Changeset 287116 in webkit

Timestamp:

Dec 15, 2021, 4:52:57 PM (4 years ago)

Author:

J Pascoe

Message:

[WebAuthn] Allow same-site, cross-origin iframe get()
​https://bugs.webkit.org/show_bug.cgi?id=234309
rdar://problem/86486313

Reviewed by Brent Fulgham.

Source/WebCore:

The Web Authentication level 2 specifies a feature policy to allow get calls in
cross-origin i-frames. This patch implements this feature policy partially. Only
same-site, cross-origin i-frames are supported instead. This is for tracking prevention
purposes. ​https://w3c.github.io/webauthn/#sctn-iframe-guidance

This patch also starts passing ClientDataJSON hashes to ASC to avoid the situation
where WebKit includes crossOrigin or other fields in ClientDataJSON that ASC is
unaware of when generating ClientDataJSON.

Added layout test cases for same-site, cross-origin get calls.

• Modules/webauthn/AuthenticatorCoordinator.cpp:

(WebCore::AuthenticatorCoordinator::create const):
(WebCore::doesHaveSameSiteAsAncestors):
(WebCore::AuthenticatorCoordinator::discoverFromExternalSource const):

• Modules/webauthn/WebAuthenticationUtils.cpp:

(WebCore::buildClientDataJson):

• Modules/webauthn/WebAuthenticationUtils.h:
• html/FeaturePolicy.cpp:

(WebCore::policyTypeName):
(WebCore::FeaturePolicy::parse):
(WebCore::FeaturePolicy::allows const):

• html/FeaturePolicy.h:

Source/WebKit:

The Web Authentication level 2 specifies a feature policy to allow get calls in
cross-origin i-frames. This patch implements this feature policy partially. Only
same-site, cross-origin i-frames are supported instead. This is for tracking prevention
purposes. ​https://w3c.github.io/webauthn/#sctn-iframe-guidance

This patch also starts passing ClientDataJSON hashes to ASC to avoid the situation
where WebKit includes crossOrigin or other fields in ClientDataJSON that ASC is
unaware of when generating ClientDataJSON.

Added layout test cases for same-site, cross-origin get calls.

• Platform/spi/Cocoa/AuthenticationServicesCoreSPI.h:
• UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm:

(produceClientDataJson):

• UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm:

(WebKit::configureRegistrationRequestContext):
(WebKit::configurationAssertionRequestContext):
(WebKit::WebAuthenticatorCoordinatorProxy::contextForRequest):

LayoutTests:

Add layout test for WebAuthn get assertions on cross-site, same-sites i-frames with
publickey-credentials-get feature policy.

• http/wpt/webauthn/public-key-credential-same-origin-with-ancestors.https-expected.txt:
• http/wpt/webauthn/public-key-credential-same-origin-with-ancestors.https.html:
• http/wpt/webauthn/resources/util.js:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/public-key-credential-same-origin-with-ancestors.https-expected.txt (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/public-key-credential-same-origin-with-ancestors.https.html (modified) (1 diff)
• LayoutTests/http/wpt/webauthn/resources/samesite-iframe.html (added)
• LayoutTests/http/wpt/webauthn/resources/util.js (modified) (2 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/Modules/credentialmanagement/CredentialsContainer.cpp (modified) (4 diffs)
• Source/WebCore/Modules/credentialmanagement/CredentialsContainer.h (modified) (2 diffs)
• Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp (modified) (7 diffs)
• Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.h (modified) (2 diffs)
• Source/WebCore/Modules/webauthn/WebAuthenticationConstants.h (modified) (1 diff)
• Source/WebCore/Modules/webauthn/WebAuthenticationUtils.cpp (modified) (2 diffs)
• Source/WebCore/Modules/webauthn/WebAuthenticationUtils.h (modified) (1 diff)
• Source/WebCore/html/FeaturePolicy.cpp (modified) (5 diffs)
• Source/WebCore/html/FeaturePolicy.h (modified) (2 diffs)
• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/Platform/spi/Cocoa/AuthenticationServicesCoreSPI.h (modified) (5 diffs)
• Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm (modified) (1 diff)
• Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm (modified) (6 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2021-12-15  J Pascoe  <j_pascoe@apple.com>
+
+        [WebAuthn] Allow same-site, cross-origin iframe get()
+        https://bugs.webkit.org/show_bug.cgi?id=234309
+        rdar://problem/86486313
+
+        Reviewed by Brent Fulgham.
+
+        Add layout test for WebAuthn get assertions on cross-site, same-sites i-frames with
+        publickey-credentials-get feature policy.
+
+        * http/wpt/webauthn/public-key-credential-same-origin-with-ancestors.https-expected.txt:
+        * http/wpt/webauthn/public-key-credential-same-origin-with-ancestors.https.html:
+        * http/wpt/webauthn/resources/util.js:
+
 2021-12-15  Ryan Haddad  <ryanhaddad@apple.com>
 

