Details
Suggestion
Resolution: Fixed
Not Evaluated
None
None
c18dfe70f (dev)
Description
Consider a website like this, loading a subresource from a host with an invalid certificate:
<!DOCTYPE html>
<html>
<body>
<img src="https://expired.badssl.com">
</body>
</html>
Hosted here for convenience: https://qutebrowser.org/tmp/resource.html
In Chromium (or other common browsers), no prompt will be shown for certificate errors in resources; the console only shows "Failed to load resource: net::ERR_CERT_DATE_INVALID".
With e.g. simplebrowser, a certificate error will be shown (which sounds like the website itself failed loading).
Either QtWebEngine shouldn't call the method at all for resources and instead silently block them (though that sounds a bit backwards incompatible); or it should provide a way for the application to check whether this is a third-party request, e.g. by providing something like QWebEngineCertificateError::firstPartyUrl().
Note that QWebEnginePage::url() won't work: If a certificate error occurs for a page after a link has been clicked, it still contains the old URL. As an example, when adding qDebug() << url(); to WebPage::certificateError in simplebrowser and clicking the "Link to badssl" link on the above (hosted) test page, the URL is still the old one, thus we'd mistakenly assume this was a resource load...
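The two cases described above, as an added example that is not part of the original report and not QtWebEngine code: a Qt-free model showing why comparing against the page's current URL misclassifies the link click, while a first-party URL separates the cases. The struct, the function names, the link target and the semantics of the proposed firstPartyUrl() (equal to the failing URL for a top-level navigation, equal to the embedding document for a subresource) are assumptions.

```cpp
#include <iostream>
#include <string>

// Constructed model of the report's two scenarios; no Qt types are used.
enum class Action { PromptUser, BlockSilently };

struct CertErrorEvent {
    std::string errorUrl;       // URL whose certificate failed
    std::string pageUrl;        // what QWebEnginePage::url() returns in the handler
    std::string firstPartyUrl;  // hypothetical accessor proposed in the report
};

// Naive check: only an error for the page's current URL counts as a page load.
Action decideByPageUrl(const CertErrorEvent &e) {
    return e.errorUrl == e.pageUrl ? Action::PromptUser : Action::BlockSilently;
}

// Assumed semantics: a top-level navigation is its own first party,
// a subresource reports the embedding document instead.
Action decideByFirstParty(const CertErrorEvent &e) {
    return e.errorUrl == e.firstPartyUrl ? Action::PromptUser : Action::BlockSilently;
}

const std::string kTestPage = "https://qutebrowser.org/tmp/resource.html";
const std::string kBadHost = "https://expired.badssl.com/";

// <img> on the test page: the page URL is current, first party is the test page.
CertErrorEvent imageLoad() { return {kBadHost, kTestPage, kTestPage}; }

// Link clicked on the test page (target assumed to be the same bad host):
// the page URL is still the old one when the handler runs.
CertErrorEvent linkClick() { return {kBadHost, kTestPage, kBadHost}; }

const char *name(Action a) {
    return a == Action::PromptUser ? "prompt" : "block silently";
}

int main() {
    std::cout << "image, page url:    " << name(decideByPageUrl(imageLoad())) << "\n"
              << "image, first party: " << name(decideByFirstParty(imageLoad())) << "\n"
              << "link,  page url:    " << name(decideByPageUrl(linkClick())) << "\n"
              << "link,  first party: " << name(decideByFirstParty(linkClick())) << "\n";
    return 0;
}
```

With the stale page URL, the link click gets the same answer as the image load, so the user never sees an error for the page they navigated to.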