Changeset 291018 in webkit

Timestamp:

Mar 8, 2022 3:51:45 PM (4 months ago)

Author:

J Pascoe

Message:

[WebAuthn] Using WebAuthn within cross-origin iframe elements
​https://bugs.webkit.org/show_bug.cgi?id=222240
rdar://problem/74830748

Reviewed by Brent Fulgham.

Source/WebCore:

This patch relaxes the requirement to perform a Web Authentication assertion
inside an i-frame with the "publickey-credentials-get" feature policy from
'same-site' to 'cross-origin with consent'.

There is an additional requirement that there is only a single cross-origin
parent to present to the user in the prompt. If we can't display the updated
prompt, then cross-origin assertions are not allowed.

Test: http/wpt/webauthn/public-key-credential-cross-origin.https.html

• Modules/credentialmanagement/CredentialsContainer.cpp:

(WebCore::CredentialsContainer::scopeAndSingleParent):
(WebCore::CredentialsContainer::get):
(WebCore::CredentialsContainer::isCreate):
(WebCore::CredentialsContainer::scope): Deleted.

• Modules/credentialmanagement/CredentialsContainer.h:
• Modules/webauthn/AuthenticatorCoordinator.cpp:

(WebCore::AuthenticatorCoordinator::discoverFromExternalSource const):

• Modules/webauthn/AuthenticatorCoordinator.h:
• Modules/webauthn/AuthenticatorCoordinatorClient.h:

Source/WebKit:

This patch relaxes the requirement to perform a Web Authentication assertion
inside an i-frame with the "publickey-credentials-get" feature policy from
'same-site' to 'cross-origin with consent'.

There is an additional requirement that there is only a single cross-origin
parent to present to the user in the prompt. If we can't display the updated
prompt, then cross-origin assertions are not allowed.

• Platform/spi/Cocoa/AuthenticationServicesCoreSPI.h:
• UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm:

(WebKit::configureAssertionOptions):
(WebKit::configurationAssertionRequestContext):
(WebKit::WebAuthenticatorCoordinatorProxy::contextForRequest):

• UIProcess/WebAuthentication/WebAuthenticationRequestData.h:
• UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.cpp:

(WebKit::WebAuthenticatorCoordinatorProxy::makeCredential):
(WebKit::WebAuthenticatorCoordinatorProxy::getAssertion):
(WebKit::WebAuthenticatorCoordinatorProxy::handleRequest):

• UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.h:
• UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.messages.in:
• WebProcess/WebAuthentication/WebAuthenticatorCoordinator.cpp:

(WebKit::WebAuthenticatorCoordinator::getAssertion):

• WebProcess/WebAuthentication/WebAuthenticatorCoordinator.h:

LayoutTests:

Update existing tests and create new test for cross-origin, non same-site i-frames.

• http/wpt/webauthn/public-key-credential-cross-origin.https-expected.txt: Added.
• http/wpt/webauthn/public-key-credential-cross-origin.https.html: Added.
• http/wpt/webauthn/public-key-credential-same-origin-with-ancestors.https-expected.txt:
• http/wpt/webauthn/public-key-credential-same-origin-with-ancestors.https.html:
• http/wpt/webauthn/resources/public-key-credential-cross-origin.https.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/public-key-credential-cross-origin.https-expected.txt (added)
• LayoutTests/http/wpt/webauthn/public-key-credential-cross-origin.https.html (added)
• LayoutTests/http/wpt/webauthn/public-key-credential-same-origin-with-ancestors.https-expected.txt (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/public-key-credential-same-origin-with-ancestors.https.html (modified) (2 diffs)
• LayoutTests/http/wpt/webauthn/resources/public-key-credential-cross-origin.https.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/Modules/credentialmanagement/CredentialsContainer.cpp (modified) (3 diffs)
• Source/WebCore/Modules/credentialmanagement/CredentialsContainer.h (modified) (1 diff)
• Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp (modified) (4 diffs)
• Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.h (modified) (2 diffs)
• Source/WebCore/Modules/webauthn/AuthenticatorCoordinatorClient.h (modified) (3 diffs)
• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/Platform/spi/Cocoa/AuthenticationServicesCoreSPI.h (modified) (1 diff)
• Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm (modified) (4 diffs)
• Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm (modified) (5 diffs)
• Source/WebKit/UIProcess/WebAuthentication/WebAuthenticationRequestData.h (modified) (2 diffs)
• Source/WebKit/UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.cpp (modified) (2 diffs)
• Source/WebKit/UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.h (modified) (1 diff)
• Source/WebKit/UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.messages.in (modified) (1 diff)
• Source/WebKit/WebAuthnProcess/WebAuthnConnectionToWebProcess.cpp (modified) (1 diff)
• Source/WebKit/WebProcess/WebAuthentication/WebAuthenticatorCoordinator.cpp (modified) (3 diffs)
• Source/WebKit/WebProcess/WebAuthentication/WebAuthenticatorCoordinator.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2022-03-08  J Pascoe  <j_pascoe@apple.com>
+
+        [WebAuthn] Using WebAuthn within cross-origin iframe elements
+        https://bugs.webkit.org/show_bug.cgi?id=222240
+        rdar://problem/74830748
+
+        Reviewed by Brent Fulgham.
+
+        Update existing tests and create new test for cross-origin, non same-site i-frames.
+
+        * http/wpt/webauthn/public-key-credential-cross-origin.https-expected.txt: Added.
+        * http/wpt/webauthn/public-key-credential-cross-origin.https.html: Added.
+        * http/wpt/webauthn/public-key-credential-same-origin-with-ancestors.https-expected.txt:
+        * http/wpt/webauthn/public-key-credential-same-origin-with-ancestors.https.html:
+        * http/wpt/webauthn/resources/public-key-credential-cross-origin.https.html: Added.
+
 2022-03-08  Chris Fleizach  <cfleizach@apple.com>
 

