Changeset 249949 in webkit

Timestamp:

Sep 17, 2019 1:17:17 AM (5 years ago)

Author:

jiewen_tan@apple.com

Message:

[WebAuthn] Use WebPreferences instead of RuntimeEnabledFeatures in UIProcess
​https://bugs.webkit.org/show_bug.cgi?id=198176
<rdar://problem/55285709>

Reviewed by Youenn Fablet.

Source/WebCore:

No changes of behavior.

• Modules/webauthn/PublicKeyCredential.cpp:

(WebCore::PublicKeyCredential::isUserVerifyingPlatformAuthenticatorAvailable):
Resolves the promise with false immediately when the feature flag is false.

Source/WebKit:

This patch does the following two things:
1) It merges WebAuthenticationRequestData::creationOptions and requestOptions into a variant, and therefore
merges code paths that involve WebAuthenticationRequestData.
2) It teaches WebAuthenticationRequestData to store a WebPreferences such that AuthenticatorManager could utilize
runtime feature flags to turn features on or off.

• UIProcess/WebAuthentication/Authenticator.cpp:

(WebKit::Authenticator::handleRequest):

• UIProcess/WebAuthentication/AuthenticatorManager.cpp:

(WebKit::AuthenticatorManager::handleRequest):
(WebKit::AuthenticatorManager::clearState):
(WebKit::AuthenticatorManager::authenticatorAdded):
(WebKit::AuthenticatorManager::startDiscovery):
(WebKit::AuthenticatorManager::makeCredential): Deleted.
(WebKit::AuthenticatorManager::getAssertion): Deleted.

• UIProcess/WebAuthentication/AuthenticatorManager.h:
• UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm:

(WebKit::LocalAuthenticator::makeCredential):
(WebKit::LocalAuthenticator::continueMakeCredentialAfterUserConsented):
(WebKit::LocalAuthenticator::continueMakeCredentialAfterAttested):
(WebKit::LocalAuthenticator::getAssertion):
(WebKit::LocalAuthenticator::continueGetAssertionAfterUserConsented):

• UIProcess/WebAuthentication/Cocoa/LocalService.mm:

(WebKit::LocalService::isAvailable):
Don't check RuntimeEnabledFeatures given it is for WebCore.

• UIProcess/WebAuthentication/WebAuthenticationRequestData.h:

(): Deleted.

• UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.cpp:

(WebKit::WebAuthenticatorCoordinatorProxy::makeCredential):
(WebKit::WebAuthenticatorCoordinatorProxy::getAssertion):
(WebKit::WebAuthenticatorCoordinatorProxy::handleRequest):

• UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.h:
• UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp:

(WebKit::CtapAuthenticator::makeCredential):
(WebKit::CtapAuthenticator::continueMakeCredentialAfterResponseReceived const):
(WebKit::CtapAuthenticator::getAssertion):

• UIProcess/WebAuthentication/fido/U2fAuthenticator.cpp:

(WebKit::U2fAuthenticator::makeCredential):
(WebKit::U2fAuthenticator::checkExcludeList):
(WebKit::U2fAuthenticator::issueRegisterCommand):
(WebKit::U2fAuthenticator::getAssertion):
(WebKit::U2fAuthenticator::issueSignCommand):
(WebKit::U2fAuthenticator::continueRegisterCommandAfterResponseReceived):
(WebKit::U2fAuthenticator::continueSignCommandAfterResponseReceived):

Location:

trunk/Source

Files:

• WebCore/ChangeLog (modified) (1 diff)
• WebCore/Modules/webauthn/PublicKeyCredential.cpp (modified) (2 diffs)
• WebKit/ChangeLog (modified) (1 diff)
• WebKit/UIProcess/WebAuthentication/Authenticator.cpp (modified) (1 diff)
• WebKit/UIProcess/WebAuthentication/AuthenticatorManager.cpp (modified) (4 diffs)
• WebKit/UIProcess/WebAuthentication/AuthenticatorManager.h (modified) (1 diff)
• WebKit/UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm (modified) (19 diffs)
• WebKit/UIProcess/WebAuthentication/Cocoa/LocalService.mm (modified) (1 diff)
• WebKit/UIProcess/WebAuthentication/WebAuthenticationRequestData.h (modified) (2 diffs)
• WebKit/UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.cpp (modified) (2 diffs)
• WebKit/UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.h (modified) (2 diffs)
• WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp (modified) (3 diffs)
• WebKit/UIProcess/WebAuthentication/fido/U2fAuthenticator.cpp (modified) (8 diffs)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2019-09-17  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthn] Use WebPreferences instead of RuntimeEnabledFeatures in UIProcess
+        https://bugs.webkit.org/show_bug.cgi?id=198176
+        <rdar://problem/55285709>
+
+        Reviewed by Youenn Fablet.
+
+        No changes of behavior.
+
+        * Modules/webauthn/PublicKeyCredential.cpp:
+        (WebCore::PublicKeyCredential::isUserVerifyingPlatformAuthenticatorAvailable):
+        Resolves the promise with false immediately when the feature flag is false.
+
 2019-09-17  Rob Buis  <rbuis@igalia.com>
 

trunk/Source/WebCore/Modules/webauthn/PublicKeyCredential.cpp

@@ -37 +37 @@
 #include "Page.h"
 #include "PublicKeyCredentialData.h"
+#include "RuntimeEnabledFeatures.h"
 #include <wtf/text/Base64.h>
 
@@ -74 +75 @@
 void PublicKeyCredential::isUserVerifyingPlatformAuthenticatorAvailable(Document& document, DOMPromiseDeferred<IDLBoolean>&& promise)
 {
+    if (!RuntimeEnabledFeatures::sharedFeatures().webAuthenticationLocalAuthenticatorEnabled()) {
+        promise.resolve(false);
+        return;
+    }
     document.page()->authenticatorCoordinator().isUserVerifyingPlatformAuthenticatorAvailable(WTFMove(promise));
 }

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2019-09-17  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthn] Use WebPreferences instead of RuntimeEnabledFeatures in UIProcess
+        https://bugs.webkit.org/show_bug.cgi?id=198176
+        <rdar://problem/55285709>
+
+        Reviewed by Youenn Fablet.
+
+        This patch does the following two things:
+        1) It merges WebAuthenticationRequestData::creationOptions and requestOptions into a variant, and therefore
+        merges code paths that involve WebAuthenticationRequestData.
+        2) It teaches WebAuthenticationRequestData to store a WebPreferences such that AuthenticatorManager could utilize
+        runtime feature flags to turn features on or off.
+
+        * UIProcess/WebAuthentication/Authenticator.cpp:
+        (WebKit::Authenticator::handleRequest):
+        * UIProcess/WebAuthentication/AuthenticatorManager.cpp:
+        (WebKit::AuthenticatorManager::handleRequest):
+        (WebKit::AuthenticatorManager::clearState):
+        (WebKit::AuthenticatorManager::authenticatorAdded):
+        (WebKit::AuthenticatorManager::startDiscovery):
+        (WebKit::AuthenticatorManager::makeCredential): Deleted.
+        (WebKit::AuthenticatorManager::getAssertion): Deleted.
+        * UIProcess/WebAuthentication/AuthenticatorManager.h:
+        * UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm:
+        (WebKit::LocalAuthenticator::makeCredential):
+        (WebKit::LocalAuthenticator::continueMakeCredentialAfterUserConsented):
+        (WebKit::LocalAuthenticator::continueMakeCredentialAfterAttested):
+        (WebKit::LocalAuthenticator::getAssertion):
+        (WebKit::LocalAuthenticator::continueGetAssertionAfterUserConsented):
+        * UIProcess/WebAuthentication/Cocoa/LocalService.mm:
+        (WebKit::LocalService::isAvailable):
+        Don't check RuntimeEnabledFeatures given it is for WebCore.
+        * UIProcess/WebAuthentication/WebAuthenticationRequestData.h:
+        (): Deleted.
+        * UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.cpp:
+        (WebKit::WebAuthenticatorCoordinatorProxy::makeCredential):
+        (WebKit::WebAuthenticatorCoordinatorProxy::getAssertion):
+        (WebKit::WebAuthenticatorCoordinatorProxy::handleRequest):
+        * UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.h:
+        * UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp:
+        (WebKit::CtapAuthenticator::makeCredential):
+        (WebKit::CtapAuthenticator::continueMakeCredentialAfterResponseReceived const):
+        (WebKit::CtapAuthenticator::getAssertion):
+        * UIProcess/WebAuthentication/fido/U2fAuthenticator.cpp:
+        (WebKit::U2fAuthenticator::makeCredential):
+        (WebKit::U2fAuthenticator::checkExcludeList):
+        (WebKit::U2fAuthenticator::issueRegisterCommand):
+        (WebKit::U2fAuthenticator::getAssertion):
+        (WebKit::U2fAuthenticator::issueSignCommand):
+        (WebKit::U2fAuthenticator::continueRegisterCommandAfterResponseReceived):
+        (WebKit::U2fAuthenticator::continueSignCommandAfterResponseReceived):
+
 2019-09-17  Carlos Garcia Campos  <cgarcia@igalia.com>
 

