GNOME Bugzilla – Bug 751709
Port to webkit2gtk-4.0
Last modified: 2016-06-19 06:07:55 UTC
This is a minimal-ish port which on the surface works for me. There are a couple of caveats. - It seems like the Facebook publishing doesn't work for me at the minute even without this patch (fails to create an album) - API update required? - Can't read Yandex so can't test it. :) - On Ubuntu Wily Facebook's TLS cert doesn't verify with wk2, https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1469803 - use Vivid. A basis to start work on WK2, maybe.
Created attachment 306384 [details] [review] Port to webkit2gtk-4.0
Created attachment 306385 [details] [review] Port to webkit2gtk-4.0
(In reply to Iain Lane from comment #0) > - It seems like the Facebook publishing doesn't work for me at the minute > even without this patch (fails to create an album) - API update required? bug #748991 (thanks Seb)
(In reply to Iain Lane from comment #0) > - On Ubuntu Wily Facebook's TLS cert doesn't verify with wk2, > https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1469803 - > use Vivid. Note, the fact that it doesn't verify "with wk2" indicates that there is very likely no verification occurring at all in wk1, where apps have to handle this themselves (and usually do so incorrectly). That is... unimpressive. Anyway, you can fix the issue with wk2 in Ubuntu by restoring the 1024-bit GTE CyberTrust Global Root certificate that you removed from your ca-certificates package. See point (2) under [1], but replace "a few months" in that email with "until 2017." There is a GNOME bug here, bug #750457, but it's not a priority for me to look at since I use Fedora, which has taken pains not to break things with ca-certificates updates [2]. Basically the problem is that upstream ca-certificates only cares about Firefox, but Firefox is more lenient with certificate chains than GNOME is. (OpenSSL will also have been broken by that change.) [1] https://mail.gnome.org/archives/distributor-list/2014-September/msg00000.html [2] https://fedoraproject.org/wiki/CA-Certificates
Review of attachment 306385 [details] [review]: ::: plugins/common/RESTSupport.vala @@ +748,1 @@ webview_frame.add(webview); What is webview_frame? if it's a scrolled window, you should remove it and pack the view directly in the parent container, since web view in wk2 is scrollable by itself. @@ +781,3 @@ + on_load_started(); + break; + case WebKit.LoadEvent.FINISHED: If you are only interested in start and finish methods, it's probably better to monitor is-loading property. ::: plugins/shotwell-publishing-extras/YandexPublishing.vala @@ +177,3 @@ + on_load_started(); + break; + case WebKit.LoadEvent.FINISHED: Same here.
Why does the patch disable XSS auditor for Facebook?
I think the patch should be seen as a starting point and right now somebody else should feel free to improve it since I'm not sure I have the time to now or in the close future.
Created attachment 316779 [details] [review] Port to webkit2gtk-4.0
Created attachment 316780 [details] [review] Don't pack webview into a scrolled window The scrollbar is drawn by WebKitWebView in WK2.
Created attachment 316781 [details] [review] Have all soup sessions validate TLS certificates Note that this commit is *not* sufficient to fix certificate verification on its own. The port to WK2 is also required, else WebKit's soup session will not verify certificates.
Created attachment 316782 [details] [review] facebook: Don't disable XSS auditor This is a separate commit to make it possible to revert easily, as I don't know why it was disabled.
mcatanzaro: Hey mclasen, could you or someone else from r-t look at https://bugzilla.gnome.org/show_bug.cgi?id=751709, https://bugzilla.gnome.org/show_bug.cgi?id=754488 bugbot: Bug 751709: shotwell, normal, Normal, ---, shotwell-maint, NEW , Port to webkit2gtk-4.0 bugbot: Bug 754488: shotwell, critical, Normal, ---, shotwell-maint, NEW , Validate TLS certificates mclasen: I don't think there's much we can do tbh. I don't forsee the release team stepping up to do shortwell maintenance mcatanzaro: mclasen: Basically the question is: do I just push the patches, or do we let them sit in Bugzilla forever :) mclasen: I would suggest to push them mcatanzaro: OK then mclasen: thanks for caring mcatanzaro: "caring"
Attachment 316779 [details] pushed as 3ae27fc - Port to webkit2gtk-4.0 Attachment 316780 [details] pushed as a2844fb - Don't pack webview into a scrolled window Attachment 316781 [details] pushed as f045b7a - Have all soup sessions validate TLS certificates Attachment 316782 [details] pushed as b6aad5e - facebook: Don't disable XSS auditor