GNOME Bugzilla – Bug 747030
Banshee performs certificate verification too late
Last modified: 2020-03-17 10:00:16 UTC
https://github.com/GNOME/banshee/commit/3e1728264da3af9fb164bb8e27814f2f266e4e0d adds TLS certificate validation, but it's performed in load-changed when the load is committed. That's too late, because the load is not committed until you've followed all HTTP redirects, but if you send an HTTP request before performing certificate validation then you leak the HTTP request to an attacker, including cookies: if you send a session cookie then the attacker can impersonate the user, otherwise it's "just" a loss of privacy of whatever's sent in the cookie.

I'm not sure if the attacker can script the page or not. In WebKit2 the page is loading in another process after load-committed is sent, so it would be a problem. In WebKit1 I imagine that is happening in another thread, so the same problem would exist, but maybe the load is blocked until you've handled the event.

Anyway, to fix this you should check the certificate after the TLS handshake but before performing the first HTTP request. You can probably use WebKitWebView::resource-request-starting, get the SoupMessage from the WebKitNetworkRequest, and then connect to notify::tls-errors since libsoup doesn't really provide any nicer API to do this properly. I haven't tested that though; use Wireshark to make sure that no application data is sent.

Note that in WebKit2 this is all handled for you automatically, so another good solution is to port to WebKit2 and delete your certificate verification code.
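The ordering problem described in the report above, as an added example that is not part of the bug report or of Banshee's code: a small Python model of a redirecting load that records which requests are on the wire before the certificate check runs. Host names, cookie values and function names are constructed for illustration, and the commit-time check is assumed to reject on any hop's certificate failure.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Hop:
    cert_ok: bool                # outcome of validating this host's TLS certificate
    redirect_to: Optional[str]   # Location target; None means final response

# Constructed sample data: hypothetical hosts and cookie values.
COOKIES = {"music.example": "session=abc123", "cdn.example": "pref=dark"}
CHAIN = {
    "music.example": Hop(cert_ok=False, redirect_to="cdn.example"),
    "cdn.example": Hop(cert_ok=True, redirect_to=None),
}

def load(chain, start, check_at):
    """Follow redirects from `start`; return (committed, requests_on_wire).

    check_at="commit": validate once, when the load is committed (the bug).
    check_at="handshake": validate after each TLS handshake, before the request.
    """
    sent, bad_cert, host = [], False, start
    while host is not None:
        hop = chain[host]
        # TLS handshake with `host` has finished; its certificate is known.
        bad_cert = bad_cert or not hop.cert_ok
        if check_at == "handshake" and bad_cert:
            return False, sent                   # abort: no application data sent
        sent.append((host, COOKIES.get(host)))   # request and cookies leave now
        host = hop.redirect_to
    # Only here, after every redirect, is the load committed.
    if check_at == "commit" and bad_cert:
        return False, sent                       # rejected, but already sent
    return True, sent

def leaked(chain, start, check_at):
    """Requests that reached a host whose certificate failed validation."""
    _, sent = load(chain, start, check_at)
    return [(h, c) for h, c in sent if not chain[h].cert_ok]

if __name__ == "__main__":
    for mode in ("commit", "handshake"):
        print(mode, load(CHAIN, "music.example", mode),
              leaked(CHAIN, "music.example", mode))
```

Both modes refuse to commit the load; only the handshake-time check does so with an empty list of sent requests, which is the property a packet capture should confirm.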
Banshee is not under active development anymore and had its last code changes more than three years ago. Its codebase has been archived. Closing this report as WONTFIX as part of Bugzilla Housekeeping to reflect reality. Please feel free to reopen this ticket (or rather transfer the project to GNOME GitLab, as GNOME Bugzilla is being shut down) if anyone takes the responsibility for active development again. See https://gitlab.gnome.org/Infrastructure/Infrastructure/issues/264 for more info.