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-same-origin-with-ancestors.https-expected.txt

@@ -5 +5 @@
 PASS Tests that a frame that is same-site, cross-origin without publickey-credentials-get feature policy cannot use get().
 PASS Tests that a frame that is same-site, cross-origin with publickey-credentials-get feature policy can use get().
-PASS Tests that a frame that is cross-origin, NOT same-site  with publickey-credentials-get feature policy cannot use get().
+PASS Tests that a frame using an ip address that is cross-origin, NOT same-site with publickey-credentials-get feature policy cannot use get().
 

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-same-origin-with-ancestors.https.html

@@ -1 @@
-<!DOCTYPE html><!-- webkit-test-runner [ WebAuthenticationModernEnabled=true ] -->
+<!DOCTYPE html><!-- webkit-test-runner [ WebAuthenticationModernEnabled=false ] -->
 <html>
 <head>
@@ -38 +38 @@
         promise_test(t => {
             return withCrossOriginIframe("samesite-iframe.html", "publickey-credentials-get").then((message) => {
-                assert_equals(message.data, "Throw NotAllowedError: The origin of the document is not the same as its ancestors.");
+                assert_equals(message.data, "Throw SecurityError: The effective domain of the document is not a valid domain.");
             });
-        }, "Tests that a frame that is cross-origin, NOT same-site  with publickey-credentials-get feature policy cannot use get().");
+        }, "Tests that a frame using an ip address that is cross-origin, NOT same-site with publickey-credentials-get feature policy cannot use get().");
     </script>
 </body>

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2022-03-08  J Pascoe  <j_pascoe@apple.com>
+
+        [WebAuthn] Using WebAuthn within cross-origin iframe elements
+        https://bugs.webkit.org/show_bug.cgi?id=222240
+        rdar://problem/74830748
+
+        Reviewed by Brent Fulgham.
+
+        This patch relaxes the requirement to perform a Web Authentication assertion
+        inside an i-frame with the "publickey-credentials-get" feature policy from
+        'same-site' to 'cross-origin with consent'.
+
+        There is an additional requirement that there is only a single cross-origin
+        parent to present to the user in the prompt. If we can't display the updated
+        prompt, then cross-origin assertions are not allowed.
+
+        Test: http/wpt/webauthn/public-key-credential-cross-origin.https.html
+
+        * Modules/credentialmanagement/CredentialsContainer.cpp:
+        (WebCore::CredentialsContainer::scopeAndSingleParent):
+        (WebCore::CredentialsContainer::get):
+        (WebCore::CredentialsContainer::isCreate):
+        (WebCore::CredentialsContainer::scope): Deleted.
+        * Modules/credentialmanagement/CredentialsContainer.h:
+        * Modules/webauthn/AuthenticatorCoordinator.cpp:
+        (WebCore::AuthenticatorCoordinator::discoverFromExternalSource const):
+        * Modules/webauthn/AuthenticatorCoordinator.h:
+        * Modules/webauthn/AuthenticatorCoordinatorClient.h:
+
 2022-03-08  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/WebCore/Modules/credentialmanagement/CredentialsContainer.cpp

@@ -47 +47 @@
 }
 
-WebAuthn::Scope CredentialsContainer::scope()
+ScopeAndCrossOriginParent CredentialsContainer::scopeAndCrossOriginParent() const
 {
     if (!m_document)
-        return WebAuthn::Scope::CrossOrigin;
+        return std::pair { WebAuthn::Scope::CrossOrigin, std::nullopt };
 
-    bool isSameOrigin = true;
     bool isSameSite = true;
     auto& origin = m_document->securityOrigin();
     auto& url = m_document->url();
+    std::optional<SecurityOriginData> crossOriginParent;
     for (auto* document = m_document->parentDocument(); document; document = document->parentDocument()) {
         if (!origin.isSameOriginDomain(document->securityOrigin()) && !areRegistrableDomainsEqual(url, document->url()))
             isSameSite = false;
-        if (!origin.isSameOriginAs(document->securityOrigin()))
-            isSameOrigin = false;
+        if (!crossOriginParent && !origin.isSameOriginAs(document->securityOrigin()))
+            crossOriginParent = origin.data();
     }
 
-    if (isSameOrigin)
-        return WebAuthn::Scope::SameOrigin;
+    if (!crossOriginParent)
+        return std::pair { WebAuthn::Scope::SameOrigin, std::nullopt };
     if (isSameSite)
-        return WebAuthn::Scope::SameSite;
-    return WebAuthn::Scope::CrossOrigin;
+        return std::pair { WebAuthn::Scope::SameSite, std::nullopt };
+    return std::pair { WebAuthn::Scope::CrossOrigin, crossOriginParent };
 }
 
@@ -99 +99 @@
     }
 
-    m_document->page()->authenticatorCoordinator().discoverFromExternalSource(*m_document, WTFMove(options), scope(), WTFMove(promise));
+    m_document->page()->authenticatorCoordinator().discoverFromExternalSource(*m_document, WTFMove(options), scopeAndCrossOriginParent(), WTFMove(promise));
 }
 
