diff options
author | Florian Bruhin <me@the-compiler.org> | 2020-05-02 18:54:05 +0200 |
---|---|---|
committer | Florian Bruhin <me@the-compiler.org> | 2020-05-02 19:22:02 +0200 |
commit | a45ca9c788f648d10cccce2af41405bf25ee2948 (patch) | |
tree | 095f297512976264b042b301b432739edf0e39fc | |
parent | a42f37a0c6be5651073754dd6e62cd968df07130 (diff) | |
download | qutebrowser-a45ca9c788f648d10cccce2af41405bf25ee2948.tar.gz qutebrowser-a45ca9c788f648d10cccce2af41405bf25ee2948.zip |
Security: Remember hosts with ignored cert errors for load status
Without this change, we only set a flag when a certificate error occurred.
However, when the same certificate error then happens a second time (e.g.
because of a reload or opening the same URL again), we then colored the URL as
success_https (i.e. green) again.
See #5403
(cherry picked from commit 021ab572a319ca3db5907a33a59774f502b3b975)
-rw-r--r-- | qutebrowser/browser/browsertab.py | 16 | ||||
-rw-r--r-- | qutebrowser/browser/webengine/webenginetab.py | 4 | ||||
-rw-r--r-- | qutebrowser/browser/webkit/webkittab.py | 6 |
3 files changed, 17 insertions, 9 deletions
diff --git a/qutebrowser/browser/browsertab.py b/qutebrowser/browser/browsertab.py index eb67cf091..43d3a32c9 100644 --- a/qutebrowser/browser/browsertab.py +++ b/qutebrowser/browser/browsertab.py @@ -755,6 +755,13 @@ class AbstractTab(QWidget): renderer_process_terminated = pyqtSignal(TerminationStatus, int) predicted_navigation = pyqtSignal(QUrl) + # Hosts for which a certificate error happened. Shared between all tabs. + # + # Note that we remember hosts here, without scheme/port: + # QtWebEngine/Chromium also only remembers hostnames, and certificates are + # for a given hostname anyways. + _insecure_hosts = set() # type: typing.Set[str] + def __init__(self, *, win_id, mode_manager, private, parent=None): self.private = private self.win_id = win_id @@ -771,7 +778,6 @@ class AbstractTab(QWidget): self._layout = miscwidgets.WrapperLayout(self) self._widget = None self._progress = 0 - self._has_ssl_errors = False self._mode_manager = mode_manager self._load_status = usertypes.LoadStatus.none self._mouse_event_filter = mouse.MouseEventFilter( @@ -858,7 +864,6 @@ class AbstractTab(QWidget): @pyqtSlot() def _on_load_started(self): self._progress = 0 - self._has_ssl_errors = False self.data.viewing_source = False self._set_load_status(usertypes.LoadStatus.loading) self.load_started.emit() @@ -917,9 +922,12 @@ class AbstractTab(QWidget): sess_manager = objreg.get('session-manager') sess_manager.save_autosave() - if ok and not self._has_ssl_errors: + if ok: if self.url().scheme() == 'https': - self._set_load_status(usertypes.LoadStatus.success_https) + if self.url().host() in self._insecure_hosts: + self._set_load_status(usertypes.LoadStatus.warn) + else: + self._set_load_status(usertypes.LoadStatus.success_https) else: self._set_load_status(usertypes.LoadStatus.success) elif ok: diff --git a/qutebrowser/browser/webengine/webenginetab.py b/qutebrowser/browser/webengine/webenginetab.py index c84c295bd..8afa9de02 100644 --- a/qutebrowser/browser/webengine/webenginetab.py +++ b/qutebrowser/browser/webengine/webenginetab.py @@ -1336,9 +1336,9 @@ class WebEngineTab(browsertab.AbstractTab): @pyqtSlot(certificateerror.CertificateErrorWrapper) def _on_ssl_errors(self, error): - self._has_ssl_errors = True - url = error.url() + self._insecure_hosts.add(url.host()) + log.webview.debug("Certificate error: {}".format(error)) if error.is_overridable(): diff --git a/qutebrowser/browser/webkit/webkittab.py b/qutebrowser/browser/webkit/webkittab.py index 2edea1777..5e60f7bc1 100644 --- a/qutebrowser/browser/webkit/webkittab.py +++ b/qutebrowser/browser/webkit/webkittab.py @@ -818,9 +818,9 @@ class WebKitTab(browsertab.AbstractTab): if navigation.is_main_frame: self.settings.update_for_url(navigation.url) - @pyqtSlot() - def _on_ssl_errors(self): - self._has_ssl_errors = True + @pyqtSlot('QNetworkReply*') + def _on_ssl_errors(self, reply): + self._insecure_hosts.add(reply.url().host()) def _connect_signals(self): view = self._widget |