Trying to clear trusted self-signed URLCredentials from WKWebView

Hi,


One of the features of a browsing component am working on is to allow users to visit a potentially dangerous site (with a self-signed certificate for example) after being shown a warning explaining the dangers of said site and so on.


Have successfully allowed this by implementing the `WKNavigationDelegate` method:


```swift
func webView(_ webView: WKWebView, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void)
```

and returning a `URLCredential` using the `URLCredential(trust: someTrust)`, where `someTrust` is found in the challenge's protection space and the authentication method matches `NSURLAuthenticationMethodServerTrust`.


The problem I am having is that the browsing component is also supposed to be able to clear any currently trusted sites without losing the current back/forward list.


Short of blowing away the `WKWebView` instance and initializing a new one with a new `WKWebViewConfiguration`, I am unable to achieve this. Am trying to avoid blowing away the web view (if possible) as am currently required to keep the back/forward list, and as it is read-only, am unable to persist this if I **** the web view.


Have tried (on the web view instance configuration):


  • Removing the current values in the `websiteDataStore` for all `WKWebsiteDataType` options.
  • Re-creating the process pool and also checking and removing anything in the `URLCredentialStorage` and `URLCache`.
  • Ensuring any cached responses and cookies etc are cleared.


This causes any back/forward navigations to load from scratch, and also clears a lot of data - but if I revisit the untrusted site, the `didReceive: URLAuthenticationChallenge` method never fires and just goes straight to the site.

Have set the cache policy while debugging to always reload ignoring local and remote data.


Have also tried invoking the `reset` and `flush` methods on the active `URLSession`.


I think I have missed something from the docs RE: clearing stored credentials, or rather where/if they are stored relative to a `WKWebView` instance (what is shared what is not etc). Was under the impression that a `URLCredential` created using the `URLCredential(trust: someTrust)` uses the `.forSession` persistence enum, so assuming there must be some way to clear it.


Any help/input/pointing to specific docs would be greatly appreciated.

  • Hey there, have you ever found a solution to this problem? I am struggling with the same.
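
An added example, not part of the original post and not Apple's code: one way to write the delegate method described in the question so that each exception is tied to the exact host and leaf certificate the user accepted, and is held in an app-owned list that can be emptied. The class name, `acceptException(for:)`, `clearExceptions()` and `lastUnapproved` are hypothetical; as the post reports, emptying this list does not by itself make the web view issue a fresh challenge for a host it already accepted.

```swift
import WebKit
import CryptoKit

/// Hypothetical delegate (illustration only). Requires iOS 15 / macOS 12
/// for SecTrustCopyCertificateChain.
final class TrustExceptionDelegate: NSObject, WKNavigationDelegate {
    // App-owned entries of the form "host|sha256(leaf certificate DER)".
    private var acceptedExceptions = Set<String>()
    // Last server-trust challenge that had no matching exception, kept so the
    // warning screen can show it and pass it to acceptException(for:).
    private(set) var lastUnapproved: URLProtectionSpace?

    /// Call only after the user has confirmed the warning for this server.
    func acceptException(for space: URLProtectionSpace) {
        if let key = Self.exceptionKey(for: space) { acceptedExceptions.insert(key) }
    }

    /// Empties the app's own list; it does not touch any state held by WebKit.
    func clearExceptions() { acceptedExceptions.removeAll() }

    func webView(_ webView: WKWebView,
                 didReceive challenge: URLAuthenticationChallenge,
                 completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust,
              let key = Self.exceptionKey(for: space),
              acceptedExceptions.contains(key) else {
            // No exception on file: let the system validate the chain. A
            // self-signed certificate then fails the load, and the app can
            // show its warning before retrying.
            lastUnapproved = space
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // The user accepted this exact host + certificate pair earlier.
        completionHandler(.useCredential, URLCredential(trust: trust))
    }

    /// Binds the exception to the certificate, so a different certificate
    /// presented later for the same host is not silently trusted.
    private static func exceptionKey(for space: URLProtectionSpace) -> String? {
        guard let trust = space.serverTrust,
              let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else { return nil }
        let der = SecCertificateCopyData(leaf) as Data
        let digest = SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()
        return "\(space.host)|\(digest)"
    }
}
```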
