Changeset 255461 in webkit

Timestamp:

Jan 30, 2020, 2:53:22 PM (5 years ago)

Author:

achristensen@apple.com

Message:

Add WKNavigationDelegate SPI to disable TLS 1.0 and 1.1
​https://bugs.webkit.org/show_bug.cgi?id=206979

Reviewed by Brady Eidson.

Source/WebCore/PAL:

• pal/spi/cf/CFNetworkSPI.h:

Source/WebKit:

• NetworkProcess/NetworkCORSPreflightChecker.cpp:

(WebKit::NetworkCORSPreflightChecker::didReceiveChallenge):

• NetworkProcess/NetworkCORSPreflightChecker.h:
• NetworkProcess/NetworkDataTask.h:
• NetworkProcess/NetworkLoad.cpp:

(WebKit::NetworkLoad::didReceiveChallenge):

• NetworkProcess/NetworkLoad.h:
• NetworkProcess/NetworkProcessCreationParameters.cpp:

(WebKit::NetworkProcessCreationParameters::encode const):
(WebKit::NetworkProcessCreationParameters::decode):

• NetworkProcess/NetworkProcessCreationParameters.h:
• NetworkProcess/NetworkSessionCreationParameters.cpp:

(WebKit::NetworkSessionCreationParameters::encode const):
(WebKit::NetworkSessionCreationParameters::decode):

• NetworkProcess/NetworkSessionCreationParameters.h:
• NetworkProcess/PingLoad.cpp:

(WebKit::PingLoad::didReceiveChallenge):

• NetworkProcess/PingLoad.h:
• NetworkProcess/cocoa/NetworkDataTaskCocoa.h:
• NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:

(WebKit::NetworkDataTaskCocoa::NetworkDataTaskCocoa):
(WebKit::NetworkDataTaskCocoa::didReceiveChallenge):
(WebKit::NetworkDataTaskCocoa::willPerformHTTPRedirection):

• NetworkProcess/cocoa/NetworkProcessCocoa.mm:

(WebKit::NetworkProcess::platformInitializeNetworkProcessCocoa):

• NetworkProcess/cocoa/NetworkSessionCocoa.h:
• NetworkProcess/cocoa/NetworkSessionCocoa.mm:

(processServerTrustEvaluation):
(-[WKNetworkSessionDelegate URLSession:task:didReceiveChallenge:completionHandler:]):
(WebKit::NetworkSessionCocoa::NetworkSessionCocoa):
(WebKit::NetworkSessionCocoa::continueDidReceiveChallenge):

• Shared/Authentication/AuthenticationManager.cpp:

(WebKit::AuthenticationManager::didReceiveAuthenticationChallenge):

• Shared/Authentication/AuthenticationManager.h:
• UIProcess/API/APINavigationClient.h:

(API::NavigationClient::shouldAllowLegacyTLS):

• UIProcess/API/Cocoa/WKNavigationDelegatePrivate.h:
• UIProcess/Cocoa/NavigationState.h:
• UIProcess/Cocoa/NavigationState.mm:

(WebKit::NavigationState::setNavigationDelegate):
(WebKit::systemAllowsLegacyTLSFor):
(WebKit::NavigationState::NavigationClient::shouldAllowLegacyTLS):

• UIProcess/Cocoa/WebProcessPoolCocoa.mm:

(WebKit::WebProcessPool::platformInitializeNetworkProcess):

• UIProcess/Network/NetworkProcessProxy.cpp:

(WebKit::NetworkProcessProxy::didReceiveAuthenticationChallenge):

• UIProcess/Network/NetworkProcessProxy.h:
• UIProcess/Network/NetworkProcessProxy.messages.in:
• UIProcess/WebPageProxy.cpp:
• UIProcess/WebPageProxy.h:
• UIProcess/WebsiteData/Cocoa/WebsiteDataStoreCocoa.mm:

(WebKit::WebsiteDataStore::parameters):

• UIProcess/WebsiteData/WebsiteDataStoreConfiguration.h:

Source/WebKitLegacy/mac:

• WebView/WebView.mm:

(-[WebView _commonInitializationWithFrameName:groupName:]):

Tools:

• MiniBrowser/mac/SettingsController.m:
• TestWebKitAPI/Tests/WebKitCocoa/TLSDeprecation.mm:

(-[TLSNavigationDelegate waitForDidFinishNavigation]):
(-[TLSNavigationDelegate waitForDidFailProvisionalNavigation]):
(-[TLSNavigationDelegate receivedShouldAllowLegacyTLS]):
(-[TLSNavigationDelegate webView:didReceiveAuthenticationChallenge:completionHandler:]):
(-[TLSNavigationDelegate webView:didFinishNavigation:]):
(-[TLSNavigationDelegate webView:didFailProvisionalNavigation:withError:]):
(-[TLSNavigationDelegate _webView:authenticationChallenge:shouldAllowLegacyTLS:]):
(TestWebKitAPI::TEST):

Location:

trunk

Files:

• Source/WebCore/PAL/ChangeLog (modified) (1 diff)
• Source/WebCore/PAL/pal/spi/cf/CFNetworkSPI.h (modified) (2 diffs)
• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/NetworkProcess/NetworkCORSPreflightChecker.cpp (modified) (2 diffs)
• Source/WebKit/NetworkProcess/NetworkCORSPreflightChecker.h (modified) (1 diff)
• Source/WebKit/NetworkProcess/NetworkDataTask.h (modified) (2 diffs)
• Source/WebKit/NetworkProcess/NetworkLoad.cpp (modified) (2 diffs)
• Source/WebKit/NetworkProcess/NetworkLoad.h (modified) (1 diff)
• Source/WebKit/NetworkProcess/NetworkProcessCreationParameters.cpp (modified) (2 diffs)
• Source/WebKit/NetworkProcess/NetworkProcessCreationParameters.h (modified) (1 diff)
• Source/WebKit/NetworkProcess/NetworkSessionCreationParameters.cpp (modified) (3 diffs)
• Source/WebKit/NetworkProcess/NetworkSessionCreationParameters.h (modified) (1 diff)
• Source/WebKit/NetworkProcess/PingLoad.cpp (modified) (1 diff)
• Source/WebKit/NetworkProcess/PingLoad.h (modified) (1 diff)
• Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.h (modified) (1 diff)
• Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm (modified) (5 diffs)
• Source/WebKit/NetworkProcess/cocoa/NetworkProcessCocoa.mm (modified) (1 diff)
• Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.h (modified) (2 diffs)
• Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm (modified) (7 diffs)
• Source/WebKit/NetworkProcess/curl/NetworkDataTaskCurl.cpp (modified) (3 diffs)
• Source/WebKit/NetworkProcess/soup/NetworkDataTaskSoup.cpp (modified) (1 diff)
• Source/WebKit/Shared/Authentication/AuthenticationManager.cpp (modified) (2 diffs)
• Source/WebKit/Shared/Authentication/AuthenticationManager.h (modified) (2 diffs)
• Source/WebKit/UIProcess/API/APINavigationClient.h (modified) (1 diff)
• Source/WebKit/UIProcess/API/Cocoa/WKNavigationDelegatePrivate.h (modified) (1 diff)
• Source/WebKit/UIProcess/Cocoa/NavigationState.h (modified) (2 diffs)
• Source/WebKit/UIProcess/Cocoa/NavigationState.mm (modified) (3 diffs)
• Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm (modified) (1 diff)
• Source/WebKit/UIProcess/Network/NetworkProcessProxy.cpp (modified) (4 diffs)
• Source/WebKit/UIProcess/Network/NetworkProcessProxy.h (modified) (1 diff)
• Source/WebKit/UIProcess/Network/NetworkProcessProxy.messages.in (modified) (1 diff)
• Source/WebKit/UIProcess/WebPageProxy.cpp (modified) (2 diffs)
• Source/WebKit/UIProcess/WebPageProxy.h (modified) (2 diffs)
• Source/WebKit/UIProcess/WebsiteData/Cocoa/WebsiteDataStoreCocoa.mm (modified) (2 diffs)
• Source/WebKit/UIProcess/WebsiteData/WebsiteDataStoreConfiguration.h (modified) (1 diff)
• Source/WebKitLegacy/mac/ChangeLog (modified) (1 diff)
• Source/WebKitLegacy/mac/WebView/WebView.mm (modified) (1 diff)
• Tools/ChangeLog (modified) (1 diff)
• Tools/TestWebKitAPI/Tests/WebKitCocoa/TLSDeprecation.mm (modified) (4 diffs)

trunk/Source/WebCore/PAL/ChangeLog

@@ +1 @@
+2020-01-30  Alex Christensen  <achristensen@webkit.org>
+
+        Add WKNavigationDelegate SPI to disable TLS 1.0 and 1.1
+        https://bugs.webkit.org/show_bug.cgi?id=206979
+
+        Reviewed by Brady Eidson.
+
+        * pal/spi/cf/CFNetworkSPI.h:
+
 2020-01-30  Jonathan Bedard  <jbedard@apple.com>
 

trunk/Source/WebCore/PAL/pal/spi/cf/CFNetworkSPI.h

@@ -108 +108 @@
 
 #if defined(__OBJC__)
+
+@interface NSURLSessionTask ()
+@property (readonly, retain) NSURLSessionTaskMetrics* _incompleteTaskMetrics;
+@end
 
