From 235fec4316180950dd10bba2cdba6e32552c28fd Mon Sep 17 00:00:00 2001 From: Max Hilbrunner Date: Wed, 11 Aug 2021 15:49:58 +0200 Subject: [PATCH] Docs: Add warnings about no SSL/(D)TLS revocation (cherry picked from commit 4eb427afb8ef22631ccf261362c1bb49776b987b) --- doc/classes/HTTPClient.xml | 1 + doc/classes/HTTPRequest.xml | 3 +-- doc/classes/PacketPeerDTLS.xml | 1 + 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/doc/classes/HTTPClient.xml b/doc/classes/HTTPClient.xml index acddb9d6aec..2bde751273b 100644 --- a/doc/classes/HTTPClient.xml +++ b/doc/classes/HTTPClient.xml @@ -10,6 +10,7 @@ For more information on HTTP, see https://developer.mozilla.org/en-US/docs/Web/HTTP (or read RFC 2616 to get it straight from the source: https://tools.ietf.org/html/rfc2616). [b]Note:[/b] When performing HTTP requests from a project exported to HTML5, keep in mind the remote server may not allow requests from foreign origins due to [url=https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS]CORS[/url]. If you host the server in question, you should modify its backend to allow requests from foreign origins by adding the [code]Access-Control-Allow-Origin: *[/code] HTTP header. [b]Note:[/b] SSL/TLS support is currently limited to TLS 1.0, TLS 1.1, and TLS 1.2. Attempting to connect to a TLS 1.3-only server will return an error. + [b]Warning:[/b] SSL/TLS certificate revocation and certificate pinning are currently not supported. Revoked certificates are accepted as long as they are otherwise valid. If this is a concern, you may want to use automatically managed certificates with a short validity period. https://docs.godotengine.org/en/3.3/tutorials/networking/http_client_class.html diff --git a/doc/classes/HTTPRequest.xml b/doc/classes/HTTPRequest.xml index e322d623532..04f410ac969 100644 --- a/doc/classes/HTTPRequest.xml +++ b/doc/classes/HTTPRequest.xml @@ -6,6 +6,7 @@ A node with the ability to send HTTP requests. Uses [HTTPClient] internally. Can be used to make HTTP requests, i.e. download or upload files or web content via HTTP. + [b]Warning:[/b] See the notes and warnings on [HTTPClient] for limitations, especially regarding SSL security. [b]Example of contacting a REST API and printing one of its returned fields:[/b] [codeblock] func _ready(): @@ -68,8 +69,6 @@ HttpRequest will automatically handle decompression of response bodies. A "Accept-Encoding" header will be automatically added to each of your requests, unless one is already specified. Any response with a "Content-Encoding: gzip" header will automatically be decompressed and delivered to you as a uncompressed bytes. - [b]Note:[/b] When performing HTTP requests from a project exported to HTML5, keep in mind the remote server may not allow requests from foreign origins due to [url=https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS]CORS[/url]. If you host the server in question, you should modify its backend to allow requests from foreign origins by adding the [code]Access-Control-Allow-Origin: *[/code] HTTP header. - [b]Note:[/b] SSL/TLS support is currently limited to TLS 1.0, TLS 1.1, and TLS 1.2. Attempting to connect to a TLS 1.3-only server will return an error. https://docs.godotengine.org/en/3.3/tutorials/networking/http_request_class.html diff --git a/doc/classes/PacketPeerDTLS.xml b/doc/classes/PacketPeerDTLS.xml index ffd55941807..c7c5087a7c2 100644 --- a/doc/classes/PacketPeerDTLS.xml +++ b/doc/classes/PacketPeerDTLS.xml @@ -5,6 +5,7 @@ This class represents a DTLS peer connection. It can be used to connect to a DTLS server, and is returned by [method DTLSServer.take_connection]. + [b]Warning:[/b] SSL/TLS certificate revocation and certificate pinning are currently not supported. Revoked certificates are accepted as long as they are otherwise valid. If this is a concern, you may want to use automatically managed certificates with a short validity period.