New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 757633 link

Starred by 2 users
Status: Fixed
Owner:
est...@chromium.org
Closed: May 2018
Cc:
jam@chromium.org
lgar...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug
Team-Security-UX

Blocking:
issue 756654



Sign in to add a comment

Define certificate error hooks for network service

Project Member Reported by est...@chromium.org, Aug 21 2017 
For the network service, we need:
1.) A hook to decide what to do when a certificate error occurs (cancel or ignore)
2.) A hook to expose SSLInfo and whether the certificate error should be fatal when a request fails because of a certificate error. For this, we probably want to add the boolean into SSLInfo instead of carrying around a separate boolean on its own.

Comment 1 by est...@chromium.org, Aug 21 2017

Cc: lgar...@chromium.org

Comment 2 by jam@chromium.org, Aug 22 2017

Cc: jam@chromium.org
for 1): I wonder if we had a callback from network service->browser as we discussed, is it ok if network process caches this info indefinitely? I know you mentioned that we only want it to persist for a week. Is it ok to reason that most users would restart the browser more frequently than that, so if this is cached in-memory it's fine? If not I guess the API can take a duration.

for 2) we currently have kURLLoadOptionSendSSLInfo (see url_loader_factory.mojom) that lets the consumer get the SSLInfo. It's off by default since we didn't need that big data in the renderer for subresources. I'd like to understand your proposal of where the hook goes? i.e. if the renderer is making a subresource request, then it would be the one implementing URLLoaderClient and setting the URLLoader options. The certificate info interface would be network process->browser, which is a different path than SSLInfo takes.

Comment 3 by est...@chromium.org, Aug 22 2017 

1) I think caching bypasses in the network process is okay, but I have to double-check what our current behavior is. (It might already be the case that it's tied to browser restart.) But we can't cache cancellations, i.e. if the browser decides to cancel a request because of a certificate error, it might well decide to allow the request if the same error happens again.

2) For this, I just meant that we need to send SSLInfo along with OnComplete. It can be conditional on kSendSSLInfo like for OnReceiveResponse. We wouldn't need to send it on subresources (except, I guess, when DevTools is enabled). We'd only need it on main-frame navigation requests, and even then only when the request fails with a certificate error. Does that sound okay?

Comment 4 by davidben@chromium.org, Aug 22 2017 

I think we actually want the bypass state to ultimately live in the network process anyway. The way it currently works doesn't interact with the socket pools right and even causes livelocks (issue #488043).

Comment 5 by davidben@chromium.org, Aug 22 2017 

(Right now it pretends not to live in the network stack, but it actually partially does by way of the socket pools, so it's kind of a mess all around.)

Comment 6 by jam@chromium.org, Aug 22 2017 

1) sgtm (i.e. only cache approval of ignoring cert errors)
2) ah, if it's not for subresources (other than devtoolos), that's already the case. i.e. we always send SSLInfo for plznavigate-initiated frame requests

Comment 7 by laforge@google.com, Nov 7 2017

Components: Internals>Network>Service

Comment 8 by laforge@google.com, Nov 7 2017

Components: -Internals>Network>Service Internals>Services>Network
Apologies, applied the wrong component in bulk.

Comment 9 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 10 by est...@chromium.org, Feb 18 2018

Labels: -Hotlist-EnamelAndFriendsFixIt

Comment 11 by jam@chromium.org, May 22 2018

Status: Fixed (was: Assigned)
per discussion with Emily

Sign in to add a comment