trunk/Source/WebKit/UIProcess/WebAuthentication/Authenticator.cpp

@@ -37 +37 @@
     m_pendingRequestData = data;
     // Enforce asynchronous execution of makeCredential/getAssertion.
-    RunLoop::main().dispatch([weakThis = makeWeakPtr(*this)] {
+    RunLoop::main().dispatch([weakThis = makeWeakPtr(*this), this] {
         if (!weakThis)
             return;
-        if (weakThis->m_pendingRequestData.isCreationRequest)
-            weakThis->makeCredential();
+        if (WTF::holds_alternative<WebCore::PublicKeyCredentialCreationOptions>(m_pendingRequestData.options))
+            makeCredential();
         else
-            weakThis->getAssertion();
+            getAssertion();
     });
 }

trunk/Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.cpp

@@ -29 +29 @@
 #if ENABLE(WEB_AUTHN)
 
+#include "WebPreferencesKeys.h"
 #include <WebCore/AuthenticatorTransport.h>
 #include <WebCore/PublicKeyCredentialCreationOptions.h>
@@ -120 +121 @@
 }
 
-void AuthenticatorManager::makeCredential(const Vector<uint8_t>& hash, const PublicKeyCredentialCreationOptions& options, Callback&& callback)
+void AuthenticatorManager::handleRequest(WebAuthenticationRequestData&& data, Callback&& callback)
 {
     using namespace AuthenticatorManagerInternal;
@@ -131 +132 @@
 
     // 1. Save request for async operations.
-    m_pendingRequestData = { hash, true, options, { } };
+    m_pendingRequestData = WTFMove(data);
     m_pendingCompletionHandler = WTFMove(callback);
-    initTimeOutTimer(options.timeout);
 
     // 2. Get available transports and start discovering authenticators on them.
-    startDiscovery(collectTransports(options.authenticatorSelection));
-}
-
-void AuthenticatorManager::getAssertion(const Vector<uint8_t>& hash, const PublicKeyCredentialRequestOptions& options, Callback&& callback)
-{
-    using namespace AuthenticatorManagerInternal;
-
-    if (m_pendingCompletionHandler) {
-        m_pendingCompletionHandler(ExceptionData { NotAllowedError, "This request has been cancelled by a new request."_s });
-        m_requestTimeOutTimer.stop();
-    }
-    clearState();
-
-    // 1. Save request for async operations.
-    m_pendingRequestData = { hash, false, { }, options };
-    m_pendingCompletionHandler = WTFMove(callback);
-    initTimeOutTimer(options.timeout);
-
-    // 2. Get available transports and start discovering authenticators on them.
-    ASSERT(m_services.isEmpty());
-    startDiscovery(collectTransports(options.allowCredentials));
+    WTF::switchOn(m_pendingRequestData.options, [&](const PublicKeyCredentialCreationOptions& options) {
+        initTimeOutTimer(options.timeout);
+        startDiscovery(collectTransports(options.authenticatorSelection));
+    }, [&](const  PublicKeyCredentialRequestOptions& options) {
+        initTimeOutTimer(options.timeout);
+        startDiscovery(collectTransports(options.allowCredentials));
+    });
 }
 
@@ -229 +215 @@
     using namespace AuthenticatorManagerInternal;
 