 @interface NSURLCache ()
@@ -401 +405 @@
 @interface NSURLSessionTask ()
 - (void)_setExplicitCookieStorage:(CFHTTPCookieStorageRef)storage;
+@property (readonly) SSLProtocol _TLSNegotiatedProtocolVersion;
 @end
 

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2020-01-30  Alex Christensen  <achristensen@webkit.org>
+
+        Add WKNavigationDelegate SPI to disable TLS 1.0 and 1.1
+        https://bugs.webkit.org/show_bug.cgi?id=206979
+
+        Reviewed by Brady Eidson.
+
+        * NetworkProcess/NetworkCORSPreflightChecker.cpp:
+        (WebKit::NetworkCORSPreflightChecker::didReceiveChallenge):
+        * NetworkProcess/NetworkCORSPreflightChecker.h:
+        * NetworkProcess/NetworkDataTask.h:
+        * NetworkProcess/NetworkLoad.cpp:
+        (WebKit::NetworkLoad::didReceiveChallenge):
+        * NetworkProcess/NetworkLoad.h:
+        * NetworkProcess/NetworkProcessCreationParameters.cpp:
+        (WebKit::NetworkProcessCreationParameters::encode const):
+        (WebKit::NetworkProcessCreationParameters::decode):
+        * NetworkProcess/NetworkProcessCreationParameters.h:
+        * NetworkProcess/NetworkSessionCreationParameters.cpp:
+        (WebKit::NetworkSessionCreationParameters::encode const):
+        (WebKit::NetworkSessionCreationParameters::decode):
+        * NetworkProcess/NetworkSessionCreationParameters.h:
+        * NetworkProcess/PingLoad.cpp:
+        (WebKit::PingLoad::didReceiveChallenge):
+        * NetworkProcess/PingLoad.h:
+        * NetworkProcess/cocoa/NetworkDataTaskCocoa.h:
+        * NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:
+        (WebKit::NetworkDataTaskCocoa::NetworkDataTaskCocoa):
+        (WebKit::NetworkDataTaskCocoa::didReceiveChallenge):
+        (WebKit::NetworkDataTaskCocoa::willPerformHTTPRedirection):
+        * NetworkProcess/cocoa/NetworkProcessCocoa.mm:
+        (WebKit::NetworkProcess::platformInitializeNetworkProcessCocoa):
+        * NetworkProcess/cocoa/NetworkSessionCocoa.h:
+        * NetworkProcess/cocoa/NetworkSessionCocoa.mm:
+        (processServerTrustEvaluation):
+        (-[WKNetworkSessionDelegate URLSession:task:didReceiveChallenge:completionHandler:]):
+        (WebKit::NetworkSessionCocoa::NetworkSessionCocoa):
+        (WebKit::NetworkSessionCocoa::continueDidReceiveChallenge):
+        * Shared/Authentication/AuthenticationManager.cpp:
+        (WebKit::AuthenticationManager::didReceiveAuthenticationChallenge):
+        * Shared/Authentication/AuthenticationManager.h:
+        * UIProcess/API/APINavigationClient.h:
+        (API::NavigationClient::shouldAllowLegacyTLS):
+        * UIProcess/API/Cocoa/WKNavigationDelegatePrivate.h:
+        * UIProcess/Cocoa/NavigationState.h:
+        * UIProcess/Cocoa/NavigationState.mm:
+        (WebKit::NavigationState::setNavigationDelegate):
+        (WebKit::systemAllowsLegacyTLSFor):
+        (WebKit::NavigationState::NavigationClient::shouldAllowLegacyTLS):
+        * UIProcess/Cocoa/WebProcessPoolCocoa.mm:
+        (WebKit::WebProcessPool::platformInitializeNetworkProcess):
+        * UIProcess/Network/NetworkProcessProxy.cpp:
+        (WebKit::NetworkProcessProxy::didReceiveAuthenticationChallenge):
+        * UIProcess/Network/NetworkProcessProxy.h:
+        * UIProcess/Network/NetworkProcessProxy.messages.in:
+        * UIProcess/WebPageProxy.cpp:
+        * UIProcess/WebPageProxy.h:
+        * UIProcess/WebsiteData/Cocoa/WebsiteDataStoreCocoa.mm:
+        (WebKit::WebsiteDataStore::parameters):
+        * UIProcess/WebsiteData/WebsiteDataStoreConfiguration.h:
+
 2020-01-30  Tim Horton  <timothy_horton@apple.com>
 

trunk/Source/WebKit/NetworkProcess/NetworkCORSPreflightChecker.cpp

@@ -89 +89 @@
 }
 
-void NetworkCORSPreflightChecker::didReceiveChallenge(WebCore::AuthenticationChallenge&& challenge, ChallengeCompletionHandler&& completionHandler)
+void NetworkCORSPreflightChecker::didReceiveChallenge(WebCore::AuthenticationChallenge&& challenge, NegotiatedLegacyTLS negotiatedLegacyTLS, ChallengeCompletionHandler&& completionHandler)
 {
     RELEASE_LOG_IF_ALLOWED("didReceiveChallenge, authentication scheme: %u", challenge.protectionSpace().authenticationScheme());
@@ -102 +102 @@
     }
 
-    m_networkProcess->authenticationManager().didReceiveAuthenticationChallenge(m_parameters.sessionID, m_parameters.webPageProxyID, m_parameters.topOrigin ? &m_parameters.topOrigin->data() : nullptr, challenge, WTFMove(completionHandler));
+    m_networkProcess->authenticationManager().didReceiveAuthenticationChallenge(m_parameters.sessionID, m_parameters.webPageProxyID, m_parameters.topOrigin ? &m_parameters.topOrigin->data() : nullptr, challenge, negotiatedLegacyTLS, WTFMove(completionHandler));
 }
 

trunk/Source/WebKit/NetworkProcess/NetworkCORSPreflightChecker.h

@@ -69 +69 @@
 private:
     void willPerformHTTPRedirection(WebCore::ResourceResponse&&, WebCore::ResourceRequest&&, RedirectCompletionHandler&&) final;
-    void didReceiveChallenge(WebCore::AuthenticationChallenge&&, ChallengeCompletionHandler&&) final;
+    void didReceiveChallenge(WebCore::AuthenticationChallenge&&, NegotiatedLegacyTLS, ChallengeCompletionHandler&&) final;
     void didReceiveResponse(WebCore::ResourceResponse&&, ResponseCompletionHandler&&) final;
     void didReceiveData(Ref<WebCore::SharedBuffer>&&) final;

trunk/Source/WebKit/NetworkProcess/NetworkDataTask.h

@@ -53 +53 @@
 class PendingDownload;
 enum class AuthenticationChallengeDisposition : uint8_t;
+enum class NegotiatedLegacyTLS : bool;
 
 using RedirectCompletionHandler = CompletionHandler<void(WebCore::ResourceRequest&&)>;
@@ -61 +62 @@
 public:
     virtual void willPerformHTTPRedirection(WebCore::ResourceResponse&&, WebCore::ResourceRequest&&, RedirectCompletionHandler&&) = 0;
-    virtual void didReceiveChallenge(WebCore::AuthenticationChallenge&&, ChallengeCompletionHandler&&) = 0;
+    virtual void didReceiveChallenge(WebCore::AuthenticationChallenge&&, NegotiatedLegacyTLS, ChallengeCompletionHandler&&) = 0;
     virtual void didReceiveResponse(WebCore::ResourceResponse&&, ResponseCompletionHandler&&) = 0;
     virtual void didReceiveData(Ref<WebCore::SharedBuffer>&&) = 0;

trunk/Source/WebKit/NetworkProcess/NetworkLoad.cpp

@@ -188 +188 @@
 }
 
-void NetworkLoad::didReceiveChallenge(AuthenticationChallenge&& challenge, ChallengeCompletionHandler&& completionHandler)
+void NetworkLoad::didReceiveChallenge(AuthenticationChallenge&& challenge, NegotiatedLegacyTLS negotiatedLegacyTLS, ChallengeCompletionHandler&& completionHandler)
 {
     m_client.get().didReceiveChallenge(challenge);
@@ -204 +204 @@
         m_networkProcess->authenticationManager().didReceiveAuthenticationChallenge(*pendingDownload, challenge, WTFMove(completionHandler));
     else
-        m_networkProcess->authenticationManager().didReceiveAuthenticationChallenge(m_task->sessionID(), m_parameters.webPageProxyID, m_parameters.topOrigin ? &m_parameters.topOrigin->data() : nullptr, challenge, WTFMove(completionHandler));
+        m_networkProcess->authenticationManager().didReceiveAuthenticationChallenge(m_task->sessionID(), m_parameters.webPageProxyID, m_parameters.topOrigin ? &m_parameters.topOrigin->data() : nullptr, challenge, negotiatedLegacyTLS, WTFMove(completionHandler));
 }
 

trunk/Source/WebKit/NetworkProcess/NetworkLoad.h

@@ -74 +74 @@
     // NetworkDataTaskClient
     void willPerformHTTPRedirection(WebCore::ResourceResponse&&, WebCore::ResourceRequest&&, RedirectCompletionHandler&&) final;
-    void didReceiveChallenge(WebCore::AuthenticationChallenge&&, ChallengeCompletionHandler&&) final;
+    void didReceiveChallenge(WebCore::AuthenticationChallenge&&, NegotiatedLegacyTLS, ChallengeCompletionHandler&&) final;
     void didReceiveResponse(WebCore::ResourceResponse&&, ResponseCompletionHandler&&) final;
     void didReceiveData(Ref<WebCore::SharedBuffer>&&) final;

trunk/Source/WebKit/NetworkProcess/NetworkProcessCreationParameters.cpp

@@ -78 +78 @@
     encoder << hstsStorageDirectory;
     encoder << hstsStorageDirectoryExtensionHandle;
-    encoder << enableLegacyTLS;
 }
 
