[epiphany] Do not ignore TLS errors
- From: Michael Catanzaro <mcatanzaro src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [epiphany] Do not ignore TLS errors
- Date: Fri, 8 Aug 2014 14:43:39 +0000 (UTC)
commit f0e7ab86cc2f137637a8a8e8e987e312e93945f3
Author: Michael Catanzaro <mcatanzaro igalia com>
Date: Wed Jul 16 11:19:25 2014 -0500
Do not ignore TLS errors
Currently, Epiphany loads web pages even though it realizes the
connection may be insecure, displaying a broken lock in the address bar.
By this point, it's too late: the attacker already has your session
cookies. Display an error page instead. Based on groundwork by Brian
Holt.
https://bugzilla.gnome.org/show_bug.cgi?id=708847
embed/ephy-embed-shell.c | 37 ++++++
embed/ephy-web-extension-proxy.c | 26 ++++
embed/ephy-web-extension-proxy.h | 2 +
embed/ephy-web-view.c | 195 ++++++++++++++++++++++++++++--
embed/ephy-web-view.h | 3 +-
embed/web-extension/ephy-web-extension.c | 129 +++++++++++++++++++-
src/ephy-shell.c | 3 +
src/resources/error.html | 2 +-
8 files changed, 379 insertions(+), 18 deletions(-)
---
diff --git a/embed/ephy-embed-shell.c b/embed/ephy-embed-shell.c
index 4037c00..83bbb94 100644
--- a/embed/ephy-embed-shell.c
+++ b/embed/ephy-embed-shell.c
@@ -63,6 +63,7 @@ struct _EphyEmbedShellPrivate
guint web_extensions_page_created_signal_id;
guint web_extensions_form_auth_save_signal_id;
guint web_extensions_remove_from_overview_signal_id;
+ guint web_extensions_allow_tls_certificate_signal_id;
};
enum
@@ -272,6 +273,26 @@ web_extension_remove_from_overview (GDBusConnection *connection,
}
static void
+web_extension_allow_tls_certificate (GDBusConnection *connection,
+ const char *sender_name,
+ const char *object_path,
+ const char *interface_name,
+ const char *signal_name,
+ GVariant *parameters,
+ EphyEmbedShell *shell)
+{
+ EphyWebExtensionProxy *web_extension;
+ guint64 page_id;
+
+ web_extension = ephy_embed_shell_find_web_extension (shell, sender_name);
+ if (!web_extension)
+ return;
+
+ g_variant_get (parameters, "(t)", &page_id);
+ ephy_web_extension_proxy_allow_tls_certificate (web_extension, page_id);
+}
+
+static void
web_extension_destroyed (EphyEmbedShell *shell,
GObject *web_extension)
{
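Review bot: `g_variant_get (parameters, "(t)", &page_id)` in `web_extension_allow_tls_certificate` runs without first checking the payload type, so a signal whose body is not `(t)` makes GLib log a critical and leaves `page_id` uninitialised before it is passed on. The sender is matched against the known web extensions, but the web process is the less trusted side of this channel and the request ends in a certificate exception. The handler should reject malformed input explicitly with `if (!g_variant_is_of_type (parameters, G_VARIANT_TYPE ("(t)"))) return;` placed before the `g_variant_get` call. A one-line comment stating that this signal originates in the web process and is treated as untrusted input would help the next reader.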
@@ -545,6 +566,17 @@ ephy_embed_shell_setup_web_extensions_connection (EphyEmbedShell *shell)
(GDBusSignalCallback)web_extension_remove_from_overview,
shell,
NULL);
+ shell->priv->web_extensions_allow_tls_certificate_signal_id =
+ g_dbus_connection_signal_subscribe (shell->priv->bus,
+ NULL,
+ EPHY_WEB_EXTENSION_INTERFACE,
+ "AllowTLSCertificate",
+ EPHY_WEB_EXTENSION_OBJECT_PATH,
+ NULL,
+ G_DBUS_SIGNAL_FLAGS_NONE,
+ (GDBusSignalCallback)web_extension_allow_tls_certificate,
+ shell,
+ NULL);
}
static void
@@ -646,6 +678,11 @@ ephy_embed_shell_shutdown (GApplication* application)
priv->web_extensions_remove_from_overview_signal_id = 0;
}
+ if (priv->web_extensions_allow_tls_certificate_signal_id > 0) {
+ g_dbus_connection_signal_unsubscribe (priv->bus, priv->web_extensions_allow_tls_certificate_signal_id);
+ priv->web_extensions_allow_tls_certificate_signal_id = 0;
+ }
+
g_list_foreach (priv->web_extensions, (GFunc)ephy_embed_shell_unwatch_web_extension, application);
g_object_unref (ephy_embed_prefs_get_settings ());
diff --git a/embed/ephy-web-extension-proxy.c b/embed/ephy-web-extension-proxy.c
index 5787fd7..7254be0 100644
--- a/embed/ephy-web-extension-proxy.c
+++ b/embed/ephy-web-extension-proxy.c
@@ -36,6 +36,7 @@ struct _EphyWebExtensionProxyPrivate
enum
{
FORM_AUTH_DATA_SAVE_REQUESTED,
+ ALLOW_TLS_CERTIFICATE,
LAST_SIGNAL
};
@@ -109,6 +110,22 @@ ephy_web_extension_proxy_class_init (EphyWebExtensionProxyClass *klass)
G_TYPE_STRING,
G_TYPE_STRING);
+ /**
+ * EphyWebExtensionProxy::allow-tls-certificate:
+ * @shell: the #EphyWebExtensionProxy
+ *
+ * Emitted when the web extension requests an exception be
+ * permitted for the invalid TLS certificate on the current page.
+ */
+ signals[ALLOW_TLS_CERTIFICATE] =
+ g_signal_new ("allow-tls-certificate",
+ EPHY_TYPE_WEB_EXTENSION_PROXY,
+ G_SIGNAL_RUN_FIRST,
+ 0, NULL, NULL,
+ g_cclosure_marshal_generic,
+ G_TYPE_NONE, 1,
+ G_TYPE_UINT64);
+
g_type_class_add_private (object_class, sizeof (EphyWebExtensionProxyPrivate));
}
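Review bot: The doc comment for `allow-tls-certificate` labels the emitting object `@shell`, although the signal is registered on `EPHY_TYPE_WEB_EXTENSION_PROXY`, and it leaves the `G_TYPE_UINT64` argument undocumented. I would write `@web_extension: the #EphyWebExtensionProxy` and add `@page_id: the identifier of the web page requesting the exception`. Because handlers of this signal end up granting a TLS exception, the comment should also say that the request originates in the web process.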
@@ -228,6 +245,15 @@ ephy_web_extension_proxy_form_auth_data_save_confirmation_response (EphyWebExten
NULL, NULL);
}
+void
+ephy_web_extension_proxy_allow_tls_certificate (EphyWebExtensionProxy *web_extension,
+ guint64 page_id)
+{
+ g_return_if_fail (EPHY_IS_WEB_EXTENSION_PROXY (web_extension));
+
+ g_signal_emit (web_extension, signals[ALLOW_TLS_CERTIFICATE], 0, page_id);
+}
+
static void
has_modified_forms_cb (GDBusProxy *proxy,
GAsyncResult *result,
diff --git a/embed/ephy-web-extension-proxy.h b/embed/ephy-web-extension-proxy.h
index 094a544..99afcfb 100644
--- a/embed/ephy-web-extension-proxy.h
+++ b/embed/ephy-web-extension-proxy.h
@@ -66,6 +66,8 @@ void ephy_web_extension_proxy_form_auth_save_requested
void ephy_web_extension_proxy_form_auth_data_save_confirmation_response
(EphyWebExtensionProxy *web_extension,
guint
request_id,
gboolean
response);
+void ephy_web_extension_proxy_allow_tls_certificate
(EphyWebExtensionProxy *web_extension,
+ guint64
page_id);
void ephy_web_extension_proxy_web_page_has_modified_forms
(EphyWebExtensionProxy *web_extension,
guint64
page_id,
GCancellable
*cancellable,
diff --git a/embed/ephy-web-view.c b/embed/ephy-web-view.c
index 62eaa18..1c0e342 100644
--- a/embed/ephy-web-view.c
+++ b/embed/ephy-web-view.c
@@ -2,7 +2,7 @@
/* vim: set sw=2 ts=2 sts=2 et: */
/*
* Copyright © 2008, 2009 Gustavo Noronha Silva
- * Copyright © 2009, 2010 Igalia S.L.
+ * Copyright © 2009, 2010, 2014 Igalia S.L.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -107,6 +107,9 @@ struct _EphyWebViewPrivate {
GTlsCertificate *certificate;
GTlsCertificateFlags tls_errors;
+ gboolean loading_tls_error_page;
+ char *tls_error_page_host;
+
/* Web Extension */
EphyWebExtensionProxy *web_extension;
};
@@ -696,6 +699,25 @@ form_auth_data_save_requested (EphyWebExtensionProxy *web_extension,
}
static void
+allow_tls_certificate_cb (EphyWebExtensionProxy *shell,
+ guint64 page_id,
+ EphyWebView *web_view)
+{
+ EphyWebViewPrivate *priv = web_view->priv;
+
+ if (webkit_web_view_get_page_id (WEBKIT_WEB_VIEW (web_view)) != page_id)
+ return;
+
+ g_return_if_fail (G_IS_TLS_CERTIFICATE (priv->certificate));
+ g_return_if_fail (priv->tls_error_page_host != NULL);
+
+ webkit_web_context_allow_tls_certificate_for_host (webkit_web_context_get_default (),
+ priv->certificate,
+ priv->tls_error_page_host);
+ ephy_web_view_load_url (web_view, ephy_web_view_get_address (web_view));
+}
+
+static void
page_created_cb (EphyEmbedShell *shell,
guint64 page_id,
EphyWebExtensionProxy *web_extension,
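Review bot: The two `g_return_if_fail` checks in `allow_tls_certificate_cb` guard state that a message from the web process can reach at any time, not a programmer error, and they disappear entirely in a build with `G_DISABLE_CHECKS`. In that case a NULL certificate or host would be handed to `webkit_web_context_allow_tls_certificate_for_host`. Use ordinary runtime checks instead: `if (priv->certificate == NULL || priv->tls_error_page_host == NULL) return;`. As far as this hunk shows, nothing else confirms that the view is still displaying the TLS error page when the request arrives, so a comment explaining that a non-NULL `tls_error_page_host` is the gate would be worth adding.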
@@ -712,6 +734,10 @@ page_created_cb (EphyEmbedShell *shell,
g_signal_connect (priv->web_extension, "form-auth-data-save-requested",
G_CALLBACK (form_auth_data_save_requested),
web_view);
+
+ g_signal_connect (priv->web_extension, "allow-tls-certificate",
+ G_CALLBACK (allow_tls_certificate_cb),
+ web_view);
}
static void
@@ -757,6 +783,7 @@ ephy_web_view_finalize (GObject *object)
g_free (priv->typed_address);
g_free (priv->link_message);
g_free (priv->loading_message);
+ g_free (priv->tls_error_page_host);
G_OBJECT_CLASS (ephy_web_view_parent_class)->finalize (object);
}
@@ -1582,14 +1609,20 @@ load_changed_cb (WebKitWebView *web_view,
ephy_web_view_location_changed (view, uri);
/* Security status. */
- g_clear_object (&priv->certificate);
- if (webkit_web_view_get_tls_info (web_view, &priv->certificate, &priv->tls_errors)) {
- g_object_ref (priv->certificate);
- security_level = priv->tls_errors == 0 ?
- EPHY_WEB_VIEW_STATE_IS_SECURE_HIGH : EPHY_WEB_VIEW_STATE_IS_BROKEN;
- }
+ if (priv->loading_tls_error_page) {
+ priv->loading_tls_error_page = FALSE;
+ } else {
+ g_clear_object (&priv->certificate);
+ g_clear_pointer (&priv->tls_error_page_host, g_free);
+
+ if (webkit_web_view_get_tls_info (web_view, &priv->certificate, &priv->tls_errors)) {
+ g_object_ref (priv->certificate);
+ security_level = priv->tls_errors == 0 ?
+ EPHY_WEB_VIEW_STATE_IS_SECURE_HIGH : EPHY_WEB_VIEW_STATE_IS_BROKEN;
+ }
- ephy_web_view_set_security_level (EPHY_WEB_VIEW (web_view), security_level);
+ ephy_web_view_set_security_level (EPHY_WEB_VIEW (web_view), security_level);
+ }
/* History. */
if (!ephy_web_view_is_history_frozen (view)) {
@@ -1691,6 +1724,104 @@ get_style_sheet (void)
return sheet;
}
+static char *
+detailed_message_from_tls_errors (GTlsCertificateFlags tls_errors)
+{
+ GPtrArray *errors = g_ptr_array_new ();
+ char *retval;
+
+ if (tls_errors & G_TLS_CERTIFICATE_BAD_IDENTITY) {
+ /* Possible error message when a site presents a bad certificate. */
+ g_ptr_array_add (errors, _("This web site presented identification that belongs to a different web
site."));
+ }
+
+ if (tls_errors & G_TLS_CERTIFICATE_EXPIRED) {
+ /* Possible error message when a site presents a bad certificate. */
+ g_ptr_array_add (errors, _("This web site’s identification is too old to trust. Check the date on your
computer’s calendar."));
+ }
+
+ if (tls_errors & G_TLS_CERTIFICATE_UNKNOWN_CA) {
+ /* Possible error message when a site presents a bad certificate. */
+ g_ptr_array_add (errors, _("This web site’s identification was not issued by a trusted organization."));
+ }
+
+ if (tls_errors & G_TLS_CERTIFICATE_GENERIC_ERROR) {
+ /* Possible error message when a site presents a bad certificate. */
+ g_ptr_array_add (errors, _("This web site’s identification could not be processed. It may be
corrupted."));
+ }
+
+ if (tls_errors & G_TLS_CERTIFICATE_REVOKED) {
+ /* Possible error message when a site presents a bad certificate. */
+ g_ptr_array_add (errors, _("This web site’s identification has been revoked by the trusted organization
that issued it."));
+ }
+
+ if (tls_errors & G_TLS_CERTIFICATE_INSECURE) {
+ /* Possible error message when a site presents a bad certificate. */
+ g_ptr_array_add (errors, _("This web site’s identification uses very weak encryption. It has probably
been forged."));
+ }
+
+ if (tls_errors & G_TLS_CERTIFICATE_NOT_ACTIVATED) {
+ /* Possible error message when a site presents a bad certificate. */
+ g_ptr_array_add (errors, _("This web site’s identification time-travelled from the future. Check the
date on your computer’s calendar."));
+ }
+
+ if (errors->len == 1) {
+ retval = g_strdup (g_ptr_array_index (errors, 0));
+ } else if (errors->len > 1) {
+ GString *message = g_string_new ("<ul>");
+ guint i;
+
+ for (i = 0; i < errors->len; i++) {
+ g_string_append_printf (message, "<li>%s</li>", (char *)g_ptr_array_index (errors, i));
+ }
+
+ g_string_append (message, "</ul>");
+ retval = g_string_free (message, FALSE);
+ } else {
+ g_assert_not_reached ();
+ }
+
+ g_ptr_array_free (errors, TRUE);
+
+ return retval;
+}
+
+static char *
+get_tls_error_page_message (EphyWebView *view, const char *hostname)
+{
+ EphyWebViewPrivate *priv = view->priv;
+ char *msg;
+ char *bold_hostname;
+ char *details;
+ char *warning;
+
+ bold_hostname = g_strconcat ("<strong>", hostname, "</strong>", NULL);
+ details = detailed_message_from_tls_errors (priv->tls_errors);
+ /* Message when a site's TLS certificate is invalid. %s is the site's hostname. */
+ warning = g_strdup_printf (_("This might not be the real %s."), bold_hostname);
+
+ msg = g_strdup_printf ("<p>%s</p><p>%s</p><p>%s</p><p>%s <strong>%s</strong></p>",
+ warning,
+ /* Message when a site's TLS certificate is invalid. */
+ _("When you try to connect securely, web sites present "
+ "identification to prove that your connection has not been "
+ "maliciously intercepted. There is something wrong with "
+ "this site’s identification:"),
+ details,
+ /* Message when a site's TLS certificate is invalid. */
+ _("A criminal organization or government agency may have hijacked "
+ "your connection. You should continue only if you know there is "
+ "a good reason why this site does not use trusted identification."),
+ /* Good advice from Firefox; displays when a site's TLS certificate is invalid. */
+ _("Legitimate banks, stores, and other public sites will "
+ "not ask you to do this."));
+ g_free (bold_hostname);
+ g_free (details);
+ g_free (warning);
+
+ return msg;
+}
+
/**
* ephy_web_view_load_error_page:
* @view: an #EphyWebView
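Review bot: `detailed_message_from_tls_errors` reaches `g_assert_not_reached ()` when none of the seven tested flags is set, which aborts the UI process, and with assertions compiled out it returns `retval` uninitialised. That path is reachable if `tls_errors` is ever 0 or carries a flag this list does not know. Initialise `char *retval = NULL;` and replace the final branch with a generic fallback message. Separately, `get_tls_error_page_message` concatenates `hostname` into HTML unescaped (`g_strconcat ("<strong>", hostname, "</strong>", NULL)`). The origin of `hostname` is outside this hunk, but since this page is the one that exposes the certificate-exception script object, I would pass it through `g_markup_escape_text (hostname, -1)` first.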
@@ -1716,6 +1847,7 @@ ephy_web_view_load_error_page (EphyWebView *view,
char *msg;
char *button_label;
char *stylesheet;
+ char *load_anyway_js = NULL;
const char *custom_class;
GBytes *html_file;
@@ -1768,6 +1900,17 @@ ephy_web_view_load_error_page (EphyWebView *view,
button_label = g_strdup (_("Reload Anyway"));
custom_class = "process-crash";
break;
+ case EPHY_WEB_VIEW_ERROR_INVALID_TLS_CERTIFICATE:
+ /* Page title when a site cannot be loaded. %s is the site's hostname. */
+ page_title = g_strdup_printf (_("Problem loading “%s”"), hostname);
+ /* Title of error page when a website's TLS certificate is invalid. */
+ msg_title = g_strdup (_("Look out!"));
+ msg = get_tls_error_page_message (view, hostname);
+ /* Button on error page when a website's TLS certificate is invalid. */
+ button_label = g_strdup (_("Load Anyway"));
+ custom_class = "tls-error";
+ load_anyway_js = g_strdup ("EpiphanyTLSCertificateErrorPage.allowException();");
+ break;
default:
return;
break;
@@ -1777,13 +1920,17 @@ ephy_web_view_load_error_page (EphyWebView *view,
_ephy_web_view_update_icon (view);
stylesheet = get_style_sheet ();
+
+ if (load_anyway_js == NULL)
+ load_anyway_js = g_strdup_printf ("window.location = '%s';", uri);
+
g_string_printf (html,
g_bytes_get_data (html_file, NULL),
lang, lang,
((gtk_widget_get_default_direction () == GTK_TEXT_DIR_RTL) ? "rtl" : "ltr"),
page_title,
stylesheet,
- uri,
+ load_anyway_js,
custom_class,
msg_title, msg, button_label);
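Review bot: `g_strdup_printf ("window.location = '%s';", uri)` places the URI inside a single-quoted JavaScript string without escaping, so a quote or backslash in `uri` would end the literal and the remainder would be parsed as script in the error page. The interpolation existed before in `error.html`, but the template slot now takes raw script and the error page can carry `EpiphanyTLSCertificateErrorPage`, so the consequence of a break-out is larger than before. Escape backslash, both quote characters and `<` in `uri` before formatting, and add a comment at the `g_string_printf` call noting that this argument is emitted as script, not as text. The body of `ephy_web_view_load_error_page` continues outside this hunk.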
@@ -1791,6 +1938,7 @@ ephy_web_view_load_error_page (EphyWebView *view,
g_free (stylesheet);
g_free (lang);
g_free (page_title);
+ g_free (load_anyway_js);
g_free (msg_title);
g_free (msg);
g_free (button_label);
@@ -1866,6 +2014,31 @@ load_failed_cb (WebKitWebView *web_view,
return FALSE;
}
+static gboolean
+load_failed_with_tls_error_cb (WebKitWebView *web_view,
+ GTlsCertificate *certificate,
+ GTlsCertificateFlags errors,
+ gchar *host,
+ gpointer user_data)
+{
+ EphyWebView *view = EPHY_WEB_VIEW (web_view);
+ EphyWebViewPrivate *priv = view->priv;
+
+ g_clear_object (&priv->certificate);
+ g_clear_pointer (&priv->tls_error_page_host, g_free);
+
+ priv->loading_tls_error_page = TRUE;
+ priv->certificate = g_object_ref (certificate);
+ priv->tls_errors = errors;
+ priv->tls_error_page_host = g_strdup (host);
+ ephy_web_view_set_security_level (EPHY_WEB_VIEW (web_view), EPHY_WEB_VIEW_STATE_IS_BROKEN);
+ ephy_web_view_load_error_page (EPHY_WEB_VIEW (web_view),
+ webkit_web_view_get_uri (web_view),
+ EPHY_WEB_VIEW_ERROR_INVALID_TLS_CERTIFICATE, NULL);
+
+ return TRUE;
+}
+
static void
close_web_view_cb (WebKitWebView *web_view,
gpointer user_data)
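Review bot: `priv->loading_tls_error_page` is set to TRUE in `load_failed_with_tls_error_cb` before `ephy_web_view_load_error_page` is called, and the only visible reset is in `load_changed_cb`, which consumes it on whichever load reaches that branch next. If the error page load returns early or never gets there, the following real navigation would skip the security-status refresh and keep the rejected certificate and `tls_error_page_host`; this is inferred, since `load_changed_cb` is only partly visible. Setting the flag after the error page load has actually been issued, or clearing it in the failure paths, would close that gap. A comment on the field saying which load event consumes it would make the state machine easier to review.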
@@ -1945,6 +2118,10 @@ ephy_web_view_init (EphyWebView *web_view)
G_CALLBACK (load_failed_cb),
NULL);
+ g_signal_connect (web_view, "load-failed-with-tls-errors",
+ G_CALLBACK (load_failed_with_tls_error_cb),
+ NULL);
+
g_signal_connect (web_view, "notify::zoom-level",
G_CALLBACK (zoom_changed_cb),
NULL);
diff --git a/embed/ephy-web-view.h b/embed/ephy-web-view.h
index 78f9a15..fa4bfff 100644
--- a/embed/ephy-web-view.h
+++ b/embed/ephy-web-view.h
@@ -69,7 +69,8 @@ typedef enum
typedef enum {
EPHY_WEB_VIEW_ERROR_PAGE_NETWORK_ERROR,
EPHY_WEB_VIEW_ERROR_PAGE_CRASH,
- EPHY_WEB_VIEW_ERROR_PROCESS_CRASH
+ EPHY_WEB_VIEW_ERROR_PROCESS_CRASH,
+ EPHY_WEB_VIEW_ERROR_INVALID_TLS_CERTIFICATE
} EphyWebViewErrorPage;
struct _EphyWebView
diff --git a/embed/web-extension/ephy-web-extension.c b/embed/web-extension/ephy-web-extension.c
index 75cda3c..44ca976 100644
--- a/embed/web-extension/ephy-web-extension.c
+++ b/embed/web-extension/ephy-web-extension.c
@@ -107,6 +107,9 @@ static const char introspection_xml[] =
" <arg type='s' name='host' direction='in'/>"
" </method>"
" <method name='HistoryClear'/>"
+ " <signal name='AllowTLSCertificate'>"
+ " <arg type='t' name='page_id' direction='out'/>"
+ " </signal>"
" </interface>"
"</node>";
@@ -1245,17 +1248,100 @@ static const GDBusInterfaceVTable interface_vtable = {
NULL
};
+typedef struct {
+ EphyWebExtension *extension;
+ guint64 page_id;
+} AllowTLSCertificateData;
+
+static JSValueRef
+allow_tls_certificate_cb (JSContextRef context,
+ JSObjectRef function,
+ JSObjectRef this_object,
+ size_t argument_count,
+ const JSValueRef arguments[],
+ JSValueRef *exception)
+{
+ AllowTLSCertificateData *data;
+ EphyWebExtension *extension;
+ GError *error = NULL;
+
+ data = (AllowTLSCertificateData *)JSObjectGetPrivate (this_object);
+ extension = data->extension;
+
+ if (!extension->priv->dbus_connection)
+ return;
+
+ g_dbus_connection_emit_signal (extension->priv->dbus_connection,
+ NULL,
+ EPHY_WEB_EXTENSION_OBJECT_PATH,
+ EPHY_WEB_EXTENSION_INTERFACE,
+ "AllowTLSCertificate",
+ g_variant_new ("(t)", data->page_id),
+ &error);
+
+ if (error) {
+ g_warning ("Error emitting signal AllowTLSCertificate: %s\n", error->message);
+ g_error_free (error);
+ }
+
+ return JSValueMakeUndefined (context);
+}
+
+static const JSStaticFunction tls_certificate_error_page_static_funcs[] =
+{
+ { "allowException", allow_tls_certificate_cb, kJSPropertyAttributeReadOnly |
kJSPropertyAttributeDontDelete },
+ { NULL, NULL, 0 }
+};
+
static void
-window_object_cleared_cb (WebKitScriptWorld *world,
- WebKitWebPage *web_page,
- WebKitFrame *frame,
- EphyWebExtension *extension)
+tls_certificate_error_page_finalize (JSObjectRef object)
+{
+ g_slice_free (AllowTLSCertificateData, JSObjectGetPrivate (object));
+}
+
+static void
+prepare_certificate_exception_js (WebKitScriptWorld *world,
+ WebKitWebPage *web_page,
+ WebKitFrame *frame,
+ EphyWebExtension *extension)
{
JSGlobalContextRef context;
- EphyWebOverview *overview;
+ JSObjectRef global_object;
+ JSClassDefinition class_def;
+ JSClassRef class;
+ JSObjectRef class_object;
+ JSStringRef str;
+ AllowTLSCertificateData *data;
- if (g_strcmp0 (webkit_web_page_get_uri (web_page), "ephy-about:overview") != 0)
- return;
+ context = webkit_frame_get_javascript_context_for_script_world (frame, world);
+ global_object = JSContextGetGlobalObject (context);
+
+ class_def = kJSClassDefinitionEmpty;
+ class_def.className = "EpiphanyTLSCertificateErrorPage";
+ class_def.staticFunctions = tls_certificate_error_page_static_funcs;
+ class_def.finalize = tls_certificate_error_page_finalize;
+
+ data = g_slice_alloc (sizeof (AllowTLSCertificateData));
+ data->extension = extension;
+ data->page_id = webkit_web_page_get_id (web_page);
+
+ class = JSClassCreate (&class_def);
+ class_object = JSObjectMake (context, class, data);
+ str = JSStringCreateWithUTF8CString ("EpiphanyTLSCertificateErrorPage");
+ JSObjectSetProperty (context, global_object, str, class_object, kJSPropertyAttributeNone, NULL);
+
+ JSClassRelease (class);
+ JSStringRelease (str);
+}
+
+static void
+prepare_overview (WebKitScriptWorld *world,
+ WebKitWebPage *web_page,
+ WebKitFrame *frame,
+ EphyWebExtension *extension)
+{
+ EphyWebOverview *overview;
+ JSGlobalContextRef context;
overview = ephy_web_overview_new (web_page, extension->priv->overview_model);
g_signal_connect (overview, "item-removed",
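Review bot: `allow_tls_certificate_cb` uses a bare `return;` on the missing-connection path although it returns `JSValueRef`, so JavaScriptCore receives an indeterminate value; it should be `return JSValueMakeUndefined (context);`. The function also dereferences `JSObjectGetPrivate (this_object)` unchecked, and `this_object` is whatever the calling script bound as `this`, so a call detached from the `EpiphanyTLSCertificateErrorPage` object can yield NULL private data. Add `if (data == NULL) return JSValueMakeUndefined (context);` before reading `data->extension`. `prepare_overview` continues outside this hunk.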
@@ -1266,6 +1352,35 @@ window_object_cleared_cb (WebKitScriptWorld *world,
}
static void
+window_object_cleared_cb (WebKitScriptWorld *world,
+ WebKitWebPage *web_page,
+ WebKitFrame *frame,
+ EphyWebExtension *extension)
+{
+ WebKitDOMDocument *dom_document;
+ WebKitDOMHTMLElement *html_element;
+ char *dom_url;
+
+ if (g_strcmp0 (webkit_web_page_get_uri (web_page), "ephy-about:overview") == 0) {
+ prepare_overview (world, web_page, frame, extension);
+ return;
+ }
+
+ dom_document = webkit_web_page_get_dom_document (web_page);
+ dom_url = webkit_dom_document_get_url (dom_document);
+
+ /* If webkit_web_page_get_uri is not about:blank and webkit_dom_document_get_url is
+ * about:blank, we are likely loading alternate content, so it's safe to make the
+ * certificate exception js available. This is needed by the TLS error page. */
+ if (g_strcmp0 (webkit_web_page_get_uri (web_page), "about:blank") != 0 &&
+ g_strcmp0 (dom_url, "about:blank") == 0) {
+ prepare_certificate_exception_js (world, web_page, frame, extension);
+ }
+
+ g_free (dom_url);
+}
+
+static void
ephy_web_extension_dispose (GObject *object)
{
EphyWebExtension *extension = EPHY_WEB_EXTENSION (object);
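Review bot: The `about:blank` comparison in `window_object_cleared_cb` is a heuristic, as its own comment says with "likely", and it matches any alternate-content load rather than only the TLS error page. `EpiphanyTLSCertificateErrorPage` is therefore presumably installed on the network-error and crash pages as well. Because the object lets page script request a certificate exception, the decision should not rest on this check alone: the comment should state that the UI process is the authority and must verify that a TLS error page is displayed before honouring `AllowTLSCertificate`. It is also worth restricting the injection to the main frame. `html_element` is declared but never used in the visible body.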
diff --git a/src/ephy-shell.c b/src/ephy-shell.c
index 00f1998..b16acdb 100644
--- a/src/ephy-shell.c
+++ b/src/ephy-shell.c
@@ -583,6 +583,9 @@ ephy_shell_init (EphyShell *shell)
G_CALLBACK (download_started_cb),
shell);
+ /* Do not ignore TLS errors. */
+ webkit_web_context_set_tls_errors_policy (web_context, WEBKIT_TLS_ERRORS_POLICY_FAIL);
+
/* Initialize the favicon cache as early as possible, or further
calls to webkit_web_context_get_favicon_database will fail. */
mode = ephy_embed_shell_get_mode (ephy_embed_shell_get_default ());
diff --git a/src/resources/error.html b/src/resources/error.html
index 56411b6..8b60b0f 100644
--- a/src/resources/error.html
+++ b/src/resources/error.html
@@ -25,7 +25,7 @@
<script type="text/javascript">
function load_anyway()
{
- window.location = '%s';
+ %s
}
</script>
</head>