-    ASSERT(m_services.isEmpty() && transports.size() <= maxTransportNumber);
+    ASSERT(m_services.isEmpty() && transports.size() <= maxTransportNumber && m_pendingRequestData.preferences);
     for (auto& transport : transports) {
+        if (transport == AuthenticatorTransport::Internal && !m_pendingRequestData.preferences->store().getBoolValueForKey(WebPreferencesKey::webAuthenticationLocalAuthenticatorEnabledKey()))
+            continue;
         auto service = createService(transport, *this);
         service->startDiscovery();

trunk/Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.h

@@ -55 +55 @@
     virtual ~AuthenticatorManager() = default;
 
-    void makeCredential(const Vector<uint8_t>& hash, const WebCore::PublicKeyCredentialCreationOptions&, Callback&&);
-    void getAssertion(const Vector<uint8_t>& hash, const WebCore::PublicKeyCredentialRequestOptions&, Callback&&);
+    void handleRequest(WebAuthenticationRequestData&&, Callback&&);
 
     virtual bool isMock() const { return false; }

trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm

@@ -92 +92 @@
     ASSERT(m_state == State::Init);
     m_state = State::RequestReceived;
+    auto& creationOptions = WTF::get<PublicKeyCredentialCreationOptions>(requestData().options);
 
     // The following implements https://www.w3.org/TR/webauthn/#op-make-cred as of 5 December 2017.
@@ -99 +100 @@
     // Step 2.
     bool canFullfillPubKeyCredParams = false;
-    for (auto& pubKeyCredParam : requestData().creationOptions.pubKeyCredParams) {
+    for (auto& pubKeyCredParam : creationOptions.pubKeyCredParams) {
         if (pubKeyCredParam.type == PublicKeyCredentialType::PublicKey && pubKeyCredParam.alg == COSE::ES256) {
             canFullfillPubKeyCredParams = true;
@@ -111 +112 @@
 
     // Step 3.
-    HashSet<String> excludeCredentialIds = produceHashSet(requestData().creationOptions.excludeCredentials);
+    auto excludeCredentialIds = produceHashSet(creationOptions.excludeCredentials);
     if (!excludeCredentialIds.isEmpty()) {
         // Search Keychain for the RP ID.
@@ -117 +118 @@
             (id)kSecClass: (id)kSecClassKey,
             (id)kSecAttrKeyClass: (id)kSecAttrKeyClassPrivate,
-            (id)kSecAttrLabel: requestData().creationOptions.rp.id,
+            (id)kSecAttrLabel: creationOptions.rp.id,
             (id)kSecReturnAttributes: @YES,
             (id)kSecMatchLimit: (id)kSecMatchLimitAll,
@@ -155 +156 @@
     };
     m_connection->getUserConsent(
-        "allow " + requestData().creationOptions.rp.id + " to create a public key credential for " + requestData().creationOptions.user.name,
+        "allow " + creationOptions.rp.id + " to create a public key credential for " + creationOptions.user.name,
         WTFMove(callback));
 }
@@ -163 +164 @@
     ASSERT(m_state == State::RequestReceived);
     m_state = State::UserConsented;
+    auto& creationOptions = WTF::get<PublicKeyCredentialCreationOptions>(requestData().options);
 
     if (consent == LocalConnection::UserConsent::No) {
@@ -174 +176 @@
     NSDictionary* deleteQuery = @{
         (id)kSecClass: (id)kSecClassKey,
-        (id)kSecAttrLabel: requestData().creationOptions.rp.id,
-        (id)kSecAttrApplicationTag: [NSData dataWithBytes:requestData().creationOptions.user.idVector.data() length:requestData().creationOptions.user.idVector.size()],
+        (id)kSecAttrLabel: creationOptions.rp.id,
+        (id)kSecAttrApplicationTag: [NSData dataWithBytes:creationOptions.user.idVector.data() length:creationOptions.user.idVector.size()],
 #if HAVE(DATA_PROTECTION_KEYCHAIN)
         (id)kSecUseDataProtectionKeychain: @YES
@@ -196 +198 @@
         weakThis->continueMakeCredentialAfterAttested(privateKey, certificates, error);
     };
-    m_connection->getAttestation(requestData().creationOptions.rp.id, requestData().creationOptions.user.name, requestData().hash, WTFMove(callback));
+    m_connection->getAttestation(creationOptions.rp.id, creationOptions.user.name, requestData().hash, WTFMove(callback));
 }
 