@@ -134 +134 @@
     }
 
-    m_document->page()->authenticatorCoordinator().create(*m_document, options.publicKey.value(), scope(), WTFMove(options.signal), WTFMove(promise));
+    m_document->page()->authenticatorCoordinator().create(*m_document, options.publicKey.value(), scopeAndCrossOriginParent().first, WTFMove(options.signal), WTFMove(promise));
 }
 

trunk/Source/WebCore/Modules/credentialmanagement/CredentialsContainer.h

@@ -59 +59 @@
     CredentialsContainer(WeakPtr<Document>&&);
 
-    WebAuthn::Scope scope();
+    ScopeAndCrossOriginParent scopeAndCrossOriginParent() const;
 
     WeakPtr<Document> m_document;

trunk/Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp

@@ -185 +185 @@
 }
 
-void AuthenticatorCoordinator::discoverFromExternalSource(const Document& document, CredentialRequestOptions&& requestOptions, WebAuthn::Scope scope, CredentialPromise&& promise) const
+void AuthenticatorCoordinator::discoverFromExternalSource(const Document& document, CredentialRequestOptions&& requestOptions, const ScopeAndCrossOriginParent& scopeAndCrossOriginParent, CredentialPromise&& promise) const
 {
     using namespace AuthenticatorCoordinatorInternal;
@@ -196 +196 @@
     // Step 1, 3, 13 are handled by the caller.
     // Step 2.
-    // This implements https://www.w3.org/TR/webauthn-2/#sctn-permissions-policy except only same-site, cross-origin is permitted.
-    if (scope != WebAuthn::Scope::SameOrigin && !(scope == WebAuthn::Scope::SameSite && isFeaturePolicyAllowedByDocumentAndAllOwners(FeaturePolicy::Type::PublickeyCredentialsGetRule, document, LogFeaturePolicyFailure::No))) {
+    // This implements https://www.w3.org/TR/webauthn-2/#sctn-permissions-policy
+    if (scopeAndCrossOriginParent.first != WebAuthn::Scope::SameOrigin && !isFeaturePolicyAllowedByDocumentAndAllOwners(FeaturePolicy::Type::PublickeyCredentialsGetRule, document, LogFeaturePolicyFailure::No)) {
         promise.reject(Exception { NotAllowedError, "The origin of the document is not the same as its ancestors."_s });
         return;
@@ -231 +231 @@
 
     // Step 10-12.
-    auto clientDataJson = buildClientDataJson(ClientDataType::Get, options.challenge, callerOrigin, scope);
+    auto clientDataJson = buildClientDataJson(ClientDataType::Get, options.challenge, callerOrigin, scopeAndCrossOriginParent.first);
     auto clientDataJsonHash = buildClientDataJsonHash(clientDataJson);
 
@@ -255 +255 @@
     };
     // Async operations are dispatched and handled in the messenger.
-    m_client->getAssertion(*frame, callerOrigin, clientDataJsonHash, options, requestOptions.mediation, WTFMove(callback));
+    m_client->getAssertion(*frame, callerOrigin, clientDataJsonHash, options, requestOptions.mediation, scopeAndCrossOriginParent, WTFMove(callback));
 }
 

trunk/Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.h

@@ -46 +46 @@
 struct PublicKeyCredentialRequestOptions;
 struct CredentialRequestOptions;
+struct SecurityOriginData;
 
 template<typename IDLType> class DOMPromiseDeferred;
 
 using CredentialPromise = DOMPromiseDeferred<IDLNullable<IDLInterface<BasicCredential>>>;
+using ScopeAndCrossOriginParent = std::pair<WebAuthn::Scope, std::optional<SecurityOriginData>>;
 
 class AuthenticatorCoordinator final {
@@ -60 +62 @@
     // The following methods implement static methods of PublicKeyCredential.
     void create(const Document&, const PublicKeyCredentialCreationOptions&, WebAuthn::Scope, RefPtr<AbortSignal>&&, CredentialPromise&&) const;
-    void discoverFromExternalSource(const Document&, CredentialRequestOptions&&, WebAuthn::Scope, CredentialPromise&&) const;
+    void discoverFromExternalSource(const Document&, CredentialRequestOptions&&, const ScopeAndCrossOriginParent&, CredentialPromise&&) const;
     void isUserVerifyingPlatformAuthenticatorAvailable(DOMPromiseDeferred<IDLBoolean>&&) const;
     void isConditionalMediationAvailable(DOMPromiseDeferred<IDLBoolean>&&) const;

trunk/Source/WebCore/Modules/webauthn/AuthenticatorCoordinatorClient.h

@@ -28 +28 @@
 #if ENABLE(WEB_AUTHN)
 