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-same-origin-with-ancestors.https-expected.txt

@@ -3 +3 @@
 PASS Tests that a frame that doesn't share the same origin with all its ancestors could not access the API.
 PASS Tests that a frame that doesn't share the same origin with all its ancestors could not access the API. 2
+PASS Tests that a frame that is same-site, cross-origin without publickey-credentials-get feature policy cannot use get().
+PASS Tests that a frame that is same-site, cross-origin with publickey-credentials-get feature policy can use get().
+PASS Tests that a frame that is cross-origin, NOT same-site  with publickey-credentials-get feature policy cannot use get().
 

trunk/LayoutTests/http/wpt/webauthn/public-key-credential-same-origin-with-ancestors.https.html

@@ -23 +23 @@
             });
         }, "Tests that a frame that doesn't share the same origin with all its ancestors could not access the API. 2");
+
+        promise_test(t => {
+            return withSameSiteIframe("samesite-iframe.html").then((message) => {
+                assert_equals(message.data, "Throw NotAllowedError: The origin of the document is not the same as its ancestors.");
+            });
+        }, "Tests that a frame that is same-site, cross-origin without publickey-credentials-get feature policy cannot use get().");
+
+        promise_test(t => {
+            return withSameSiteIframe("samesite-iframe.html", "publickey-credentials-get").then((message) => {
+                assert_equals(message.data, "PASS!");
+            });
+        }, "Tests that a frame that is same-site, cross-origin with publickey-credentials-get feature policy can use get().");
+
+        promise_test(t => {
+            return withCrossOriginIframe("samesite-iframe.html", "publickey-credentials-get").then((message) => {
+                assert_equals(message.data, "Throw NotAllowedError: The origin of the document is not the same as its ancestors.");
+            });
+        }, "Tests that a frame that is cross-origin, NOT same-site  with publickey-credentials-get feature policy cannot use get().");
     </script>
 </body>

trunk/LayoutTests/http/wpt/webauthn/resources/util.js

@@ -305 +305 @@
 }
 
-function withCrossOriginIframe(resourceFile)
+function withCrossOriginIframe(resourceFile, allow = "")
 {
     return new Promise((resolve) => {
@@ -312 +312 @@
         });
         const frame = document.createElement("iframe");
+        frame.allow = allow;
         frame.src = get_host_info().HTTPS_REMOTE_ORIGIN + RESOURCES_DIR + resourceFile;
         document.body.appendChild(frame);
+    });
+}
+
+function withSameSiteIframe(resourceFile, allow = "")
+{
+    return new Promise((resolve) => {
+        waitForLoad().then((message) => {
+            resolve(message);
+       });
+       const frame = document.createElement("iframe");
+       const host = get_host_info();
+       frame.allow = allow;
+       frame.src = "https://" + host.ORIGINAL_HOST + ":" + host.HTTPS_PORT2 + RESOURCES_DIR + resourceFile;
+       document.body.appendChild(frame);
     });
 }