@@ -205 +207 @@
     ASSERT(m_state == State::UserConsented);
     m_state = State::Attested;
+    auto& creationOptions = WTF::get<PublicKeyCredentialCreationOptions>(requestData().options);
 
     if (error) {
@@ -230 +233 @@
     {
         // -rk-ucrt is added by DeviceIdentity.Framework.
-        String label = makeString(requestData().creationOptions.user.name, "@", requestData().creationOptions.rp.id, "-rk-ucrt");
+        String label = makeString(creationOptions.user.name, "@", creationOptions.rp.id, "-rk-ucrt");
         NSDictionary *credentialIdQuery = @{
             (id)kSecClass: (id)kSecClassKey,
@@ -265 +268 @@
         };
         NSDictionary *updateParams = @{
-            (id)kSecAttrLabel: requestData().creationOptions.rp.id,
-            (id)kSecAttrApplicationTag: [NSData dataWithBytes:requestData().creationOptions.user.idVector.data() length:requestData().creationOptions.user.idVector.size()],
+            (id)kSecAttrLabel: creationOptions.rp.id,
+            (id)kSecAttrApplicationTag: [NSData dataWithBytes:creationOptions.user.idVector.data() length:creationOptions.user.idVector.size()],
         };
         status = SecItemUpdate((__bridge CFDictionaryRef)updateQuery, (__bridge CFDictionaryRef)updateParams);
@@ -309 +312 @@
 
     // Step 12.
-    auto authData = buildAuthData(requestData().creationOptions.rp.id, makeCredentialFlags, counter, attestedCredentialData);
+    auto authData = buildAuthData(creationOptions.rp.id, makeCredentialFlags, counter, attestedCredentialData);
 
     // Step 13. Apple Attestation Cont'
@@ -336 +339 @@
         attestationStatementMap[cbor::CBORValue("x5c")] = cbor::CBORValue(WTFMove(cborArray));
     }
-    auto attestationObject = buildAttestationObject(WTFMove(authData), "Apple", WTFMove(attestationStatementMap), requestData().creationOptions.attestation);
+    auto attestationObject = buildAttestationObject(WTFMove(authData), "Apple", WTFMove(attestationStatementMap), creationOptions.attestation);
 
     receiveRespond(PublicKeyCredentialData { ArrayBuffer::create(credentialId.data(), credentialId.size()), true, nullptr, ArrayBuffer::create(attestationObject.data(), attestationObject.size()), nullptr, nullptr, nullptr, WTF::nullopt });
@@ -346 +349 @@
     ASSERT(m_state == State::Init);
     m_state = State::RequestReceived;
+    auto& requestOptions = WTF::get<PublicKeyCredentialRequestOptions>(requestData().options);
 
     // The following implements https://www.w3.org/TR/webauthn/#op-get-assertion as of 5 December 2017.
@@ -352 +356 @@
     // Step 12 is implicitly captured by all UnknownError exception callbacks.
     // Step 3-5. Unlike the spec, if an allow list is provided and there is no intersection between existing ones and the allow list, we always return NotAllowedError.
-    HashSet<String> allowCredentialIds = produceHashSet(requestData().requestOptions.allowCredentials);
-    if (!requestData().requestOptions.allowCredentials.isEmpty() && allowCredentialIds.isEmpty()) {
+    auto allowCredentialIds = produceHashSet(requestOptions.allowCredentials);
+    if (!requestOptions.allowCredentials.isEmpty() && allowCredentialIds.isEmpty()) {
         receiveRespond(ExceptionData { NotAllowedError, "No matched credentials are found in the platform attached authenticator."_s });
         return;
@@ -362 +366 @@
         (id)kSecClass: (id)kSecClassKey,
         (id)kSecAttrKeyClass: (id)kSecAttrKeyClassPrivate,
-        (id)kSecAttrLabel: requestData().requestOptions.rpId,
+        (id)kSecAttrLabel: requestOptions.rpId,
         (id)kSecReturnAttributes: @YES,
         (id)kSecMatchLimit: (id)kSecMatchLimitAll,
@@ -381 +385 @@
 