@@ -180 +179 @@
     if (!decoder.decode(result.hstsStorageDirectoryExtensionHandle))
         return false;
-    
-    if (!decoder.decode(result.enableLegacyTLS))
-        return false;
 
     return true;

trunk/Source/WebKit/NetworkProcess/NetworkProcessCreationParameters.h

@@ -98 +98 @@
     String hstsStorageDirectory;
     SandboxExtension::Handle hstsStorageDirectoryExtensionHandle;
-    bool enableLegacyTLS { false };
 };
 

trunk/Source/WebKit/NetworkProcess/NetworkSessionCreationParameters.cpp

@@ -52 +52 @@
     encoder << httpProxy;
     encoder << httpsProxy;
-    encoder << enableLegacyTLS;
 #endif
 #if USE(SOUP)
@@ -138 +137 @@
     decoder >> httpsProxy;
     if (!httpsProxy)
-        return WTF::nullopt;
-
-    Optional<bool> enableLegacyTLS;
-    decoder >> enableLegacyTLS;
-    if (!enableLegacyTLS)
         return WTF::nullopt;
 #endif
@@ -289 +283 @@
         , WTFMove(*httpProxy)
         , WTFMove(*httpsProxy)
-        , WTFMove(*enableLegacyTLS)
 #endif
 #if USE(SOUP)

trunk/Source/WebKit/NetworkProcess/NetworkSessionCreationParameters.h

@@ -71 +71 @@
     URL httpProxy;
     URL httpsProxy;
-    bool enableLegacyTLS { false };
 #endif
 #if USE(SOUP)

trunk/Source/WebKit/NetworkProcess/PingLoad.cpp

@@ -147 +147 @@
 }
 
-void PingLoad::didReceiveChallenge(AuthenticationChallenge&& challenge, ChallengeCompletionHandler&& completionHandler)
+void PingLoad::didReceiveChallenge(AuthenticationChallenge&& challenge, NegotiatedLegacyTLS negotiatedLegacyTLS, ChallengeCompletionHandler&& completionHandler)
 {
     RELEASE_LOG_IF_ALLOWED("didReceiveChallenge");
     if (challenge.protectionSpace().authenticationScheme() == ProtectionSpaceAuthenticationSchemeServerTrustEvaluationRequested) {
-        m_networkLoadChecker->networkProcess().authenticationManager().didReceiveAuthenticationChallenge(m_sessionID, m_parameters.webPageProxyID,  m_parameters.topOrigin ? &m_parameters.topOrigin->data() : nullptr, challenge, WTFMove(completionHandler));
+        m_networkLoadChecker->networkProcess().authenticationManager().didReceiveAuthenticationChallenge(m_sessionID, m_parameters.webPageProxyID,  m_parameters.topOrigin ? &m_parameters.topOrigin->data() : nullptr, challenge, negotiatedLegacyTLS, WTFMove(completionHandler));
         return;
     }

trunk/Source/WebKit/NetworkProcess/PingLoad.h

@@ -53 +53 @@
 
     void willPerformHTTPRedirection(WebCore::ResourceResponse&&, WebCore::ResourceRequest&&, RedirectCompletionHandler&&) final;
-    void didReceiveChallenge(WebCore::AuthenticationChallenge&&, ChallengeCompletionHandler&&) final;
+    void didReceiveChallenge(WebCore::AuthenticationChallenge&&, NegotiatedLegacyTLS, ChallengeCompletionHandler&&) final;
     void didReceiveResponse(WebCore::ResourceResponse&&, ResponseCompletionHandler&&) final;
     void didReceiveData(Ref<WebCore::SharedBuffer>&&) final;

trunk/Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.h

@@ -53 +53 @@
 
     void didSendData(uint64_t totalBytesSent, uint64_t totalBytesExpectedToSend);
-    void didReceiveChallenge(WebCore::AuthenticationChallenge&&, ChallengeCompletionHandler&&);
+    void didReceiveChallenge(WebCore::AuthenticationChallenge&&, NegotiatedLegacyTLS, ChallengeCompletionHandler&&);
     void didCompleteWithError(const WebCore::ResourceError&, const WebCore::NetworkLoadMetrics&);
     void didReceiveResponse(WebCore::ResourceResponse&&, ResponseCompletionHandler&&);

trunk/Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm

@@ -53 +53 @@
 #endif
 
-#if __has_include(<WebKitAdditions/NetworkDataTaskCocoaAdditions.h>)
-#include <WebKitAdditions/NetworkDataTaskCocoaAdditions.h>
-#else
-#define NETWORK_DATA_TASK_COCOA_ADDITIONS_1
-#define NETWORK_DATA_TASK_COCOA_ADDITIONS_2
-#endif
-
 #if HAVE(OS_SIGNPOST)
 
@@ -286 +279 @@
 
     m_task = [m_sessionWrapper.session dataTaskWithRequest:nsRequest];
-    
-    NETWORK_DATA_TASK_COCOA_ADDITIONS_1;
 
     BEGIN_SIGNPOST(m_task, "%{public}s pri: %f preconnect: %d", url.string().ascii().data(), toNSURLSessionTaskPriority(request.priority()), shouldPreconnectOnly == PreconnectOnly::Yes);
@@ -349 +340 @@
 }
 
-void NetworkDataTaskCocoa::didReceiveChallenge(WebCore::AuthenticationChallenge&& challenge, ChallengeCompletionHandler&& completionHandler)
+void NetworkDataTaskCocoa::didReceiveChallenge(WebCore::AuthenticationChallenge&& challenge, NegotiatedLegacyTLS negotiatedLegacyTLS, ChallengeCompletionHandler&& completionHandler)
 {
     EMIT_SIGNPOST(m_task, "received challenge");
@@ -357 +348 @@
 
     if (m_client)
-        m_client->didReceiveChallenge(WTFMove(challenge), WTFMove(completionHandler));
+        m_client->didReceiveChallenge(WTFMove(challenge), negotiatedLegacyTLS, WTFMove(completionHandler));
     else {
         ASSERT_NOT_REACHED();
@@ -461 +452 @@
             if (!request.isNull())
                 restrictRequestReferrerToOriginIfNeeded(request);
-
-            NETWORK_DATA_TASK_COCOA_ADDITIONS_2;
-
             completionHandler(WTFMove(request));
         });

trunk/Source/WebKit/NetworkProcess/cocoa/NetworkProcessCocoa.mm

@@ -71 +71 @@
 void NetworkProcess::platformInitializeNetworkProcessCocoa(const NetworkProcessCreationParameters& parameters)
 {
-    WebCore::SocketStreamHandleImpl::setLegacyTLSEnabled(parameters.enableLegacyTLS);
-
     WebCore::setApplicationBundleIdentifier(parameters.uiProcessBundleIdentifier);
     WebCore::setApplicationSDKVersion(parameters.uiProcessSDKVersion);

trunk/Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.h

@@ -46 +46 @@
 namespace WebKit {
 
+enum class NegotiatedLegacyTLS : bool;
 class LegacyCustomProtocolManager;
 class NetworkSessionCocoa;
@@ -79 +80 @@
     static bool allowsSpecificHTTPSCertificateForHost(const WebCore::AuthenticationChallenge&);
 
-    void continueDidReceiveChallenge(SessionWrapper&, const WebCore::AuthenticationChallenge&, NetworkDataTaskCocoa::TaskIdentifier, NetworkDataTaskCocoa*, CompletionHandler<void(WebKit::AuthenticationChallengeDisposition, const WebCore::Credential&)>&&);
+    void continueDidReceiveChallenge(SessionWrapper&, const WebCore::AuthenticationChallenge&, NegotiatedLegacyTLS, NetworkDataTaskCocoa::TaskIdentifier, NetworkDataTaskCocoa*, CompletionHandler<void(WebKit::AuthenticationChallengeDisposition, const WebCore::Credential&)>&&);
 
