraded to
- security level.
+ I caught this whilst writing unit tests. If a secure site loads a
+ resource from a different domain but that resource load comes with an
+ invalid certificate, WebView.onCertificateError will fire with the
+ isSubresource property set to true. If the application then allow's
+ this, WebView.securityStatus.securityLevel does not indicate a degraded
+ security level as expected.
  
  It *does* work if the subresource is from the same domain as the main
  document, as that host is marked as having ran insecure content.

https://bugs.launchpad.net/bugs/1368385

Title:
  WebView.securityStatus.securityLevel indicates everything is normal if a subresource certificate error is allowed for a resource from a different domain from the main document

Status in Oxide Webview:
  Triaged
Status in Oxide 1.2 series:
  Triaged
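
The behaviour described in this report, as an added example that is not part of the original bug report and is not Oxide or Chromium code: a simplified JavaScript model in which an allowed subresource certificate error is recorded only against the resource's host, next to a variant that also records it against the page. The class, function names and example hosts are constructed for illustration.

```javascript
// Simplified model, constructed for illustration (not Oxide's implementation).
const Level = Object.freeze({ SECURE: "secure", DEGRADED: "degraded" });

class PageSecurityModel {
  constructor(mainUrl, trackPerPage) {
    this.mainHost = new URL(mainUrl).host;
    this.trackPerPage = trackPerPage;
    // Host-keyed flag: "that host is marked as having run insecure content".
    this.hostsRanInsecure = new Set();
    // Page-keyed flag: set whenever this page accepted any bad certificate.
    this.pageAllowedBadCert = false;
  }

  // The application allowed a subresource load despite a certificate error.
  allowSubresourceCertError(resourceUrl) {
    this.hostsRanInsecure.add(new URL(resourceUrl).host);
    this.pageAllowedBadCert = true;
  }

  securityLevel() {
    // Host-only lookup: only sees errors on the main document's own host.
    if (this.hostsRanInsecure.has(this.mainHost)) return Level.DEGRADED;
    // Page-level tracking also catches resources served from other hosts.
    if (this.trackPerPage && this.pageAllowedBadCert) return Level.DEGRADED;
    return Level.SECURE;
  }
}

// Returns the level reported after one subresource certificate error is allowed.
function levelAfterAllow(mainUrl, resourceUrl, trackPerPage) {
  const page = new PageSecurityModel(mainUrl, trackPerPage);
  page.allowSubresourceCertError(resourceUrl);
  return page.securityLevel();
}

// Regression matrix over same-host and cross-host subresources (constructed URLs).
function regressionMatrix() {
  const main = "https://app.example.com/index.html";
  const sameHost = "https://app.example.com/script.js";
  const crossHost = "https://cdn.example.net/script.js";
  return {
    hostOnlySame: levelAfterAllow(main, sameHost, false),
    hostOnlyCross: levelAfterAllow(main, crossHost, false), // the reported gap
    perPageSame: levelAfterAllow(main, sameHost, true),
    perPageCross: levelAfterAllow(main, crossHost, true),
  };
}
```

A unit test for this class of bug needs the cross-host row: the same-host case passes under both models and would not have caught the problem.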