+#include "AuthenticatorCoordinator.h"
 #include "ExceptionData.h"
 #include <wtf/CompletionHandler.h>
 #include <wtf/WeakPtr.h>
+
+namespace WebAuthn {
+enum class Scope;
+}
 
 namespace WebCore {
@@ -44 +49 @@
 struct PublicKeyCredentialCreationOptions;
 struct PublicKeyCredentialRequestOptions;
+struct SecurityOriginData;
 
 using RequestCompletionHandler = CompletionHandler<void(WebCore::AuthenticatorResponseData&&, WebCore::AuthenticatorAttachment, WebCore::ExceptionData&&)>;
@@ -56 +62 @@
 
     virtual void makeCredential(const Frame&, const SecurityOrigin&, const Vector<uint8_t>&, const PublicKeyCredentialCreationOptions&, RequestCompletionHandler&&) = 0;
-    virtual void getAssertion(const Frame&, const SecurityOrigin&, const Vector<uint8_t>&, const PublicKeyCredentialRequestOptions&, MediationRequirement, RequestCompletionHandler&&) = 0;
+    virtual void getAssertion(const Frame&, const SecurityOrigin&, const Vector<uint8_t>&, const PublicKeyCredentialRequestOptions&, MediationRequirement, const ScopeAndCrossOriginParent&, RequestCompletionHandler&&) = 0;
     virtual void isConditionalMediationAvailable(QueryCompletionHandler&&) = 0;
     virtual void isUserVerifyingPlatformAuthenticatorAvailable(QueryCompletionHandler&&) = 0;

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2022-03-08  J Pascoe  <j_pascoe@apple.com>
+
+        [WebAuthn] Using WebAuthn within cross-origin iframe elements
+        https://bugs.webkit.org/show_bug.cgi?id=222240
+        rdar://problem/74830748
+
+        Reviewed by Brent Fulgham.
+
+        This patch relaxes the requirement to perform a Web Authentication assertion
+        inside an i-frame with the "publickey-credentials-get" feature policy from
+        'same-site' to 'cross-origin with consent'.
+
+        There is an additional requirement that there is only a single cross-origin
+        parent to present to the user in the prompt. If we can't display the updated
+        prompt, then cross-origin assertions are not allowed. 
+
+        * Platform/spi/Cocoa/AuthenticationServicesCoreSPI.h:
+        * UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm:
+        (WebKit::configureAssertionOptions):
+        (WebKit::configurationAssertionRequestContext):
+        (WebKit::WebAuthenticatorCoordinatorProxy::contextForRequest):
+        * UIProcess/WebAuthentication/WebAuthenticationRequestData.h:
+        * UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.cpp:
+        (WebKit::WebAuthenticatorCoordinatorProxy::makeCredential):
+        (WebKit::WebAuthenticatorCoordinatorProxy::getAssertion):
+        (WebKit::WebAuthenticatorCoordinatorProxy::handleRequest):
+        * UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.h:
+        * UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.messages.in:
+        * WebProcess/WebAuthentication/WebAuthenticatorCoordinator.cpp:
+        (WebKit::WebAuthenticatorCoordinator::getAssertion):
+        * WebProcess/WebAuthentication/WebAuthenticatorCoordinator.h:
+
 2022-03-08  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/WebKit/Platform/spi/Cocoa/AuthenticationServicesCoreSPI.h

@@ -168 +168 @@
 @property (nonatomic, nullable, readonly, copy) NSArray<ASCPublicKeyCredentialDescriptor *> *allowedCredentials;
 
+@property (nonatomic, nullable, copy) NSString *destinationSiteForCrossSiteAssertion;
+
 @end
 

trunk/Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm

@@ -823 +823 @@
         });
     };
-    _panel->handleRequest({ WTFMove(hash), [_WKWebAuthenticationPanel convertToCoreCreationOptionsWithOptions:options], nullptr, WebKit::WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, true, String(), nullptr, std::nullopt }, WTFMove(callback));
+    _panel->handleRequest({ WTFMove(hash), [_WKWebAuthenticationPanel convertToCoreCreationOptionsWithOptions:options], nullptr, WebKit::WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, true, String(), nullptr, std::nullopt, std::nullopt }, WTFMove(callback));
 #endif
 }
@@ -837 +837 @@
         });
     };
-    _panel->handleRequest({ vectorFromNSData(clientDataHash), [_WKWebAuthenticationPanel convertToCoreCreationOptionsWithOptions:options], nullptr, WebKit::WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, true, String(), nullptr, std::nullopt }, WTFMove(callback));
+    _panel->handleRequest({ vectorFromNSData(clientDataHash), [_WKWebAuthenticationPanel convertToCoreCreationOptionsWithOptions:options], nullptr, WebKit::WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, true, String(), nullptr, std::nullopt, std::nullopt }, WTFMove(callback));
 #endif
 }
@@ -887 +887 @@
         });
     };
-    _panel->handleRequest({ WTFMove(hash), [_WKWebAuthenticationPanel convertToCoreRequestOptionsWithOptions:options], nullptr, WebKit::WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, true, String(), nullptr, std::nullopt }, WTFMove(callback));
+    _panel->handleRequest({ WTFMove(hash), [_WKWebAuthenticationPanel convertToCoreRequestOptionsWithOptions:options], nullptr, WebKit::WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, true, String(), nullptr, std::nullopt, std::nullopt }, WTFMove(callback));
 #endif
 }
@@ -901 +901 @@
         });
     };
-    _panel->handleRequest({ vectorFromNSData(clientDataHash), [_WKWebAuthenticationPanel convertToCoreRequestOptionsWithOptions:options], nullptr, WebKit::WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, true, String(), nullptr, std::nullopt }, WTFMove(callback));
+    _panel->handleRequest({ vectorFromNSData(clientDataHash), [_WKWebAuthenticationPanel convertToCoreRequestOptionsWithOptions:options], nullptr, WebKit::WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, true, String(), nullptr, std::nullopt, std::nullopt }, WTFMove(callback));
 #endif
 }

trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm

@@ -173 +173 @@
 }
 
-static RetainPtr<ASCCredentialRequestContext> configureRegistrationRequestContext(const PublicKeyCredentialCreationOptions& options, Vector<uint8_t> hash)
+static inline void setGlobalFrameIDForContext(RetainPtr<ASCCredentialRequestContext> requestContext, std::optional<WebCore::GlobalFrameIdentifier> globalFrameID)
+{
+    if (globalFrameID && [requestContext respondsToSelector:@selector(setGlobalFrameID:)]) {
+        auto ascGlobalFrameID = adoptNS([allocASCGlobalFrameIdentifierInstance() init]);
+        ascGlobalFrameID.get().webFrameID = [NSNumber numberWithUnsignedLong:globalFrameID->frameID.toUInt64()];
+        ascGlobalFrameID.get().webPageID = [NSNumber numberWithUnsignedLong:globalFrameID->pageID.toUInt64()];
+        requestContext.get().globalFrameID = ascGlobalFrameID.get();
+    }
+}
+
+static RetainPtr<ASCCredentialRequestContext> configureRegistrationRequestContext(const PublicKeyCredentialCreationOptions& options, const Vector<uint8_t>& hash, std::optional<WebCore::GlobalFrameIdentifier> globalFrameID)
 {
     ASCCredentialRequestTypes requestTypes = ASCCredentialRequestTypePlatformPublicKeyRegistration | ASCCredentialRequestTypeSecurityKeyPublicKeyRegistration;
@@ -194 +204 @@
     auto requestContext = adoptNS([allocASCCredentialRequestContextInstance() initWithRequestTypes:requestTypes]);
     [requestContext setRelyingPartyIdentifier:options.rp.id];
+    setGlobalFrameIDForContext(requestContext, globalFrameID);
 
     auto credentialCreationOptions = adoptNS([allocASCPublicKeyCredentialCreationOptionsInstance() init]);
@@ -237 +248 @@
 }
 
-static RetainPtr<ASCCredentialRequestContext> configurationAssertionRequestContext(const PublicKeyCredentialRequestOptions& options, Vector<uint8_t> hash, std::optional<WebCore::MediationRequirement> mediation, std::optional<WebCore::GlobalFrameIdentifier> globalFrameID)
+static inline RetainPtr<ASCPublicKeyCredentialAssertionOptions> configureAssertionOptions(const PublicKeyCredentialRequestOptions& options, const Vector<uint8_t>& hash, ASCPublicKeyCredentialKind kind, const std::optional<SecurityOriginData>& parentOrigin, RetainPtr<NSMutableArray<ASCPublicKeyCredentialDescriptor *>> allowedCredentials, RetainPtr<NSString> userVerification)
+{
+    auto assertionOptions = adoptNS(allocASCPublicKeyCredentialAssertionOptionsInstance());
+    if ([assertionOptions respondsToSelector:@selector(initWithKind:relyingPartyIdentifier:clientDataHash:userVerificationPreference:allowedCredentials:)]) {
+        auto nsHash = toNSData(hash);
+        [assertionOptions initWithKind:ASCPublicKeyCredentialKindPlatform relyingPartyIdentifier:options.rpId clientDataHash:nsHash.get() userVerificationPreference:userVerification.get() allowedCredentials:allowedCredentials.get()];
+    } else {
+        auto challenge = WebCore::toNSData(options.challenge);
+        [assertionOptions initWithKind:ASCPublicKeyCredentialKindPlatform relyingPartyIdentifier:options.rpId challenge:challenge.get() userVerificationPreference:userVerification.get() allowedCredentials:allowedCredentials.get()];
+    }
+    if (options.extensions && [assertionOptions respondsToSelector:@selector(setExtensions:)])
+        [assertionOptions setExtensions:toASCExtensions(*options.extensions).get()];
+    if (parentOrigin && [assertionOptions respondsToSelector:@selector(setDestinationSiteForCrossSiteAssertion:)])
+        assertionOptions.get().destinationSiteForCrossSiteAssertion = parentOrigin->toString();
+    else if (parentOrigin && ![assertionOptions respondsToSelector:@selector(setDestinationSiteForCrossSiteAssertion:)])
+        return nil;
+    return assertionOptions;
+}
+
+static RetainPtr<ASCCredentialRequestContext> configurationAssertionRequestContext(const PublicKeyCredentialRequestOptions& options, const Vector<uint8_t>& hash, std::optional<WebCore::MediationRequirement> mediation, std::optional<WebCore::GlobalFrameIdentifier> globalFrameID, std::optional<WebCore::SecurityOriginData>& parentOrigin)
 {
     ASCCredentialRequestTypes requestTypes = ASCCredentialRequestTypePlatformPublicKeyAssertion | ASCCredentialRequestTypeSecurityKeyPublicKeyAssertion;
@@ -263 +293 @@
     if (mediation == MediationRequirement::Conditional && [requestContext respondsToSelector:@selector(setRequestStyle:)])
         requestContext.get().requestStyle = ASCredentialRequestStyleAutoFill;
-    if (globalFrameID && [requestContext respondsToSelector:@selector(setGlobalFrameID:)]) {
-        auto ascGlobalFrameID = adoptNS([allocASCGlobalFrameIdentifierInstance() init]);
-        ascGlobalFrameID.get().webFrameID = [NSNumber numberWithUnsignedLong:globalFrameID->frameID.toUInt64()];
-        ascGlobalFrameID.get().webPageID = [NSNumber numberWithUnsignedLong:globalFrameID->pageID.toUInt64()];
-        requestContext.get().globalFrameID = ascGlobalFrameID.get();
-    }
+    setGlobalFrameIDForContext(requestContext, globalFrameID);
 