     SessionWrapper& sessionWrapperForDownloads() { return m_sessionWithCredentialStorage; }

trunk/Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm

@@ -597 +597 @@
 
 #if HAVE(CFNETWORK_NSURLSESSION_STRICTRUSTEVALUATE)
-static inline void processServerTrustEvaluation(NetworkSessionCocoa *session, SessionWrapper& sessionWrapper, NSURLAuthenticationChallenge *challenge, NetworkDataTaskCocoa::TaskIdentifier taskIdentifier, NetworkDataTaskCocoa* networkDataTask, CompletionHandler<void(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential)>&& completionHandler)
-{
-    session->continueDidReceiveChallenge(sessionWrapper, challenge, taskIdentifier, networkDataTask, [completionHandler = WTFMove(completionHandler), secTrust = retainPtr(challenge.protectionSpace.serverTrust)] (WebKit::AuthenticationChallengeDisposition disposition, const WebCore::Credential& credential) mutable {
+static inline void processServerTrustEvaluation(NetworkSessionCocoa& session, SessionWrapper& sessionWrapper, NSURLAuthenticationChallenge *challenge, NegotiatedLegacyTLS negotiatedLegacyTLS, NetworkDataTaskCocoa::TaskIdentifier taskIdentifier, NetworkDataTaskCocoa* networkDataTask, CompletionHandler<void(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential)>&& completionHandler)
+{
+    session.continueDidReceiveChallenge(sessionWrapper, challenge, negotiatedLegacyTLS, taskIdentifier, networkDataTask, [completionHandler = WTFMove(completionHandler), secTrust = retainPtr(challenge.protectionSpace.serverTrust)] (WebKit::AuthenticationChallengeDisposition disposition, const WebCore::Credential& credential) mutable {
         // FIXME: UIProcess should send us back non nil credentials but the credential IPC encoder currently only serializes ns credentials for username/password.
         if (disposition == WebKit::AuthenticationChallengeDisposition::UseCredential && !credential.nsCredential()) {
@@ -629 +629 @@
     }
 
+    NegotiatedLegacyTLS negotiatedLegacyTLS = NegotiatedLegacyTLS::No;
+
     if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
         if (NetworkSessionCocoa::allowsSpecificHTTPSCertificateForHost(challenge))
             return completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
 
+#if HAVE(TLS_PROTOCOL_VERSION_T)
+        NSURLSessionTaskTransactionMetrics *metrics = task._incompleteTaskMetrics.transactionMetrics.lastObject;
+        auto tlsVersion = (tls_protocol_version_t)metrics.negotiatedTLSProtocolVersion.unsignedShortValue;
+        if (tlsVersion == tls_protocol_version_TLSv10 || tlsVersion == tls_protocol_version_TLSv11)
+            negotiatedLegacyTLS = NegotiatedLegacyTLS::Yes;
+#endif
+        ALLOW_DEPRECATED_DECLARATIONS_BEGIN
+        if (negotiatedLegacyTLS == NegotiatedLegacyTLS::No && [task respondsToSelector:@selector(_TLSNegotiatedProtocolVersion)]) {
+            SSLProtocol tlsVersion = [task _TLSNegotiatedProtocolVersion];
+            if (tlsVersion == kTLSProtocol11 || tlsVersion == kTLSProtocol1)
+                negotiatedLegacyTLS = NegotiatedLegacyTLS::Yes;
+        }
+        ALLOW_DEPRECATED_DECLARATIONS_END
+
         // Handle server trust evaluation at platform-level if requested, for performance reasons and to use ATS defaults.
-        if (sessionCocoa->fastServerTrustEvaluationEnabled()) {
+        if (sessionCocoa->fastServerTrustEvaluationEnabled() && negotiatedLegacyTLS == NegotiatedLegacyTLS::No) {
 #if HAVE(CFNETWORK_NSURLSESSION_STRICTRUSTEVALUATE)
             auto* networkDataTask = [self existingTask:task];
             ASSERT(networkDataTask);
-            auto decisionHandler = makeBlockPtr([weakSelf = WeakObjCPtr<WKNetworkSessionDelegate>(self), sessionCocoa = makeWeakPtr(sessionCocoa), completionHandler = makeBlockPtr(completionHandler), taskIdentifier, networkDataTask = RefPtr<NetworkDataTaskCocoa>(networkDataTask)](NSURLAuthenticationChallenge *challenge, OSStatus trustResult) mutable {
+            auto decisionHandler = makeBlockPtr([weakSelf = WeakObjCPtr<WKNetworkSessionDelegate>(self), sessionCocoa = makeWeakPtr(sessionCocoa), completionHandler = makeBlockPtr(completionHandler), taskIdentifier, networkDataTask = makeRefPtr(networkDataTask), negotiatedLegacyTLS](NSURLAuthenticationChallenge *challenge, OSStatus trustResult) mutable {
                 auto strongSelf = weakSelf.get();
                 if (!strongSelf)
@@ -648 +664 @@
                     return;
                 }
-                processServerTrustEvaluation(session, *strongSelf->_sessionWrapper, challenge, taskIdentifier, task.get(), WTFMove(completionHandler));
+                processServerTrustEvaluation(*session, *strongSelf->_sessionWrapper, challenge, negotiatedLegacyTLS, taskIdentifier, task.get(), WTFMove(completionHandler));
             });
             [NSURLSession _strictTrustEvaluate:challenge queue:[NSOperationQueue mainQueue].underlyingQueue completionHandler:decisionHandler.get()];
@@ -657 +673 @@
         }
     }
-    sessionCocoa->continueDidReceiveChallenge(*_sessionWrapper, challenge, taskIdentifier, [self existingTask:task], [completionHandler = makeBlockPtr(completionHandler)] (WebKit::AuthenticationChallengeDisposition disposition, const WebCore::Credential& credential) mutable {
+    sessionCocoa->continueDidReceiveChallenge(*_sessionWrapper, challenge, negotiatedLegacyTLS, taskIdentifier, [self existingTask:task], [completionHandler = makeBlockPtr(completionHandler)] (WebKit::AuthenticationChallengeDisposition disposition, const WebCore::Credential& credential) mutable {
         completionHandler(toNSURLSessionAuthChallengeDisposition(disposition), credential.nsCredential());
     });
@@ -1019 +1035 @@
 
     NSURLSessionConfiguration *configuration = configurationForSessionID(m_sessionID);
-
-    if (!parameters.enableLegacyTLS) {
-#if HAVE(TLS_PROTOCOL_VERSION_T)
-        configuration.TLSMinimumSupportedProtocolVersion = tls_protocol_version_TLSv12;
-#else
-        configuration.TLSMinimumSupportedProtocol = kTLSProtocol12;
-#endif
-    }
 
 #if HAVE(APP_SSO)
@@ -1298 +1306 @@
 }
 
-void NetworkSessionCocoa::continueDidReceiveChallenge(SessionWrapper& sessionWrapper, const WebCore::AuthenticationChallenge& challenge, NetworkDataTaskCocoa::TaskIdentifier taskIdentifier, NetworkDataTaskCocoa* networkDataTask, CompletionHandler<void(WebKit::AuthenticationChallengeDisposition, const WebCore::Credential&)>&& completionHandler)
+void NetworkSessionCocoa::continueDidReceiveChallenge(SessionWrapper& sessionWrapper, const WebCore::AuthenticationChallenge& challenge, NegotiatedLegacyTLS negotiatedLegacyTLS, NetworkDataTaskCocoa::TaskIdentifier taskIdentifier, NetworkDataTaskCocoa* networkDataTask, CompletionHandler<void(WebKit::AuthenticationChallengeDisposition, const WebCore::Credential&)>&& completionHandler)
 {
     if (!networkDataTask) {
@@ -1350 +1358 @@
         completionHandler(disposition, credential);
     };
-    networkDataTask->didReceiveChallenge(WTFMove(authenticationChallenge), WTFMove(challengeCompletionHandler));
+    networkDataTask->didReceiveChallenge(WTFMove(authenticationChallenge), negotiatedLegacyTLS, WTFMove(challengeCompletionHandler));
 }
 

trunk/Source/WebKit/NetworkProcess/curl/NetworkDataTaskCurl.cpp

@@ -355 +355 @@
     }
 
-    m_client->didReceiveChallenge(AuthenticationChallenge(challenge), [this, protectedThis = makeRef(*this), challenge](AuthenticationChallengeDisposition disposition, const Credential& credential) {
+    m_client->didReceiveChallenge(AuthenticationChallenge(challenge), NegotiatedLegacyTLS::No, [this, protectedThis = makeRef(*this), challenge](AuthenticationChallengeDisposition disposition, const Credential& credential) {
         if (m_state == State::Canceling || m_state == State::Completed)
             return;
@@ -381 +381 @@
 void NetworkDataTaskCurl::tryProxyAuthentication(WebCore::AuthenticationChallenge&& challenge)
 {
-    m_client->didReceiveChallenge(AuthenticationChallenge(challenge), [this, protectedThis = makeRef(*this), challenge](AuthenticationChallengeDisposition disposition, const Credential& credential) {
+    m_client->didReceiveChallenge(AuthenticationChallenge(challenge), NegotiatedLegacyTLS::No, [this, protectedThis = makeRef(*this), challenge](AuthenticationChallengeDisposition disposition, const Credential& credential) {
         if (m_state == State::Canceling || m_state == State::Completed)
             return;
@@ -406 +406 @@
 void NetworkDataTaskCurl::tryServerTrustEvaluation(AuthenticationChallenge&& challenge)
 {
-    m_client->didReceiveChallenge(AuthenticationChallenge(challenge), [this, protectedThis = makeRef(*this), challenge](AuthenticationChallengeDisposition disposition, const Credential& credential) {
+    m_client->didReceiveChallenge(AuthenticationChallenge(challenge), NegotiatedLegacyTLS::No, [this, protectedThis = makeRef(*this), challenge](AuthenticationChallengeDisposition disposition, const Credential& credential) {
         if (m_state == State::Canceling || m_state == State::Completed)
             return;

