Chromium Embedded Framework Forum

[alexeibs]

Hi all.

My question is about verificatiion SSL certificates by a custom callback. CefRequestHandler allows CEF users to do it and recently this feature has been improved. Now callback receives CefSSLInfo structure and is able to compare fingerprints, for example. I tried to implement this in my application and it seemed working but later I noticed that each document had not loaded some random resources. These resources were marked as canceled in DevTools. I've found the source of this error: https://bitbucket.org/chromiumembedded/cef/src/a82110b31ec719177c4716bcd3e00c41fa99fb43/libcef/browser/content_browser_client.cc?at=master#cl-739
The callback is called only for the main frame. Marshall could you explain this behavior please? Why can't the if block be replaced with a single line:

Code: Select all

*result = content::CERTIFICATE_REQUEST_RESULT_TYPE_CANCEL;

[magreenblatt]

I tried to implement this in my application and it seemed working but later I noticed that each document had not loaded some random resources. These resources were marked as canceled in DevTools.

Where are the canceled resources being loaded from? Is it the same HTTPS page as the main frame?

I've found the source of this error: https://bitbucket.org/chromiumembedded/cef/src/a82110b31ec719177c4716bcd3e00c41fa99fb43/libcef/browser/content_browser_client.cc?at=master#cl-739
The callback is called only for the main frame. Marshall could you explain this behavior please?

This behavior is the same as in Google Chrome: https://code.google.com/p/chromium/code ... .cc&l=1665

[alexeibs]

Where are the canceled resources being loaded from? Is it the same HTTPS page as the main frame?

I'm not sure about who initiates loading of those resources. They are loaded dynamically by javascript code. And this code is actually Java-code compiled with GWT. A standard page looks like this:

Code: Select all

<!DOCTYPE html>
<html>
   <head>
      <title>Title</title>
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
   </head>
   <!--                                           -->
   <!-- The body can have arbitrary html, or      -->
   <!-- you can leave the body empty if you want  -->
   <!-- to create a completely dynamic ui         -->
   <!--                                                         -->
   <body>
      <!-- OPTIONAL: include this if you want history support -->
      <iframe src="javascript:''" id="__gwt_historyFrame" style="width:0;height:0;border:0;display:none"></iframe>
         <script type="text/javascript" src="moduleName.nocache.js"></script>
      <div id="main"> </div>
      <div id='reqView' style='position:absolute; top: 15px; text-align: center; left: 0px; right: 0px; display: none;white-space:nowrap'></div>
   </body>
</html>

It has an iframe. Can the iframe cause the bug?

This behavior is the same as in Google Chrome:

I think Chrome does this check because it shows a warning about an invalid certificate instead of a main frame. And it shows the warning only once. At the same time the method CefContentBrowserClient::AllowCertificateError is called every time the page is reloading.

[magreenblatt]

Where are the canceled resources being loaded from? Is it the same HTTPS page as the main frame?

I'm not sure about who initiates loading of those resources. They are loaded dynamically by javascript code. And this code is actually Java-code compiled with GWT.

To rephrase my question: Are the resources loaded from the same origin (scheme + domain) as the main frame for which AllowCertificateError was called the first time?

[alexeibs]

Where are the canceled resources being loaded from? Is it the same HTTPS page as the main frame?

I'm not sure about who initiates loading of those resources. They are loaded dynamically by javascript code. And this code is actually Java-code compiled with GWT.

To rephrase my question: Are the resources loaded from the same origin (scheme + domain) as the main frame for which AllowCertificateError was called the first time?

All resources are loaded from the same origin.

[magreenblatt]

All resources are loaded from the same origin.

OK, please add an issue to the CEF issue tracker.

[alexeibs]

Issue #1590
https://bitbucket.org/chromiumembedded/cef/issue/1590/problem-with-ssl-certificate-verification