     if (requestTypes & ASCCredentialRequestTypePlatformPublicKeyAssertion) {
-        auto assertionOptions = adoptNS(allocASCPublicKeyCredentialAssertionOptionsInstance());
-        if ([assertionOptions respondsToSelector:@selector(initWithKind:relyingPartyIdentifier:clientDataHash:userVerificationPreference:allowedCredentials:)]) {
-            auto nsHash = toNSData(hash);
-            [assertionOptions initWithKind:ASCPublicKeyCredentialKindPlatform relyingPartyIdentifier:options.rpId clientDataHash:nsHash.get() userVerificationPreference:userVerification.get() allowedCredentials:allowedCredentials.get()];
-        } else {
-            auto challenge = WebCore::toNSData(options.challenge);
-            [assertionOptions initWithKind:ASCPublicKeyCredentialKindPlatform relyingPartyIdentifier:options.rpId challenge:challenge.get() userVerificationPreference:userVerification.get() allowedCredentials:allowedCredentials.get()];
-        }
-        if (options.extensions && [assertionOptions respondsToSelector:@selector(setExtensions:)])
-            [assertionOptions setExtensions:toASCExtensions(*options.extensions).get()];
-
+        auto assertionOptions = configureAssertionOptions(options, hash, ASCPublicKeyCredentialKindPlatform, parentOrigin, allowedCredentials, userVerification);
+        if (!assertionOptions)
+            return nil;
         [requestContext setPlatformKeyCredentialAssertionOptions:assertionOptions.get()];
     }
 
     if (requestTypes & ASCCredentialRequestTypeSecurityKeyPublicKeyAssertion) {
-        auto assertionOptions = adoptNS(allocASCPublicKeyCredentialAssertionOptionsInstance());
-        if ([assertionOptions respondsToSelector:@selector(initWithKind:relyingPartyIdentifier:clientDataHash:userVerificationPreference:allowedCredentials:)]) {
-            auto nsHash = toNSData(hash);
-            [assertionOptions initWithKind:ASCPublicKeyCredentialKindSecurityKey relyingPartyIdentifier:options.rpId clientDataHash:nsHash.get() userVerificationPreference:userVerification.get() allowedCredentials:allowedCredentials.get()];
-        } else {
-            auto challenge = WebCore::toNSData(options.challenge);
-            [assertionOptions initWithKind:ASCPublicKeyCredentialKindSecurityKey relyingPartyIdentifier:options.rpId challenge:challenge.get() userVerificationPreference:userVerification.get() allowedCredentials:allowedCredentials.get()];
-        }
-        if (options.extensions && [assertionOptions respondsToSelector:@selector(setExtensions:)])
-            [assertionOptions setExtensions:toASCExtensions(*options.extensions).get()];
-
+        auto assertionOptions = configureAssertionOptions(options, hash, ASCPublicKeyCredentialKindSecurityKey, parentOrigin, allowedCredentials, userVerification);
+        if (!assertionOptions)
+            return nil;
         [requestContext setSecurityKeyCredentialAssertionOptions:assertionOptions.get()];
     }
@@ -307 +316 @@
     RetainPtr<ASCCredentialRequestContext> result;
     WTF::switchOn(requestData.options, [&](const PublicKeyCredentialCreationOptions& options) {
-        result = configureRegistrationRequestContext(options, requestData.hash);
+        result = configureRegistrationRequestContext(options, requestData.hash, requestData.globalFrameID);
     }, [&](const PublicKeyCredentialRequestOptions& options) {
-        result = configurationAssertionRequestContext(options, requestData.hash, requestData.mediation, requestData.globalFrameID);
+        result = configurationAssertionRequestContext(options, requestData.hash, requestData.mediation, requestData.globalFrameID, requestData.parentOrigin);
     });
     return result;

trunk/Source/WebKit/UIProcess/WebAuthentication/WebAuthenticationRequestData.h

@@ -40 +40 @@
 #include <wtf/WeakPtr.h>
 
+namespace WebCore {
+struct SecurityOriginData;
+}
+
 namespace WebKit {
 
@@ -59 +63 @@
     WeakPtr<API::WebAuthenticationPanel> weakPanel;
     std::optional<WebCore::MediationRequirement> mediation;
+    std::optional<WebCore::SecurityOriginData> parentOrigin;
 };
 

trunk/Source/WebKit/UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.cpp

@@ -59 +59 @@
 void WebAuthenticatorCoordinatorProxy::makeCredential(FrameIdentifier frameId, FrameInfoData&& frameInfo, Vector<uint8_t>&& hash, PublicKeyCredentialCreationOptions&& options, bool processingUserGesture, RequestCompletionHandler&& handler)
 {
-    handleRequest({ WTFMove(hash), WTFMove(options), m_webPageProxy, WebAuthenticationPanelResult::Unavailable, nullptr, GlobalFrameIdentifier { m_webPageProxy.webPageID(), frameId }, WTFMove(frameInfo), processingUserGesture, String(), nullptr, std::nullopt }, WTFMove(handler));
+    handleRequest({ WTFMove(hash), WTFMove(options), m_webPageProxy, WebAuthenticationPanelResult::Unavailable, nullptr, GlobalFrameIdentifier { m_webPageProxy.webPageID(), frameId }, WTFMove(frameInfo), processingUserGesture, String(), nullptr, std::nullopt, std::nullopt }, WTFMove(handler));
 }
 