trunk/Source/WebKit/NetworkProcess/soup/NetworkDataTaskSoup.cpp

@@ -532 +532 @@
 void NetworkDataTaskSoup::continueAuthenticate(AuthenticationChallenge&& challenge)
 {
-    m_client->didReceiveChallenge(AuthenticationChallenge(challenge), [this, protectedThis = makeRef(*this), challenge](AuthenticationChallengeDisposition disposition, const Credential& credential) {
+    m_client->didReceiveChallenge(AuthenticationChallenge(challenge), NegotiatedLegacyTLS::No, [this, protectedThis = makeRef(*this), challenge](AuthenticationChallengeDisposition disposition, const Credential& credential) {
         if (m_state == State::Canceling || m_state == State::Completed) {
             clearRequest();

trunk/Source/WebKit/Shared/Authentication/AuthenticationManager.cpp

@@ -110 +110 @@
 }
 
-void AuthenticationManager::didReceiveAuthenticationChallenge(PAL::SessionID sessionID, WebPageProxyIdentifier pageID, const SecurityOriginData* topOrigin, const AuthenticationChallenge& authenticationChallenge, ChallengeCompletionHandler&& completionHandler)
+void AuthenticationManager::didReceiveAuthenticationChallenge(PAL::SessionID sessionID, WebPageProxyIdentifier pageID, const SecurityOriginData* topOrigin, const AuthenticationChallenge& authenticationChallenge, NegotiatedLegacyTLS negotiatedLegacyTLS, ChallengeCompletionHandler&& completionHandler)
 {
     if (!pageID)
@@ -124 +124 @@
     if (topOrigin)
         topOriginData = *topOrigin;
-    m_process.send(Messages::NetworkProcessProxy::DidReceiveAuthenticationChallenge(sessionID, pageID, topOriginData, authenticationChallenge, challengeID));
+    m_process.send(Messages::NetworkProcessProxy::DidReceiveAuthenticationChallenge(sessionID, pageID, topOriginData, authenticationChallenge, negotiatedLegacyTLS == NegotiatedLegacyTLS::Yes, challengeID));
 }
 

trunk/Source/WebKit/Shared/Authentication/AuthenticationManager.h

@@ -58 +58 @@
 class NetworkProcess;
 class WebFrame;
+enum class NegotiatedLegacyTLS : bool { No, Yes };
 
 enum class AuthenticationChallengeDisposition : uint8_t;
@@ -70 +71 @@
     static const char* supplementName();
 
-    void didReceiveAuthenticationChallenge(PAL::SessionID, WebPageProxyIdentifier, const WebCore::SecurityOriginData* , const WebCore::AuthenticationChallenge&, ChallengeCompletionHandler&&);
+    void didReceiveAuthenticationChallenge(PAL::SessionID, WebPageProxyIdentifier, const WebCore::SecurityOriginData* , const WebCore::AuthenticationChallenge&, NegotiatedLegacyTLS, ChallengeCompletionHandler&&);
     void didReceiveAuthenticationChallenge(IPC::MessageSender& download, const WebCore::AuthenticationChallenge&, ChallengeCompletionHandler&&);
 

trunk/Source/WebKit/UIProcess/API/APINavigationClient.h

@@ -97 +97 @@
 
     virtual void didReceiveAuthenticationChallenge(WebKit::WebPageProxy&, WebKit::AuthenticationChallengeProxy& challenge) { challenge.listener().completeChallenge(WebKit::AuthenticationChallengeDisposition::PerformDefaultHandling); }
+    virtual void shouldAllowLegacyTLS(WebKit::WebPageProxy&, WebKit::AuthenticationChallengeProxy&, CompletionHandler<void(bool)>&& completionHandler) { completionHandler(true); }
     virtual bool shouldBypassContentModeSafeguards() const { return false; }
 

trunk/Source/WebKit/UIProcess/API/Cocoa/WKNavigationDelegatePrivate.h

@@ -87 +87 @@
 - (NSData *)_webCryptoMasterKeyForWebView:(WKWebView *)webView;
 
+- (void)_webView:(WKWebView *)webView authenticationChallenge:(NSURLAuthenticationChallenge *)challenge shouldAllowLegacyTLS:(void (^)(BOOL))completionHandler WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
+
 - (void)_webViewDidBeginNavigationGesture:(WKWebView *)webView;
 // Item is nil if the gesture ended without navigation.

trunk/Source/WebKit/UIProcess/Cocoa/NavigationState.h

@@ -113 +113 @@
 
         void didReceiveAuthenticationChallenge(WebPageProxy&, AuthenticationChallengeProxy&) override;
+        void shouldAllowLegacyTLS(WebPageProxy&, AuthenticationChallengeProxy&, CompletionHandler<void(bool)>&&) final;
         bool processDidTerminate(WebPageProxy&, ProcessTerminationReason) override;
         void processDidBecomeResponsive(WebPageProxy&) override;
@@ -216 +217 @@
         bool webViewRenderingProgressDidChange : 1;
         bool webViewDidReceiveAuthenticationChallengeCompletionHandler : 1;
+        bool webViewAuthenticationChallengeShouldAllowLegacyTLS : 1;
         bool webViewWebContentProcessDidTerminate : 1;
         bool webViewWebContentProcessDidTerminateWithReason : 1;

trunk/Source/WebKit/UIProcess/Cocoa/NavigationState.mm

@@ -80 +80 @@
 #import <wtf/URL.h>
 
+#if PLATFORM(IOS_FAMILY) && !PLATFORM(MACCATALYST)
+#import <pal/ios/ManagedConfigurationSoftLink.h>
+#import <pal/spi/ios/ManagedConfigurationSPI.h>
+#endif
+
 #if HAVE(APP_LINKS)
 #import <pal/spi/cocoa/LaunchServicesSPI.h>
@@ -167 +172 @@
     m_navigationDelegateMethods.webViewRenderingProgressDidChange = [delegate respondsToSelector:@selector(_webView:renderingProgressDidChange:)];
     m_navigationDelegateMethods.webViewDidReceiveAuthenticationChallengeCompletionHandler = [delegate respondsToSelector:@selector(webView:didReceiveAuthenticationChallenge:completionHandler:)];
+    m_navigationDelegateMethods.webViewAuthenticationChallengeShouldAllowLegacyTLS = [delegate respondsToSelector:@selector(_webView:authenticationChallenge:shouldAllowLegacyTLS:)];
     m_navigationDelegateMethods.webViewWebContentProcessDidTerminate = [delegate respondsToSelector:@selector(webViewWebContentProcessDidTerminate:)];
     m_navigationDelegateMethods.webViewWebContentProcessDidTerminateWithReason = [delegate respondsToSelector:@selector(_webView:webContentProcessDidTerminateWithReason:)];
@@ -974 +980 @@
 }
 
+static bool systemAllowsLegacyTLSFor(WebPageProxy& page)
+{
+    bool enableLegacyTLS = page.websiteDataStore().configuration().legacyTLSEnabled();
+    if (id value = [[NSUserDefaults standardUserDefaults] objectForKey:@"WebKitEnableLegacyTLS"])
+        enableLegacyTLS = [value boolValue];
+    if (!enableLegacyTLS) {
+#if PLATFORM(IOS_FAMILY) && !PLATFORM(MACCATALYST)
+        enableLegacyTLS = [[PAL::getMCProfileConnectionClass() sharedConnection] effectiveBoolValueForSetting:@"allowDeprecatedWebKitTLS"] == MCRestrictedBoolExplicitYes;
+#elif PLATFORM(MAC)
+        enableLegacyTLS = CFPreferencesGetAppBooleanValue(CFSTR("allowDeprecatedWebKitTLS"), CFSTR("com.apple.applicationaccess"), nullptr);
+#endif
+    }
+    return enableLegacyTLS;
+}
+
+void NavigationState::NavigationClient::shouldAllowLegacyTLS(WebPageProxy& page, AuthenticationChallengeProxy& authenticationChallenge, CompletionHandler<void(bool)>&& completionHandler)
+{
+    if (!m_navigationState.m_navigationDelegateMethods.webViewAuthenticationChallengeShouldAllowLegacyTLS)
+        return completionHandler(systemAllowsLegacyTLSFor(page));
+
+    auto navigationDelegate = m_navigationState.m_navigationDelegate.get();
+    if (!navigationDelegate)
+        return completionHandler(systemAllowsLegacyTLSFor(page));
+
+    auto checker = CompletionHandlerCallChecker::create(navigationDelegate.get(), @selector(_webView:authenticationChallenge:shouldAllowLegacyTLS:));
+    [static_cast<id <WKNavigationDelegatePrivate>>(navigationDelegate.get()) _webView:m_navigationState.m_webView authenticationChallenge:wrapper(authenticationChallenge) shouldAllowLegacyTLS:makeBlockPtr([checker = WTFMove(checker), completionHandler = WTFMove(completionHandler)](BOOL shouldAllow) mutable {
+        if (checker->completionHandlerHasBeenCalled())
+            return;
+        checker->didCallCompletionHandler();
+        completionHandler(shouldAllow);
+    }).get()];
+}
+
 static _WKProcessTerminationReason wkProcessTerminationReason(ProcessTerminationReason reason)
 {