     NSArray *intersectedCredentialsAttributes = nil;
-    if (requestData().requestOptions.allowCredentials.isEmpty())
+    if (requestOptions.allowCredentials.isEmpty())
         intersectedCredentialsAttributes = (NSArray *)attributesArrayRef;
     else {
@@ -417 +421 @@
     StringView idStringView { static_cast<const UChar*>([idData bytes]), static_cast<unsigned>([idData length]) };
     m_connection->getUserConsent(
-        makeString("log into ", requestData().requestOptions.rpId, " with ", idStringView),
+        makeString("log into ", requestOptions.rpId, " with ", idStringView),
         (__bridge SecAccessControlRef)selectedCredentialAttributes[(id)kSecAttrAccessControl],
         WTFMove(callback));
@@ -437 +441 @@
     // Therefore, it is always zero.
     uint32_t counter = 0;
-    auto authData = buildAuthData(requestData().requestOptions.rpId, getAssertionFlags, counter, { });
+    auto authData = buildAuthData(WTF::get<PublicKeyCredentialRequestOptions>(requestData().options).rpId, getAssertionFlags, counter, { });
 
     // Step 11.

trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalService.mm

@@ -45 +45 @@
 bool LocalService::isAvailable()
 {
-    // FIXME(198176)
-    if (!WebCore::RuntimeEnabledFeatures::sharedFeatures().webAuthenticationLocalAuthenticatorEnabled())
-        return false;
-
     auto context = adoptNS([allocLAContextInstance() init]);
     NSError *error = nil;

trunk/Source/WebKit/UIProcess/WebAuthentication/WebAuthenticationRequestData.h

@@ -28 +28 @@
 #if ENABLE(WEB_AUTHN)
 
+#include "WebPreferences.h"
 #include <WebCore/PublicKeyCredentialCreationOptions.h>
 #include <WebCore/PublicKeyCredentialRequestOptions.h>
+#include <wtf/Variant.h>
 #include <wtf/Vector.h>
 
@@ -36 +38 @@
 struct WebAuthenticationRequestData {
     Vector<uint8_t> hash;
-    // FIXME: Maybe we could make an ABC of Options and then use safe casting here.
-    bool isCreationRequest { true };
-    WebCore::PublicKeyCredentialCreationOptions creationOptions;
-    WebCore::PublicKeyCredentialRequestOptions requestOptions;
+    Variant<WebCore::PublicKeyCredentialCreationOptions, WebCore::PublicKeyCredentialRequestOptions> options;
+    RefPtr<WebPreferences> preferences;
 };
 

trunk/Source/WebKit/UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.cpp

@@ -56 +56 @@
 void WebAuthenticatorCoordinatorProxy::makeCredential(uint64_t messageId, const Vector<uint8_t>& hash, const WebCore::PublicKeyCredentialCreationOptions& options)
 {
-    auto callback = [messageId, weakThis = makeWeakPtr(*this)] (Variant<WebCore::PublicKeyCredentialData, WebCore::ExceptionData>&& result) {
-        ASSERT(RunLoop::isMain());
-        if (!weakThis)
-            return;
-
-        WTF::switchOn(result, [&](const WebCore::PublicKeyCredentialData& data) {
-            weakThis->requestReply(messageId, data, { });
-        }, [&](const  WebCore::ExceptionData& exception) {
-            weakThis->requestReply(messageId, { }, exception);
-        });
-    };
-    m_webPageProxy.websiteDataStore().authenticatorManager().makeCredential(hash, options, WTFMove(callback));
+    handleRequest(messageId, { hash, options, m_webPageProxy.preferences().copy() });
 }
 
 void WebAuthenticatorCoordinatorProxy::getAssertion(uint64_t messageId, const Vector<uint8_t>& hash, const WebCore::PublicKeyCredentialRequestOptions& options)
+{
+    handleRequest(messageId, { hash, options, m_webPageProxy.preferences().copy() });
+}
+
+void WebAuthenticatorCoordinatorProxy::handleRequest(uint64_t messageId, WebAuthenticationRequestData&& data)
 {
     auto callback = [messageId, weakThis = makeWeakPtr(*this)] (Variant<WebCore::PublicKeyCredentialData, WebCore::ExceptionData>&& result) {
@@ -83 +77 @@
         });
     };
-    m_webPageProxy.websiteDataStore().authenticatorManager().getAssertion(hash, options, WTFMove(callback));
+    m_webPageProxy.websiteDataStore().authenticatorManager().handleRequest(WTFMove(data), WTFMove(callback));
 }
 

trunk/Source/WebKit/UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.h

@@ -44 +44 @@
 class WebPageProxy;
 
