fix(browser): gate certificate proceed on runtime capability; dedupe cert-error helpers#9070
Conversation
📝 WalkthroughWalkthroughAdds scoped local HTTPS certificate approval with in-memory challenge and grant tracking, certificate identity hashing, request isolation, navigation invalidation, and typed IPC/runtime approval paths. Browser failure metadata now flows through main process, preload, runtime synchronization, and renderer state. A shared overlay presents HTTPS recovery and certificate actions. URL classification is centralized, localization is expanded, and unit, integration, and end-to-end tests cover approval isolation and lifecycle behavior. 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches📝 Generate docstrings
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 4
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
src/main/runtime/orca-runtime.ts (1)
2929-2963: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick winAdvertise
browser.certificate-trust.v1for desktop browser hosts too.
BrowserManagerwires certificate-trust handling through both desktop webviews and offscreen guests, so gating this capability onhasOffscreenalone leaves renderer-backed hosts unable to surface the enabled proceed action.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: d0f8da1a-4362-4b5a-92c8-45fd75af826a
📒 Files selected for processing (55)
docs/reference/browser-local-https-certificate-trust.mdsrc/main/browser/agent-browser-bridge.test.tssrc/main/browser/agent-browser-bridge.tssrc/main/browser/browser-certificate-challenge.tssrc/main/browser/browser-certificate-identity.tssrc/main/browser/browser-certificate-request-guard.tssrc/main/browser/browser-certificate-trust-controller.test.tssrc/main/browser/browser-certificate-trust-controller.tssrc/main/browser/browser-manager-grab.test.tssrc/main/browser/browser-manager.test.tssrc/main/browser/browser-manager.tssrc/main/browser/browser-session-registry.persistence.test.tssrc/main/browser/browser-session-registry.test.tssrc/main/browser/browser-session-registry.tssrc/main/index.tssrc/main/ipc/browser.test.tssrc/main/ipc/browser.tssrc/main/runtime/orca-runtime-browser.tssrc/main/runtime/orca-runtime.test.tssrc/main/runtime/orca-runtime.tssrc/main/runtime/rpc/methods/browser-core.tssrc/main/runtime/rpc/methods/browser-schemas.tssrc/main/runtime/runtime-rpc.test.tssrc/preload/api-types.tssrc/preload/index.tssrc/renderer/src/components/browser-pane/BrowserPane.tsxsrc/renderer/src/components/browser-pane/browser-load-failure-overlay.test.tsxsrc/renderer/src/components/browser-pane/browser-load-failure-overlay.tsxsrc/renderer/src/components/browser-pane/browser-notices.test.tssrc/renderer/src/components/browser-pane/browser-notices.tssrc/renderer/src/components/tab-bar/tab-create-entry-classifier.test.tssrc/renderer/src/components/tab-bar/tab-create-entry-url-classification.tssrc/renderer/src/hooks/useIpcEvents.tssrc/renderer/src/i18n/locales/en.jsonsrc/renderer/src/i18n/locales/es.jsonsrc/renderer/src/i18n/locales/ja.jsonsrc/renderer/src/i18n/locales/ko.jsonsrc/renderer/src/i18n/locales/zh.jsonsrc/renderer/src/runtime/remote-server-parity.test.tssrc/renderer/src/runtime/sync-runtime-graph-browser.test.tssrc/renderer/src/runtime/sync-runtime-graph.tssrc/renderer/src/runtime/web-session-tabs-sync.test.tssrc/renderer/src/runtime/web-session-tabs-sync.tssrc/renderer/src/store/slices/browser.test.tssrc/renderer/src/store/slices/browser.tssrc/renderer/src/web/web-preload-api.tssrc/shared/browser-certificate-errors.tssrc/shared/browser-url.test.tssrc/shared/browser-url.tssrc/shared/protocol-version.tssrc/shared/runtime-types.tssrc/shared/types.tstests/e2e/browser-local-https-certificate-trust.spec.tstests/e2e/helpers/local-https-test-certificate.tstests/e2e/helpers/local-https-test-server.ts
|
Superseded by #9104 — takes this design/implementation (credit @AmethystLiang), rebases onto current main, resolves conflicts, and applies adversarial hardening from review. Thanks for the solid design doc + full stack work. |
Only offer 'Proceed Anyway (Unsafe)' if the connected remote runtime advertises browser.certificate-trust.v1 support. Older runtimes cannot honor the request and would fail silently, creating a false affordance. Centralize certificate error normalization to prevent divergence between main and renderer certificate matching, and unify URL redaction for Kagi session token stripping across load-error paths.
4865ad5 to
e21a05a
Compare
Summary
Follow-up to the certificate-trust feature (issue #8454). Hardens the "Proceed Anyway (Unsafe)" affordance and dedupes the certificate-error helpers.
browser.certificate-trust.v1cannot honor a proceed request, soRemoteBrowserPagePanenow hides the proceed affordance until the connected runtime positively advertises the capability (probed viaruntimeEnvironmentSupportsCapability). The error page still renders — only the unactionable "Proceed Anyway" button is suppressed. Desktop/built browsers advertise the capability whenever they can host a page, so the local HTTPS-dev-server case keeps its proceed button.normalizeCertificateErrorintosrc/shared/browser-certificate-errors.tsso the main-process certificate-error handler and the renderer overlay can never silently diverge on challenge matching (browser-certificate-identity.tsre-exports it for existing importers).did-fail-loadpath and the synthesized certificate failure now build load errors through oneBrowserManager.buildLoadError, so Kagi session-token redaction can't be forgotten by a future call site.false, so a throw during challenge recording no longer presents as "the cert prompt never appears" with no trace.Screenshots
No visual change in the supported case. In the unsupported-runtime case the "Proceed Anyway (Unsafe)" button no longer appears on the load-failure overlay.
Testing
pnpm lint(oxlint on changed dirs — no new findings)pnpm typecheck(web + node projects — clean)pnpm test(browser-certificate-trust-controller.test.ts,runtime-rpc-client.test.ts— 34 passed)pnpm buildAI Review Report
Reviewed correctness of the capability gate, the helper extraction, and the logging change.
certificateFailure={null}suppresses only the proceed button — the overlay body is driven byloadError, so the error page still renders.browser.certificate-trust.v1is a conditional capability (advertised whenevercanBrowse), matchingbrowser.headless.v1, so desktop/built browsers keep proceed while pre-feature remote runtimes hide it.useEffectprobe has complete deps and acancelledguard against out-of-order resolution.normalizeCertificateErrorimporters still resolve after the move.Security Audit
.catch→ unsupported), so a probe error hides proceed rather than exposing an unactionable bypass.status.getcapability probe.Notes
The proceed affordance for the local webview pane (
BrowserPagePane) is intentionally left ungated — the local runtime always owns its browser pages and advertises the capability.