trunk/Source/WebKit/UIProcess/Cocoa/WebProcessPoolCocoa.mm

@@ -385 +385 @@
     }
 
-    parameters.enableLegacyTLS = false;
-    if (id value = [defaults objectForKey:@"WebKitEnableLegacyTLS"])
-        parameters.enableLegacyTLS = [value boolValue];
-    if (!parameters.enableLegacyTLS) {
-#if PLATFORM(IOS_FAMILY) && !PLATFORM(MACCATALYST)
-        parameters.enableLegacyTLS = [[PAL::getMCProfileConnectionClass() sharedConnection] effectiveBoolValueForSetting:@"allowDeprecatedWebKitTLS"] == MCRestrictedBoolExplicitYes;
-#elif PLATFORM(MAC)
-        parameters.enableLegacyTLS = CFPreferencesGetAppBooleanValue(CFSTR("allowDeprecatedWebKitTLS"), CFSTR("com.apple.applicationaccess"), nullptr);
-#endif
-    }
-    parameters.defaultDataStoreParameters.networkSessionParameters.enableLegacyTLS = parameters.enableLegacyTLS;
-
     parameters.networkATSContext = adoptCF(_CFNetworkCopyATSContext());
 

trunk/Source/WebKit/UIProcess/Network/NetworkProcessProxy.cpp

@@ -29 +29 @@
 #include "APIContentRuleList.h"
 #include "AuthenticationChallengeProxy.h"
+#include "AuthenticationManager.h"
 #include "DownloadProxyMap.h"
 #include "DownloadProxyMessages.h"
@@ -327 +328 @@
 }
 
-void NetworkProcessProxy::didReceiveAuthenticationChallenge(PAL::SessionID sessionID, WebPageProxyIdentifier pageID, const Optional<SecurityOriginData>& topOrigin, WebCore::AuthenticationChallenge&& coreChallenge, uint64_t challengeID)
+void NetworkProcessProxy::didReceiveAuthenticationChallenge(PAL::SessionID sessionID, WebPageProxyIdentifier pageID, const Optional<SecurityOriginData>& topOrigin, WebCore::AuthenticationChallenge&& coreChallenge, bool negotiatedLegacyTLS, uint64_t challengeID)
 {
 #if HAVE(SEC_KEY_PROXY)
@@ -348 +349 @@
 
     if (page) {
-        page->didReceiveAuthenticationChallengeProxy(WTFMove(authenticationChallenge));
+        page->didReceiveAuthenticationChallengeProxy(WTFMove(authenticationChallenge), negotiatedLegacyTLS ? NegotiatedLegacyTLS::Yes : NegotiatedLegacyTLS::No);
         return;
     }
@@ -357 +358 @@
     }
 
-    WebPageProxy::forMostVisibleWebPageIfAny(sessionID, *topOrigin, [this, weakThis = makeWeakPtr(this), sessionID, authenticationChallenge = WTFMove(authenticationChallenge)](auto* page) mutable {
+    WebPageProxy::forMostVisibleWebPageIfAny(sessionID, *topOrigin, [this, weakThis = makeWeakPtr(this), sessionID, authenticationChallenge = WTFMove(authenticationChallenge), negotiatedLegacyTLS](auto* page) mutable {
         if (!weakThis)
             return;
 
         if (page) {
-            page->didReceiveAuthenticationChallengeProxy(WTFMove(authenticationChallenge));
+            page->didReceiveAuthenticationChallengeProxy(WTFMove(authenticationChallenge), negotiatedLegacyTLS ? NegotiatedLegacyTLS::Yes : NegotiatedLegacyTLS::No);
             return;
         }

trunk/Source/WebKit/UIProcess/Network/NetworkProcessProxy.h

@@ -236 +236 @@
     // Message handlers
     void didReceiveNetworkProcessProxyMessage(IPC::Connection&, IPC::Decoder&);
-    void didReceiveAuthenticationChallenge(PAL::SessionID, WebPageProxyIdentifier, const Optional<WebCore::SecurityOriginData>&, WebCore::AuthenticationChallenge&&, uint64_t challengeID);
+    void didReceiveAuthenticationChallenge(PAL::SessionID, WebPageProxyIdentifier, const Optional<WebCore::SecurityOriginData>&, WebCore::AuthenticationChallenge&&, bool, uint64_t challengeID);
     void didFetchWebsiteData(uint64_t callbackID, const WebsiteData&);
     void didDeleteWebsiteData(uint64_t callbackID);

trunk/Source/WebKit/UIProcess/Network/NetworkProcessProxy.messages.in

@@ -22 +22 @@
 
 messages -> NetworkProcessProxy LegacyReceiver NotRefCounted {
-    DidReceiveAuthenticationChallenge(PAL::SessionID sessionID, WebKit::WebPageProxyIdentifier pageID, Optional<WebCore::SecurityOriginData> topOrigin, WebCore::AuthenticationChallenge challenge, uint64_t challengeID)
+    DidReceiveAuthenticationChallenge(PAL::SessionID sessionID, WebKit::WebPageProxyIdentifier pageID, Optional<WebCore::SecurityOriginData> topOrigin, WebCore::AuthenticationChallenge challenge, bool negotiatedLegacyTLS, uint64_t challengeID)
 
     DidFetchWebsiteData(uint64_t callbackID, struct WebKit::WebsiteData websiteData)

trunk/Source/WebKit/UIProcess/WebPageProxy.cpp

@@ -57 +57 @@
 #include "AuthenticationChallengeProxy.h"
 #include "AuthenticationDecisionListener.h"
+#include "AuthenticationManager.h"
 #include "AuthenticatorManager.h"
 #include "DataReference.h"
@@ -7707 +7708 @@
 #endif
 
-void WebPageProxy::didReceiveAuthenticationChallengeProxy(Ref<AuthenticationChallengeProxy>&& authenticationChallenge)
-{
+void WebPageProxy::didReceiveAuthenticationChallengeProxy(Ref<AuthenticationChallengeProxy>&& authenticationChallenge, NegotiatedLegacyTLS negotiatedLegacyTLS)
+{
+    if (negotiatedLegacyTLS == NegotiatedLegacyTLS::Yes) {
+        m_navigationClient->shouldAllowLegacyTLS(*this, authenticationChallenge.get(), [this, protectedThis = makeRef(*this), authenticationChallenge = authenticationChallenge.copyRef()] (bool shouldAllowLegacyTLS) {
+            if (shouldAllowLegacyTLS)
+                m_navigationClient->didReceiveAuthenticationChallenge(*this, authenticationChallenge.get());
+            else
+                authenticationChallenge->listener().completeChallenge(AuthenticationChallengeDisposition::Cancel);
+        });
+        return;
+    }
     m_navigationClient->didReceiveAuthenticationChallenge(*this, authenticationChallenge.get());
 }

trunk/Source/WebKit/UIProcess/WebPageProxy.h

@@ -338 +338 @@
 struct UserMessage;
 
+enum class NegotiatedLegacyTLS : bool;
 enum class ProcessSwapRequestedByClient;
 enum class UndoOrRedo : bool;
@@ -1334 +1335 @@
     WebCore::IntSize viewportSizeForCSSViewportUnits() const { return m_viewportSizeForCSSViewportUnits.valueOr(WebCore::IntSize()); }
 
-    void didReceiveAuthenticationChallengeProxy(Ref<AuthenticationChallengeProxy>&&);
+    void didReceiveAuthenticationChallengeProxy(Ref<AuthenticationChallengeProxy>&&, NegotiatedLegacyTLS);
 
     SpellDocumentTag spellDocumentTag();

trunk/Source/WebKit/UIProcess/WebsiteData/Cocoa/WebsiteDataStoreCocoa.mm

@@ -86 +86 @@
     bool enableResourceLoadStatisticsDebugMode = false;
     auto firstPartyWebsiteDataRemovalMode = WebCore::FirstPartyWebsiteDataRemovalMode::AllButCookies;
-    bool enableLegacyTLS = configuration().legacyTLSEnabled();
-    if (id value = [defaults objectForKey:@"WebKitEnableLegacyTLS"])
-        enableLegacyTLS = [value boolValue];
-    if (!enableLegacyTLS) {
-#if PLATFORM(IOS_FAMILY) && !PLATFORM(MACCATALYST)
-        enableLegacyTLS = [[PAL::getMCProfileConnectionClass() sharedConnection] effectiveBoolValueForSetting:@"allowDeprecatedWebKitTLS"] == MCRestrictedBoolExplicitYes;
-#elif PLATFORM(MAC)
-        enableLegacyTLS = CFPreferencesGetAppBooleanValue(CFSTR("allowDeprecatedWebKitTLS"), CFSTR("com.apple.applicationaccess"), nullptr);
-#endif
-    }
     WebCore::RegistrableDomain resourceLoadStatisticsManualPrevalentResource { };
 #if ENABLE(RESOURCE_LOAD_STATISTICS)
@@ -165 +155 @@
         WTFMove(httpProxy),
         WTFMove(httpsProxy),
-        enableLegacyTLS,
         WTFMove(resourceLoadStatisticsDirectory),
         WTFMove(resourceLoadStatisticsDirectoryHandle),