+struct WebAuthenticationRequestData;
+
 class WebAuthenticatorCoordinatorProxy : private IPC::MessageReceiver, public CanMakeWeakPtr<WebAuthenticatorCoordinatorProxy> {
     WTF_MAKE_FAST_ALLOCATED;
@@ -63 +65 @@
     void requestReply(uint64_t messageId, const WebCore::PublicKeyCredentialData&, const WebCore::ExceptionData&);
 
+    void handleRequest(uint64_t messageId, WebAuthenticationRequestData&&);
+
     WebPageProxy& m_webPageProxy;
 };

trunk/Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp

@@ -53 +53 @@
 {
     ASSERT(!m_isDowngraded);
-    auto cborCmd = encodeMakeCredenitalRequestAsCBOR(requestData().hash, requestData().creationOptions, m_info.options().userVerificationAvailability());
+    auto cborCmd = encodeMakeCredenitalRequestAsCBOR(requestData().hash, WTF::get<PublicKeyCredentialCreationOptions>(requestData().options), m_info.options().userVerificationAvailability());
     m_driver->transact(WTFMove(cborCmd), [weakThis = makeWeakPtr(*this)](Vector<uint8_t>&& data) {
         ASSERT(RunLoop::isMain());
@@ -64 +64 @@
 void CtapAuthenticator::continueMakeCredentialAfterResponseReceived(Vector<uint8_t>&& data) const
 {
-    auto response = readCTAPMakeCredentialResponse(data, requestData().creationOptions.attestation);
+    auto response = readCTAPMakeCredentialResponse(data, WTF::get<PublicKeyCredentialCreationOptions>(requestData().options).attestation);
     if (!response) {
         auto error = getResponseCode(data);
@@ -79 +79 @@
 {
     ASSERT(!m_isDowngraded);
-    auto cborCmd = encodeGetAssertionRequestAsCBOR(requestData().hash, requestData().requestOptions, m_info.options().userVerificationAvailability());
+    auto cborCmd = encodeGetAssertionRequestAsCBOR(requestData().hash, WTF::get<PublicKeyCredentialRequestOptions>(requestData().options), m_info.options().userVerificationAvailability());
     m_driver->transact(WTFMove(cborCmd), [weakThis = makeWeakPtr(*this)](Vector<uint8_t>&& data) {
         ASSERT(RunLoop::isMain());

