Bug 248847 - [WebAuthn] googleLegacyAppidSupport extension is obsolete and can be removed
Summary: [WebAuthn] googleLegacyAppidSupport extension is obsolete and can be removed
Status: RESOLVED DUPLICATE of bug 254848
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc. (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: pascoe@apple.com
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2022-12-06 17:04 PST by Martin Kreichgauer
Modified: 2024-04-03 08:57 PDT (History)
2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Martin Kreichgauer 2022-12-06 17:04:46 PST 
In https://bugs.webkit.org/show_bug.cgi?id=202427, WebKit added support for the non-standard googleLegacyAppidSupport WebAuthn request extension. If set by a google.com origin, this extension causes the WebAuthn API create() call to create a U2F API style credential bound to the hard-coded App ID `https://www.gstatic.com/securitykey/origins.json`, rather than a credential bound to a WebAuthn RP ID. Google.com stopped relying on this behavior several months ago. This means the googleLegacyAppidSupport extension is now obsolete and can be removed. (Here is Chromium’s change removing this extension: https://chromium-review.googlesource.com/c/chromium/src/+/3958174.)

Note that google.com continues to rely on the ability to _assert_ legacy U2F/CTAP1 credentials bound to the `https://www.gstatic.com/securitykey/origins.json` U2F App ID for the foreseeable future.
Comment 1 pascoe@apple.com 2022-12-06 19:32:18 PST 
Thanks Martin.
Comment 2 Radar WebKit Bug Importer 2022-12-08 12:32:28 PST 
<rdar://problem/103141593>
Comment 3 pascoe@apple.com 2024-04-03 08:57:00 PDT 

*** This bug has been marked as a duplicate of bug 254848 ***