Issue metadata
Sign in to add a comment
|
WebViewClient: onReceivedClientCertRequest cert selection
Reported by
kavithac...@gmail.com,
Jul 8 2016
|
||||||||||||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 Steps to reproduce the problem: From api definition Webview stores the response in memory (for the life of the application) if proceed() or cancel() is called and does not call onReceivedClientCertRequest() again for the same host and port pair. Is there a way to clear this ? since app lifetime seems to be for days we do not want to retain cert selection and also we do prompt for Fingerprint for security reasons and if this mapping is stored for app lifetime we are unable to challenge user more frequently What is the expected behavior? 1) Selection should be as related to webview instance lifetime or 2) Provide a way app can clear this so we can control the frequency. What went wrong? Apps sometime live for days and this poses security concerns. Did this work before? N/A Chrome version: 51.0.2704.103 Channel: n/a OS Version: OS X 10.11.5 Flash Version: Shockwave Flash 22.0 r0 This issue is related to Webview used in Android app. Issue is raised https://code.google.com/p/android/issues/detail?id=215406 , was directed to raise it here.
,
Jul 11 2016
Updating environment we are using : Its webview within android native app on devices with Android OS version M and above.
,
Jul 11 2016
there is the clearClientCertPreferences API. https://developer.android.com/reference/android/webkit/WebView.html#clearClientCertPreferences(java.lang.Runnable) However there are limitations on how deep we can clear the preferences. Particularly various places in network stack can cache the used cert. There is not much we can do about it.
,
Jul 11 2016
,
Oct 18 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||
Comment 1 by calamity@chromium.org
, Jul 11 2016Components: Mobile>WebView
Labels: -OS-Mac OS-Android