-void WebAuthenticatorCoordinatorProxy::getAssertion(FrameIdentifier frameId, FrameInfoData&& frameInfo, Vector<uint8_t>&& hash, PublicKeyCredentialRequestOptions&& options, MediationRequirement mediation, bool processingUserGesture, RequestCompletionHandler&& handler)
+void WebAuthenticatorCoordinatorProxy::getAssertion(FrameIdentifier frameId, FrameInfoData&& frameInfo, Vector<uint8_t>&& hash, PublicKeyCredentialRequestOptions&& options, MediationRequirement mediation, std::optional<WebCore::SecurityOriginData> parentOrigin, bool processingUserGesture, RequestCompletionHandler&& handler)
 {
-    handleRequest({ WTFMove(hash), WTFMove(options), m_webPageProxy, WebAuthenticationPanelResult::Unavailable, nullptr, GlobalFrameIdentifier { m_webPageProxy.webPageID(), frameId }, WTFMove(frameInfo), processingUserGesture, String(), nullptr, mediation }, WTFMove(handler));
+    handleRequest({ WTFMove(hash), WTFMove(options), m_webPageProxy, WebAuthenticationPanelResult::Unavailable, nullptr, GlobalFrameIdentifier { m_webPageProxy.webPageID(), frameId }, WTFMove(frameInfo), processingUserGesture, String(), nullptr, mediation, parentOrigin }, WTFMove(handler));
 }
 
@@ -75 +75 @@
         if (result) {
 #if HAVE(UNIFIED_ASC_AUTH_UI)
-                if (!authenticatorManager.isMock() && !authenticatorManager.isVirtual()) {
-                    auto context = contextForRequest(WTFMove(data));
-                    // performRequest calls out to ASCAgent which will then call [_WKWebAuthenticationPanel makeCredential/getAssertionWithChallenge]
-                    // which calls authenticatorManager.handleRequest(..)
-                    performRequest(context, WTFMove(handler));
+            if (!authenticatorManager.isMock() && !authenticatorManager.isVirtual()) {
+                auto context = contextForRequest(WTFMove(data));
+                if (context.get() == nullptr) {
+                    handler({ }, (AuthenticatorAttachment)0, ExceptionData { NotAllowedError, "The origin of the document is not the same as its ancestors."_s });
                     return;
                 }
+                // performRequest calls out to ASCAgent which will then call [_WKWebAuthenticationPanel makeCredential/getAssertionWithChallenge]
+                // which calls authenticatorManager.handleRequest(..)
+                performRequest(context, WTFMove(handler));
+                return;
+            }
+#else
+            if (data.parentOrigin && !authenticatorManager.isMock() && !authenticatorManager.isVirtual()) {
+                handler({ }, (AuthenticatorAttachment)0, ExceptionData { NotAllowedError, "The origin of the document is not the same as its ancestors."_s });
+                return;
+            }
 #endif // HAVE(UNIFIED_ASC_AUTH_UI)
 

trunk/Source/WebKit/UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.h

@@ -72 +72 @@
     // Receivers.
     void makeCredential(WebCore::FrameIdentifier, FrameInfoData&&, Vector<uint8_t>&& hash, WebCore::PublicKeyCredentialCreationOptions&&, bool processingUserGesture, RequestCompletionHandler&&);
-    void getAssertion(WebCore::FrameIdentifier, FrameInfoData&&, Vector<uint8_t>&& hash, WebCore::PublicKeyCredentialRequestOptions&&, WebCore::CredentialRequestOptions::MediationRequirement, bool processingUserGesture, RequestCompletionHandler&&);
+    void getAssertion(WebCore::FrameIdentifier, FrameInfoData&&, Vector<uint8_t>&& hash, WebCore::PublicKeyCredentialRequestOptions&&, WebCore::CredentialRequestOptions::MediationRequirement, std::optional<WebCore::SecurityOriginData>, bool processingUserGesture, RequestCompletionHandler&&);
     void isUserVerifyingPlatformAuthenticatorAvailable(QueryCompletionHandler&&);
     void isConditionalMediationAvailable(QueryCompletionHandler&&);

trunk/Source/WebKit/UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.messages.in

@@ -28 +28 @@
 
     MakeCredential(WebCore::FrameIdentifier frameID, struct WebKit::FrameInfoData frameInfo, Vector<uint8_t> hash, struct WebCore::PublicKeyCredentialCreationOptions options, bool processingUserGesture) -> (struct WebCore::AuthenticatorResponseData data, enum:int WebCore::AuthenticatorAttachment attachment, struct WebCore::ExceptionData exception)
-    GetAssertion(WebCore::FrameIdentifier frameID, struct WebKit::FrameInfoData frameInfo, Vector<uint8_t> hash, struct WebCore::PublicKeyCredentialRequestOptions options, enum:uint8_t WebCore::CredentialRequestOptions::MediationRequirement mediation, bool processingUserGesture) -> (struct WebCore::AuthenticatorResponseData data, enum:int WebCore::AuthenticatorAttachment attachment, struct WebCore::ExceptionData exception)
+    GetAssertion(WebCore::FrameIdentifier frameID, struct WebKit::FrameInfoData frameInfo, Vector<uint8_t> hash, struct WebCore::PublicKeyCredentialRequestOptions options, enum:uint8_t WebCore::CredentialRequestOptions::MediationRequirement mediation, std::optional<WebCore::SecurityOriginData> parentOrigin, bool processingUserGesture) -> (struct WebCore::AuthenticatorResponseData data, enum:int WebCore::AuthenticatorAttachment attachment, struct WebCore::ExceptionData exception)
     isConditionalMediationAvailable() -> (bool result)
     IsUserVerifyingPlatformAuthenticatorAvailable() -> (bool result)

