pmusolino
commented
3 years ago Thank you @percivalwcy for this great contribution! Can you explain how I can test it?
Closed percivalwcy closed 3 years ago
pmusolino
commented
3 years ago Thank you @percivalwcy for this great contribution! Can you explain how I can test it?
percivalwcy
commented
3 years ago @pmusolino to test it, it would be simply creating a project with URLSession, and implementing the URLSessionDataDelegate protocol. In particular, implementing the urlSession:didReceive:completion function. Perhaps just return a .cancelAuthenticationChallenge in the completionHandler? That would just reject every network call. Then importing the existing Wormholy version would load the URL since it's returning .useCredential. Then swap with this branch of Wormholy version - the URL should not load since it should respect the importing app's urlSession:didReceive:completion logic.
Modify the urlSession delegate for didReceive challenge to be more of an "observer", rather than returning a disposition of
.useCredentials. If there are existing SSL Pinning code, this change will honour it by passing along the completionHandler from the sender's challenge to any custom authentication challenge handling code implemented.The sender in the challenge does not implement some functions (potentially an Apple bug). Therefore, we need to create a custom sender that implements those functions. We then need to wrap it up in a new authentication challenge, and notify the client.
fixes #62