trunk/Source/WebKit/UIProcess/WebsiteData/WebsiteDataStoreConfiguration.h

@@ -185 +185 @@
     bool m_allLoadsBlockedByDeviceManagementRestrictionsForTesting { false };
     bool m_allowsCellularAccess { true };
-    bool m_legacyTLSEnabled { false };
+    bool m_legacyTLSEnabled { true };
     bool m_fastServerTrustEvaluationEnabled { false };
     bool m_serviceWorkerProcessTerminationDelayEnabled { true };

trunk/Source/WebKitLegacy/mac/ChangeLog

@@ +1 @@
+2020-01-30  Alex Christensen  <achristensen@webkit.org>
+
+        Add WKNavigationDelegate SPI to disable TLS 1.0 and 1.1
+        https://bugs.webkit.org/show_bug.cgi?id=206979
+
+        Reviewed by Brady Eidson.
+
+        * WebView/WebView.mm:
+        (-[WebView _commonInitializationWithFrameName:groupName:]):
+
 2020-01-29  Tim Horton  <timothy_horton@apple.com>
 

trunk/Source/WebKitLegacy/mac/WebView/WebView.mm

@@ -1422 +1422 @@
             WebCore::DeprecatedGlobalSettings::setShouldManageAudioSessionCategory(true);
 #endif
-
-        bool enableLegacyTLS = false;
-        if (id value = [[NSUserDefaults standardUserDefaults] objectForKey:@"WebKitEnableLegacyTLS"])
-            enableLegacyTLS = [value boolValue];
-        if (!enableLegacyTLS) {
-#if PLATFORM(IOS_FAMILY) && !PLATFORM(MACCATALYST)
-            enableLegacyTLS = [[PAL::getMCProfileConnectionClass() sharedConnection] effectiveBoolValueForSetting:@"allowDeprecatedWebKitTLS"] == MCRestrictedBoolExplicitYes;
-#elif PLATFORM(MAC)
-            enableLegacyTLS = CFPreferencesGetAppBooleanValue(CFSTR("allowDeprecatedWebKitTLS"), CFSTR("com.apple.applicationaccess"), nullptr);
-#endif
-        }
-        WebCore::SocketStreamHandleImpl::setLegacyTLSEnabled(enableLegacyTLS);
-
         didOneTimeInitialization = true;
     }

trunk/Tools/ChangeLog

@@ +1 @@
+2020-01-30  Alex Christensen  <achristensen@webkit.org>
+
+        Add WKNavigationDelegate SPI to disable TLS 1.0 and 1.1
+        https://bugs.webkit.org/show_bug.cgi?id=206979
+
+        Reviewed by Brady Eidson.
+
+        * MiniBrowser/mac/SettingsController.m:
+        * TestWebKitAPI/Tests/WebKitCocoa/TLSDeprecation.mm:
+        (-[TLSNavigationDelegate waitForDidFinishNavigation]):
+        (-[TLSNavigationDelegate waitForDidFailProvisionalNavigation]):
+        (-[TLSNavigationDelegate receivedShouldAllowLegacyTLS]):
+        (-[TLSNavigationDelegate webView:didReceiveAuthenticationChallenge:completionHandler:]):
+        (-[TLSNavigationDelegate webView:didFinishNavigation:]):
+        (-[TLSNavigationDelegate webView:didFailProvisionalNavigation:withError:]):
+        (-[TLSNavigationDelegate _webView:authenticationChallenge:shouldAllowLegacyTLS:]):
+        (TestWebKitAPI::TEST):
+
 2020-01-30  Jonathan Bedard  <jbedard@apple.com>
 

trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/TLSDeprecation.mm

@@ -44 +44 @@
 #endif
 
-@interface WebSocketDelegate : NSObject <WKUIDelegate, WebUIDelegate>
-- (NSString *)waitForMessage;
+@interface TLSNavigationDelegate : NSObject <WKNavigationDelegate>
+- (void)waitForDidFinishNavigation;
+- (void)waitForDidFailProvisionalNavigation;
+- (bool)receivedShouldAllowLegacyTLS;
+@property (nonatomic) bool shouldAllowLegacyTLS;
 @end
 
-@implementation WebSocketDelegate {
-    RetainPtr<NSString> _message;
-}
-
-- (NSString *)waitForMessage
-{
-    while (!_message)
+@implementation TLSNavigationDelegate {
+    bool _navigationFinished;
+    bool _navigationFailed;
+    bool _receivedShouldAllowLegacyTLS;
+}
+
+- (void)waitForDidFinishNavigation
+{
+    while (!_navigationFinished)
         TestWebKitAPI::Util::spinRunLoop();
-    return _message.autorelease();
-}
-
-- (void)webView:(WKWebView *)webView runJavaScriptAlertPanelWithMessage:(NSString *)message initiatedByFrame:(WKFrameInfo *)frame completionHandler:(void (^)(void))completionHandler
-{
-    _message = message;
-    completionHandler();
-}
-
-- (void)webView:(WebView *)sender runJavaScriptAlertPanelWithMessage:(NSString *)message initiatedByFrame:(WebFrame *)frame
-{
-    _message = message;
+}
+
+- (void)waitForDidFailProvisionalNavigation
+{
+    while (!_navigationFailed)
+        TestWebKitAPI::Util::spinRunLoop();
+}
+
+- (bool)receivedShouldAllowLegacyTLS
+{
+    return _receivedShouldAllowLegacyTLS;
+}
+
+- (void)webView:(WKWebView *)webView didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential * credential))completionHandler
+{
+    EXPECT_WK_STREQ(challenge.protectionSpace.authenticationMethod, NSURLAuthenticationMethodServerTrust);
+    completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
+}
+
+- (void)webView:(WKWebView *)webView didFinishNavigation:(WKNavigation *)navigation
+{
+    _navigationFinished = true;
+}
+
+- (void)webView:(WKWebView *)webView didFailProvisionalNavigation:(WKNavigation *)navigation withError:(NSError *)error
+{
+    _navigationFailed = true;
+}
+
+- (void)_webView:(WKWebView *)webView authenticationChallenge:(NSURLAuthenticationChallenge *)challenge shouldAllowLegacyTLS:(void (^)(BOOL))completionHandler
+{
+    _receivedShouldAllowLegacyTLS = true;
+    completionHandler([self shouldAllowLegacyTLS]);
 }
 
 @end
+
 
 namespace TestWebKitAPI {
@@ -77 +104 @@
 static NSString *defaultsKey = @"WebKitEnableLegacyTLS";
 
