WebKit Bugzilla
Attachment 368761 Details for Bug 196046: [WebAuthN] Add a quirk for google.com when processing AppID extension
[patch] Patch
bug-196046-20190501215834.patch (text/plain), 2.83 KB, created by Jiewen Tan on 2019-05-01 21:58:36 PDT
>Subversion Revision: 244866 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index 70a44407fce85f7b7262deef6a0ebb9d78514973..7bfdfd201a081e0a5c01a57755689b790417e7c9 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog >@@ -1,3 +1,20 @@ >+2019-05-01 Jiewen Tan <jiewen_tan@apple.com> >+ >+ [WebAuthN] Add a quirk for google.com when processing AppID extension >+ https://bugs.webkit.org/show_bug.cgi?id=196046 >+ <rdar://problem/49088479> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Relaxing the same site restriction on AppID while in google.com and any >+ of its subdomains to allow two www.gstatic.com AppIDs to slip in. >+ >+ Covered by manual tests on Google.com. >+ >+ * Modules/webauthn/AuthenticatorCoordinator.cpp: >+ (WebCore::AuthenticatorCoordinatorInternal::needsAppIdQuirks): >+ (WebCore::AuthenticatorCoordinatorInternal::processAppIdExtension): >+ > 2019-05-01 Jiewen Tan <jiewen_tan@apple.com> > > [WebAuthN] Adopt SecurityOrigin::isMatchingRegistrableDomainSuffix() >diff --git a/Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp b/Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp >index 9573927f304bbd092a74f87f7dfcb30bd26f325f..3e9bf9fdab6287b083f6d8d716be5d1b283ff225 100644 >--- a/Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp >+++ b/Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp 
>@@ -80,6 +80,13 @@ static Vector<uint8_t> produceClientDataJsonHash(const ArrayBuffer& clientDataJs > return crypto->computeHash(); > } > >+static bool needsAppIdQuirks(const String& host, const String& appId) >+{ >+ if (equalLettersIgnoringASCIICase(host, "google.com") || host.endsWithIgnoringASCIICase(".google.com")) >+ return (appId == "https://www.gstatic.com/securitykey/origins.json"_s) || (appId == "https://www.gstatic.com/securitykey/a/google.com/origins.json"_s); >+ return false; >+} >+ > // The following roughly implements Step 1-3 of the spec to avoid the complexity of making unnecessary network requests: > // https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html#determining-if-a-caller-s-facetid-is-authorized-for-an-appid > // It follows what Chrome and Firefox do, see: >@@ -96,7 +103,7 @@ static String processAppIdExtension(const SecurityOrigin& facetId, const String& > > // Step 3. Relax the comparison to same site. > URL appIdURL(URL(), appId); >- if (!appIdURL.isValid() || facetId.protocol() != appIdURL.protocol() || RegistrableDomain(appIdURL) != RegistrableDomain::uncheckedCreateFromHost(facetId.host())) >+ if (!appIdURL.isValid() || facetId.protocol() != appIdURL.protocol() || (RegistrableDomain(appIdURL) != RegistrableDomain::uncheckedCreateFromHost(facetId.host()) && !needsAppIdQuirks(facetId.host(), appId))) > return String(); > return appId; > }
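Review bot: In the ChangeLog hunk, "Covered by manual tests on Google.com." is the only coverage listed, and the diff touches no test file, so nothing guards the negative case: a host outside google.com presenting one of the www.gstatic.com AppIDs must still be rejected. Consider adding an automated test for needsAppIdQuirks, or stating in the ChangeLog why one is not feasible. The entry would also be easier to audit if it named the two AppID URLs instead of saying they are allowed "to slip in".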
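Review bot: In the `@@ -80,6 +80,13 @@` hunk, needsAppIdQuirks has no comment explaining why these two www.gstatic.com URLs are exempt from the same-site check or when the quirk can be removed. Suggest a comment above the function that links https://bugs.webkit.org/show_bug.cgi?id=196046 and states that the AppID comparison is deliberately an exact string match and that the host test is anchored on ".google.com" (with the leading dot) so that only google.com and its subdomains qualify. That makes the security boundary explicit for whoever extends the list later.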
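Review bot: In the `@@ -96,7 +103,7 @@` hunk, the changed `if` now packs URL validity, the protocol check, the registrable-domain comparison and the quirk into one condition, and the "Step 3. Relax the comparison to same site." comment above it no longer describes everything the check allows. Suggest computing the same-site result into a named local (or giving the quirk its own branch) and extending the comment to say that the quirk bypasses only the registrable-domain comparison, while the `appIdURL.isValid()` and protocol checks still apply.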
Flags: bfulgham: review+, bfulgham: commit-queue-
Attachments on bug 196046: 368761 | 368798