trunk/Source/WebKit/WebAuthnProcess/WebAuthnConnectionToWebProcess.cpp

@@ -97 +97 @@
 void WebAuthnConnectionToWebProcess::makeCredential(Vector<uint8_t>&& hash, PublicKeyCredentialCreationOptions&& options, bool processingUserGesture, RequestCompletionHandler&& handler)
 {
-    handleRequest({ WTFMove(hash), WTFMove(options), nullptr, WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, processingUserGesture, String(), nullptr, std::nullopt }, WTFMove(handler));
+    handleRequest({ WTFMove(hash), WTFMove(options), nullptr, WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, processingUserGesture, String(), nullptr, std::nullopt, std::nullopt }, WTFMove(handler));
 }
 
 void WebAuthnConnectionToWebProcess::getAssertion(Vector<uint8_t>&& hash, PublicKeyCredentialRequestOptions&& options, bool processingUserGesture, RequestCompletionHandler&& handler)
 {
-    handleRequest({ WTFMove(hash), WTFMove(options), nullptr, WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, processingUserGesture, String(), nullptr, std::nullopt }, WTFMove(handler));
+    handleRequest({ WTFMove(hash), WTFMove(options), nullptr, WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, processingUserGesture, String(), nullptr, std::nullopt, std::nullopt }, WTFMove(handler));
 }
 

trunk/Source/WebKit/WebProcess/WebAuthentication/WebAuthenticatorCoordinator.cpp

@@ -47 +47 @@
 #include <WebCore/SecurityOrigin.h>
 #include <WebCore/UserGestureIndicator.h>
+#include <WebCore/WebAuthenticationConstants.h>
 
 #undef WEBAUTHN_RELEASE_LOG
@@ -94 +95 @@
 }
 
-void WebAuthenticatorCoordinator::getAssertion(const Frame& frame, const SecurityOrigin&, const Vector<uint8_t>& hash, const PublicKeyCredentialRequestOptions& options, MediationRequirement mediation, RequestCompletionHandler&& handler)
+void WebAuthenticatorCoordinator::getAssertion(const Frame& frame, const SecurityOrigin&, const Vector<uint8_t>& hash, const PublicKeyCredentialRequestOptions& options, MediationRequirement mediation, const ScopeAndCrossOriginParent& scopeAndCrossOriginParent, RequestCompletionHandler&& handler)
 {
     auto* webFrame = WebFrame::fromCoreFrame(frame);
@@ -107 +108 @@
 #endif
     if (!useWebAuthnProcess) {
-        m_webPage.sendWithAsyncReply(Messages::WebAuthenticatorCoordinatorProxy::GetAssertion(webFrame->frameID(), webFrame->info(), hash, options, mediation, isProcessingUserGesture), WTFMove(handler));
+        m_webPage.sendWithAsyncReply(Messages::WebAuthenticatorCoordinatorProxy::GetAssertion(webFrame->frameID(), webFrame->info(), hash, options, mediation, scopeAndCrossOriginParent.second, isProcessingUserGesture), WTFMove(handler));
+        return;
+    }
+    if (scopeAndCrossOriginParent.first == WebAuthn::Scope::CrossOrigin) {
+        handler({ }, (AuthenticatorAttachment)0, ExceptionData { NotAllowedError, "The origin of the document is not the same as its ancestors."_s });
         return;
     }

trunk/Source/WebKit/WebProcess/WebAuthentication/WebAuthenticatorCoordinator.h

@@ -42 +42 @@
     // WebCore::AuthenticatorCoordinatorClient
     void makeCredential(const WebCore::Frame&, const WebCore::SecurityOrigin&, const Vector<uint8_t>&, const WebCore::PublicKeyCredentialCreationOptions&, WebCore::RequestCompletionHandler&&) final;
-    void getAssertion(const WebCore::Frame&, const WebCore::SecurityOrigin&, const Vector<uint8_t>& hash, const WebCore::PublicKeyCredentialRequestOptions&, WebCore::MediationRequirement, WebCore::RequestCompletionHandler&&) final;
+    void getAssertion(const WebCore::Frame&, const WebCore::SecurityOrigin&, const Vector<uint8_t>& hash, const WebCore::PublicKeyCredentialRequestOptions&, WebCore::MediationRequirement, const std::pair<WebAuthn::Scope, std::optional<WebCore::SecurityOriginData>>&, WebCore::RequestCompletionHandler&&) final;
     void isConditionalMediationAvailable(WebCore::QueryCompletionHandler&&) final;
     void isUserVerifyingPlatformAuthenticatorAvailable(WebCore::QueryCompletionHandler&&) final;