trunk/Source/WebKit/UIProcess/WebAuthentication/fido/U2fAuthenticator.cpp

@@ -56 +56 @@
 void U2fAuthenticator::makeCredential()
 {
-    if (!isConvertibleToU2fRegisterCommand(requestData().creationOptions)) {
+    auto& creationOptions = WTF::get<PublicKeyCredentialCreationOptions>(requestData().options);
+    if (!isConvertibleToU2fRegisterCommand(creationOptions)) {
         receiveRespond(ExceptionData { NotSupportedError, "Cannot convert the request to U2F command."_s });
         return;
     }
-    if (!requestData().creationOptions.excludeCredentials.isEmpty()) {
+    if (!creationOptions.excludeCredentials.isEmpty()) {
         ASSERT(!m_nextListIndex);
         checkExcludeList(m_nextListIndex++);
@@ -70 +71 @@
 void U2fAuthenticator::checkExcludeList(size_t index)
 {
-    if (index >= requestData().creationOptions.excludeCredentials.size()) {
+    auto& creationOptions = WTF::get<PublicKeyCredentialCreationOptions>(requestData().options);
+    if (index >= creationOptions.excludeCredentials.size()) {
         issueRegisterCommand();
         return;
     }
-    auto u2fCmd = convertToU2fCheckOnlySignCommand(requestData().hash, requestData().creationOptions, requestData().creationOptions.excludeCredentials[index]);
+    auto u2fCmd = convertToU2fCheckOnlySignCommand(requestData().hash, creationOptions, creationOptions.excludeCredentials[index]);
     ASSERT(u2fCmd);
     issueNewCommand(WTFMove(*u2fCmd), CommandType::CheckOnlyCommand);
@@ -81 +83 @@
 void U2fAuthenticator::issueRegisterCommand()
 {
-    auto u2fCmd = convertToU2fRegisterCommand(requestData().hash, requestData().creationOptions);
+    auto u2fCmd = convertToU2fRegisterCommand(requestData().hash, WTF::get<PublicKeyCredentialCreationOptions>(requestData().options));
     ASSERT(u2fCmd);
     issueNewCommand(WTFMove(*u2fCmd), CommandType::RegisterCommand);
@@ -88 +90 @@
 void U2fAuthenticator::getAssertion()
 {
-    if (!isConvertibleToU2fSignCommand(requestData().requestOptions)) {
+    if (!isConvertibleToU2fSignCommand(WTF::get<PublicKeyCredentialRequestOptions>(requestData().options))) {
         receiveRespond(ExceptionData { NotSupportedError, "Cannot convert the request to U2F command."_s });
         return;
@@ -98 +100 @@
 void U2fAuthenticator::issueSignCommand(size_t index)
 {
-    if (index >= requestData().requestOptions.allowCredentials.size()) {
+    auto& requestOptions = WTF::get<PublicKeyCredentialRequestOptions>(requestData().options);
+    if (index >= requestOptions.allowCredentials.size()) {
         receiveRespond(ExceptionData { NotAllowedError, "No credentials from the allowCredentials list is found in the authenticator."_s });
         return;
     }
-    auto u2fCmd = convertToU2fSignCommand(requestData().hash, requestData().requestOptions, requestData().requestOptions.allowCredentials[index].idVector, m_isAppId);
+    auto u2fCmd = convertToU2fSignCommand(requestData().hash, requestOptions, requestOptions.allowCredentials[index].idVector, m_isAppId);
     ASSERT(u2fCmd);
     issueNewCommand(WTFMove(*u2fCmd), CommandType::SignCommand);
@@ -153 +156 @@
     switch (apduResponse.status()) {
     case ApduResponse::Status::SW_NO_ERROR: {
-        auto response = readU2fRegisterResponse(requestData().creationOptions.rp.id, apduResponse.data(), requestData().creationOptions.attestation);
+        auto response = readU2fRegisterResponse(WTF::get<PublicKeyCredentialCreationOptions>(requestData().options).rp.id, apduResponse.data(), WTF::get<PublicKeyCredentialCreationOptions>(requestData().options).attestation);
         if (!response) {
             receiveRespond(ExceptionData { UnknownError, "Couldn't parse the U2F register response."_s });
@@ -199 +202 @@
 void U2fAuthenticator::continueSignCommandAfterResponseReceived(ApduResponse&& apduResponse)
 {
+    auto& requestOptions = WTF::get<PublicKeyCredentialRequestOptions>(requestData().options);
     switch (apduResponse.status()) {
     case ApduResponse::Status::SW_NO_ERROR: {
         Optional<PublicKeyCredentialData> response;
         if (m_isAppId) {
-            ASSERT(requestData().requestOptions.extensions && !requestData().requestOptions.extensions->appid.isNull());
-            response = readU2fSignResponse(requestData().requestOptions.extensions->appid, requestData().requestOptions.allowCredentials[m_nextListIndex - 1].idVector, apduResponse.data());
+            ASSERT(requestOptions.extensions && !requestOptions.extensions->appid.isNull());
+            response = readU2fSignResponse(requestOptions.extensions->appid, requestOptions.allowCredentials[m_nextListIndex - 1].idVector, apduResponse.data());
         } else
-            response = readU2fSignResponse(requestData().requestOptions.rpId, requestData().requestOptions.allowCredentials[m_nextListIndex - 1].idVector, apduResponse.data());
+            response = readU2fSignResponse(requestOptions.rpId, requestOptions.allowCredentials[m_nextListIndex - 1].idVector, apduResponse.data());
         if (!response) {
             receiveRespond(ExceptionData { UnknownError, "Couldn't parse the U2F sign response."_s });
@@ -222 +226 @@
         return;
     case ApduResponse::Status::SW_WRONG_DATA:
-        if (requestData().requestOptions.extensions && !requestData().requestOptions.extensions->appid.isNull()) {
+        if (requestOptions.extensions && !requestOptions.extensions->appid.isNull()) {
             if (!m_isAppId) {
                 m_isAppId = true;