Bug 248847

Summary:	[WebAuthn] googleLegacyAppidSupport extension is obsolete and can be removed
Product:	WebKit	Reporter:	Martin Kreichgauer <martinkr>
Component:	WebKit Misc.	Assignee:	pascoe <pascoe>
Status:	RESOLVED DUPLICATE
Severity:	Normal	CC:	pascoe, webkit-bug-importer
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	Unspecified
OS:	Unspecified

Description Martin Kreichgauer 2022-12-06 17:04:46 PST

In https://bugs.webkit.org/show_bug.cgi?id=202427, WebKit added support for the non-standard googleLegacyAppidSupport WebAuthn request extension. If set by a google.com origin, this extension causes the WebAuthn API create() call to create a U2F API style credential bound to the hard-coded App ID `https://www.gstatic.com/securitykey/origins.json`, rather than a credential bound to a WebAuthn RP ID. Google.com stopped relying on this behavior several months ago. This means the googleLegacyAppidSupport extension is now obsolete and can be removed. (Here is Chromium’s change removing this extension: https://chromium-review.googlesource.com/c/chromium/src/+/3958174.)

Note that google.com continues to rely on the ability to _assert_ legacy U2F/CTAP1 credentials bound to the `https://www.gstatic.com/securitykey/origins.json` U2F App ID for the foreseeable future.

Comment 1 pascoe@apple.com 2022-12-06 19:32:18 PST

Thanks Martin.

Comment 2 Radar WebKit Bug Importer 2022-12-08 12:32:28 PST

<rdar://problem/103141593>

Comment 3 pascoe@apple.com 2024-04-03 08:57:00 PDT


*** This bug has been marked as a duplicate of bug 254848 ***