-TEST(WebKit, TLSVersionWebSocket)
-{
-    auto getWebSocketEvent = [] (bool clientAllowDeprecatedTLS, bool serverLimitTLS) {
-        Optional<uint16_t> maxServerTLSVersion;
-        if (serverLimitTLS)
-            maxServerTLSVersion = tls1_1;
-        TCPServer server(TCPServer::Protocol::HTTPS, [=](SSL *ssl) {
-            EXPECT_TRUE(!ssl == (clientAllowDeprecatedTLS != serverLimitTLS));
-        }, maxServerTLSVersion);
-
-        if (clientAllowDeprecatedTLS)
-            [[NSUserDefaults standardUserDefaults] setBool:YES forKey:defaultsKey];
-        
-        auto webView = adoptNS([TestWKWebView new]);
-        auto delegate = adoptNS([WebSocketDelegate new]);
-        [webView setUIDelegate:delegate.get()];
-        [webView synchronouslyLoadHTMLString:@"start network process"];
-        [[webView configuration].processPool _allowAnyTLSCertificateForWebSocketTesting];
-        [webView synchronouslyLoadHTMLString:[NSString stringWithFormat:
-            @"<script>"
-            "const socket = new WebSocket('wss://localhost:%d');"
-            "socket.onclose = function(event){ alert('close'); };"
-            "socket.onerror = function(event){ alert('error: ' + event.data); };"
-            "</script>", server.port()]];
-        NSString *message = [delegate waitForMessage];
-        
-        if (clientAllowDeprecatedTLS)
-            [[NSUserDefaults standardUserDefaults] removeObjectForKey:defaultsKey];
-
-        return message;
-    };
-
-    EXPECT_WK_STREQ(getWebSocketEvent(true, true), "close");
-    NSString *message = getWebSocketEvent(false, true);
-    EXPECT_TRUE([message isEqualToString:@"error: undefined"] || [message isEqualToString:@"close"]);
-    EXPECT_WK_STREQ(getWebSocketEvent(false, false), "close");
-}
-
-NSString *getWebSocketEventWebKitLegacy(bool clientAllowDeprecatedTLS, bool serverLimitTLS)
-{
-#if PLATFORM(IOS_FAMILY)
-    WebKitInitialize();
-    WebThreadLock();
-#endif
-    Optional<uint16_t> maxServerTLSVersion;
-    if (serverLimitTLS)
-        maxServerTLSVersion = tls1_1;
-    TCPServer server(TCPServer::Protocol::HTTPS, [=](SSL *ssl) {
-        EXPECT_TRUE(!ssl == (clientAllowDeprecatedTLS != serverLimitTLS));
-    }, maxServerTLSVersion);
-
-    if (clientAllowDeprecatedTLS)
-        [[NSUserDefaults standardUserDefaults] setBool:YES forKey:defaultsKey];
-    
-    auto webView = adoptNS([WebView new]);
-    auto delegate = adoptNS([WebSocketDelegate new]);
-    [webView setUIDelegate:delegate.get()];
-    WebCoreTestSupport::setAllowsAnySSLCertificate(true);
-    [[webView mainFrame] loadHTMLString:[NSString stringWithFormat:
-        @"<script>"
-        "const socket = new WebSocket('wss://localhost:%d');"
-        "socket.onclose = function(event){ alert('close'); };"
-        "socket.onerror = function(event){ alert('error: ' + event.data); };"
-        "</script>", server.port()] baseURL:nil];
-    NSString *message = [delegate waitForMessage];
-
-    if (clientAllowDeprecatedTLS)
-        [[NSUserDefaults standardUserDefaults] removeObjectForKey:defaultsKey];
-
-    return message;
-}
-
-TEST(WebKit, TLSVersionWebSocketWebKitLegacy1)
-{
-    EXPECT_WK_STREQ(getWebSocketEventWebKitLegacy(true, true), "close");
-}
-
-TEST(WebKit, TLSVersionWebSocketWebKitLegacy2)
-{
-#if PLATFORM(IOS_FAMILY)
-    const char* expected = "error: undefined";
-#else
-    const char* expected = "close";
-#endif
-    EXPECT_WK_STREQ(getWebSocketEventWebKitLegacy(false, true), expected);
-}
-
-TEST(WebKit, TLSVersionWebSocketWebKitLegacy3)
-{
-    EXPECT_WK_STREQ(getWebSocketEventWebKitLegacy(false, false), "close");
-}
-
-TEST(WebKit, TLSVersionNetworkSession)
+TEST(TLSVersion, DefaultBehavior)
+{
+    TCPServer server(TCPServer::Protocol::HTTPS, TCPServer::respondWithOK, tls1_1);
+    auto delegate = adoptNS([TestNavigationDelegate new]);
+    auto webView = adoptNS([WKWebView new]);
+    [webView setNavigationDelegate:delegate.get()];
+    [delegate setDidReceiveAuthenticationChallenge:^(WKWebView *, NSURLAuthenticationChallenge *challenge, void (^callback)(NSURLSessionAuthChallengeDisposition, NSURLCredential *)) {
+        EXPECT_WK_STREQ(challenge.protectionSpace.authenticationMethod, NSURLAuthenticationMethodServerTrust);
+        callback(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
+    }];
+    [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:[NSString stringWithFormat:@"https://127.0.0.1:%d/", server.port()]]]];
+    [delegate waitForDidFinishNavigation];
+}
+
+// FIXME: This test should remain disabled until rdar://problem/56522601 is fixed.
+TEST(TLSVersion, DISABLED_NetworkSession)
 {
     static auto delegate = adoptNS([TestNavigationDelegate new]);
@@ -178 +128 @@
         [webView setNavigationDelegate:delegate.get()];
         [delegate setDidReceiveAuthenticationChallenge:^(WKWebView *, NSURLAuthenticationChallenge *challenge, void (^callback)(NSURLSessionAuthChallengeDisposition, NSURLCredential *)) {
+            EXPECT_WK_STREQ(challenge.protectionSpace.authenticationMethod, NSURLAuthenticationMethodServerTrust);
             callback(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]);
         }];
@@ -183 +134 @@
     };
     {
-        TCPServer server(TCPServer::Protocol::HTTPS, [](SSL *ssl) {
-            EXPECT_FALSE(ssl);
-        }, tls1_1);
+        TCPServer server(TCPServer::Protocol::HTTPS, TCPServer::respondWithOK, tls1_1);
         auto webView = makeWebViewWith([WKWebsiteDataStore defaultDataStore]);
         [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:[NSString stringWithFormat:@"https://127.0.0.1:%d/", server.port()]]]];
-        [delegate waitForDidFailProvisionalNavigation];
-    }
-    {
-        TCPServer server(TCPServer::Protocol::HTTPS, [](SSL *ssl) {
-            EXPECT_FALSE(ssl);
-        }, tls1_1);
+        [delegate waitForDidFinishNavigation];
+    }
+    {
+        TCPServer server(TCPServer::Protocol::HTTPS, TCPServer::respondWithOK, tls1_1);
         auto webView = makeWebViewWith([WKWebsiteDataStore nonPersistentDataStore]);
         [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:[NSString stringWithFormat:@"https://127.0.0.1:%d/", server.port()]]]];
-        [delegate waitForDidFailProvisionalNavigation];
-    }
-    {
-        TCPServer server(TCPServer::Protocol::HTTPS, TCPServer::respondWithOK, tls1_1);
+        [delegate waitForDidFinishNavigation];
+    }
+    {
+        TCPServer server(TCPServer::Protocol::HTTPS, [](SSL *ssl) {
+            EXPECT_FALSE(ssl);
+        }, tls1_1);
         auto configuration = adoptNS([[_WKWebsiteDataStoreConfiguration alloc] initNonPersistentConfiguration]);
-        [configuration setLegacyTLSEnabled:YES];
+        [configuration setLegacyTLSEnabled:NO];
         auto dataStore = adoptNS([[WKWebsiteDataStore alloc] _initWithConfiguration:configuration.get()]);
         auto webView = makeWebViewWith(dataStore.get());
         [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:[NSString stringWithFormat:@"https://127.0.0.1:%d/", server.port()]]]];
+        [delegate waitForDidFailProvisionalNavigation];
+    }
+    [[NSUserDefaults standardUserDefaults] setBool:NO forKey:defaultsKey];
+    {
+        TCPServer server(TCPServer::Protocol::HTTPS, [](SSL *ssl) {
+            EXPECT_FALSE(ssl);
+        }, tls1_1);
+        auto webView = makeWebViewWith([WKWebsiteDataStore defaultDataStore]);
+        [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:[NSString stringWithFormat:@"https://127.0.0.1:%d/", server.port()]]]];
+        [delegate waitForDidFailProvisionalNavigation];
+    }
+    {
+        TCPServer server(TCPServer::Protocol::HTTPS, [](SSL *ssl) {
+            EXPECT_FALSE(ssl);
+        }, tls1_1);
+        auto webView = makeWebViewWith([WKWebsiteDataStore nonPersistentDataStore]);
+        [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:[NSString stringWithFormat:@"https://127.0.0.1:%d/", server.port()]]]];
+        [delegate waitForDidFailProvisionalNavigation];
+    }
+    [[NSUserDefaults standardUserDefaults] removeObjectForKey:defaultsKey];
+}
+
+// FIXME: This test should remain disabled until rdar://problem/56522601 is fixed.
+TEST(TLSVersion, DISABLED_NavigationDelegateSPI)
+{
+    {
+        auto delegate = adoptNS([TLSNavigationDelegate new]);
+        TCPServer server(TCPServer::Protocol::HTTPS, [](SSL *ssl) {
+            // FIXME: This is only if we have the new SPI.
+            EXPECT_FALSE(ssl);
+        }, tls1_1);
+        auto webView = adoptNS([WKWebView new]);
+        [webView setNavigationDelegate:delegate.get()];
+        [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:[NSString stringWithFormat:@"https://127.0.0.1:%d/", server.port()]]]];
+        [delegate waitForDidFailProvisionalNavigation];
+        EXPECT_TRUE([delegate receivedShouldAllowLegacyTLS]);
+    }
+    {
+        auto delegate = adoptNS([TLSNavigationDelegate new]);
+        delegate.get().shouldAllowLegacyTLS = YES;
+        TCPServer server(TCPServer::Protocol::HTTPS, TCPServer::respondWithOK, tls1_1);
+        auto webView = adoptNS([WKWebView new]);
+        [webView setNavigationDelegate:delegate.get()];
+        [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:[NSString stringWithFormat:@"https://127.0.0.1:%d/", server.port()]]]];
         [delegate waitForDidFinishNavigation];
-    }
-    [[NSUserDefaults standardUserDefaults] setBool:YES forKey:defaultsKey];
-    {
-        TCPServer server(TCPServer::Protocol::HTTPS, [](SSL *ssl) {
-            TCPServer::respondWithOK(ssl);
-        }, tls1_1);
-        auto webView = makeWebViewWith([WKWebsiteDataStore defaultDataStore]);
-        [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:[NSString stringWithFormat:@"https://127.0.0.1:%d/", server.port()]]]];
-        [delegate waitForDidFinishNavigation];
-    }
-    {
-        TCPServer server(TCPServer::Protocol::HTTPS, [](SSL *ssl) {
-            TCPServer::respondWithOK(ssl);
-        }, tls1_1);
-        auto webView = makeWebViewWith([WKWebsiteDataStore nonPersistentDataStore]);
-        [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:[NSString stringWithFormat:@"https://127.0.0.1:%d/", server.port()]]]];
-        [delegate waitForDidFinishNavigation];
-    }
-    [[NSUserDefaults standardUserDefaults] removeObjectForKey:defaultsKey];
-}
+        EXPECT_TRUE([delegate receivedShouldAllowLegacyTLS]);
+    }
+}
+
+// FIXME: Add some tests for WKWebView.hasOnlySecureContent
 
 }