Attachment 368798 Details for Bug 196046 – Patch for landing

[patch] Patch for landing

bug-196046-20190502113633.patch (text/plain), 3.26 KB, created by Jiewen Tan on 2019-05-02 11:36:34 PDT

(hide)

Description:

Filename:

MIME Type:

Creator: Jiewen Tan

Created: 2019-05-02 11:36:34 PDT

Size: 3.26 KB

patch

obsolete

>Subversion Revision: 244866
>diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
>index 70a44407fce85f7b7262deef6a0ebb9d78514973..2e77cec434527c5884a93484e6466dfdff5b0f7b 100644
>--- a/Source/WebCore/ChangeLog
>+++ b/Source/WebCore/ChangeLog
>@@ -1,3 +1,20 @@
>+2019-05-01  Jiewen Tan  <jiewen_tan@apple.com>
>+
>+        [WebAuthN] Add a quirk for google.com when processing AppID extension
>+        https://bugs.webkit.org/show_bug.cgi?id=196046
>+        <rdar://problem/49088479>
>+
>+        Reviewed by Brent Fulgham.
>+
>+        Relaxing the same site restriction on AppID while in google.com and any
>+        of its subdomains to allow two www.gstatic.com AppIDs to slip in.
>+
>+        Covered by manual tests on Google.com.
>+
>+        * Modules/webauthn/AuthenticatorCoordinator.cpp:
>+        (WebCore::AuthenticatorCoordinatorInternal::needsAppIdQuirks):
>+        (WebCore::AuthenticatorCoordinatorInternal::processAppIdExtension):
>+
> 2019-05-01  Jiewen Tan  <jiewen_tan@apple.com>
> 
>         [WebAuthN] Adopt SecurityOrigin::isMatchingRegistrableDomainSuffix()
>diff --git a/Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp b/Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp
>index 9573927f304bbd092a74f87f7dfcb30bd26f325f..a4d20acdb7c970c1cb2e94ed7fdab4a6843c661a 100644
>--- a/Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp
>+++ b/Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp
>@@ -80,6 +80,17 @@ static Vector<uint8_t> produceClientDataJsonHash(const ArrayBuffer& clientDataJs
>     return crypto->computeHash();
> }
> 
>+static bool needsAppIdQuirks(const String& host, const String& appId)
>+{
>+    // FIXME(197524): Remove this quirk in 2023. As an early adopter of U2F features, Google has a large number of
>+    // existing device registrations that authenticate 'google.com' against 'gstatic.com'. Firefox and other browsers
>+    // have agreed to grant an exception to the AppId rules for a limited time period (5 years from January, 2018) to
>+    // allow existing Google users to seamlessly transition to proper WebAuthN behavior.
>+    if (equalLettersIgnoringASCIICase(host, "google.com") || host.endsWithIgnoringASCIICase(".google.com"))
>+        return (appId == "https://www.gstatic.com/securitykey/origins.json"_s) || (appId == "https://www.gstatic.com/securitykey/a/google.com/origins.json"_s);
>+    return false;
>+}
>+
> // The following roughly implements Step 1-3 of the spec to avoid the complexity of making unnecessary network requests:
> // https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html#determining-if-a-caller-s-facetid-is-authorized-for-an-appid
> // It follows what Chrome and Firefox do, see:
>@@ -96,7 +107,7 @@ static String processAppIdExtension(const SecurityOrigin& facetId, const String&
> 
>     // Step 3. Relax the comparison to same site.
>     URL appIdURL(URL(), appId);
>-    if (!appIdURL.isValid() || facetId.protocol() != appIdURL.protocol() || RegistrableDomain(appIdURL) != RegistrableDomain::uncheckedCreateFromHost(facetId.host()))
>+    if (!appIdURL.isValid() || facetId.protocol() != appIdURL.protocol() || (RegistrableDomain(appIdURL) != RegistrableDomain::uncheckedCreateFromHost(facetId.host()) && !needsAppIdQuirks(facetId.host(), appId)))
>         return String();
>     return appId;
> }

Actions: View | Formatted Diff | Diff

Attachments on bug 196046: 368761 | 368798