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2021-12-15  J Pascoe  <j_pascoe@apple.com>
+
+        [WebAuthn] Allow same-site, cross-origin iframe get()
+        https://bugs.webkit.org/show_bug.cgi?id=234309
+        rdar://problem/86486313
+
+        Reviewed by Brent Fulgham.
+
+        The Web Authentication level 2 specifies a feature policy to allow get calls in
+        cross-origin i-frames. This patch implements this feature policy partially. Only
+        same-site, cross-origin i-frames are supported instead. This is for tracking prevention
+        purposes. https://w3c.github.io/webauthn/#sctn-iframe-guidance
+
+        This patch also starts passing ClientDataJSON hashes to ASC to avoid the situation
+        where WebKit includes crossOrigin or other fields in ClientDataJSON that ASC is
+        unaware of when generating ClientDataJSON.
+
+        Added layout test cases for same-site, cross-origin get calls.
+
+        * Modules/webauthn/AuthenticatorCoordinator.cpp:
+        (WebCore::AuthenticatorCoordinator::create const):
+        (WebCore::doesHaveSameSiteAsAncestors):
+        (WebCore::AuthenticatorCoordinator::discoverFromExternalSource const):
+        * Modules/webauthn/WebAuthenticationUtils.cpp:
+        (WebCore::buildClientDataJson):
+        * Modules/webauthn/WebAuthenticationUtils.h:
+        * html/FeaturePolicy.cpp:
+        (WebCore::policyTypeName):
+        (WebCore::FeaturePolicy::parse):
+        (WebCore::FeaturePolicy::allows const):
+        * html/FeaturePolicy.h:
+
 2021-12-15  Brent Fulgham  <bfulgham@apple.com>
 

trunk/Source/WebCore/Modules/credentialmanagement/CredentialsContainer.cpp

@@ -38 +38 @@
 #include "Page.h"
 #include "SecurityOrigin.h"
+#include "WebAuthenticationConstants.h"
 
 namespace WebCore {
@@ -46 +47 @@
 }
 
-bool CredentialsContainer::doesHaveSameOriginAsItsAncestors()
+WebAuthn::Scope CredentialsContainer::scope()
 {
-    // The following implements https://w3c.github.io/webappsec-credential-management/#same-origin-with-its-ancestors
-    // as of 14 November 2017.
     if (!m_document)
-        return false;
+        return WebAuthn::Scope::CrossOrigin;
 
+    bool isSameOrigin = true;
+    bool isSameSite = true;
     auto& origin = m_document->securityOrigin();
+    auto& url = m_document->url();
     for (auto* document = m_document->parentDocument(); document; document = document->parentDocument()) {
+        if (!origin.isSameOriginDomain(document->securityOrigin()) && !areRegistrableDomainsEqual(url, document->url()))
+            isSameSite = false;
         if (!origin.isSameOriginAs(document->securityOrigin()))
-            return false;
+            isSameOrigin = false;
     }
-    return true;
+
+    if (isSameOrigin)
+        return WebAuthn::Scope::SameOrigin;
+    if (isSameSite)
+        return WebAuthn::Scope::SameSite;
+    return WebAuthn::Scope::CrossOrigin;
 }
 
@@ -90 +99 @@
     }
 
-    m_document->page()->authenticatorCoordinator().discoverFromExternalSource(*m_document, options.publicKey.value(), doesHaveSameOriginAsItsAncestors(), WTFMove(options.signal), WTFMove(promise));
+    m_document->page()->authenticatorCoordinator().discoverFromExternalSource(*m_document, options.publicKey.value(), scope(), WTFMove(options.signal), WTFMove(promise));
 }
 
@@ -125 +134 @@
     }
 
-    m_document->page()->authenticatorCoordinator().create(*m_document, options.publicKey.value(), doesHaveSameOriginAsItsAncestors(), WTFMove(options.signal), WTFMove(promise));
+    m_document->page()->authenticatorCoordinator().create(*m_document, options.publicKey.value(), scope(), WTFMove(options.signal), WTFMove(promise));
 }
 

trunk/Source/WebCore/Modules/credentialmanagement/CredentialsContainer.h

@@ -33 +33 @@
 #include <wtf/WeakPtr.h>
 
+namespace WebAuthn {
+enum class Scope;
+}
+
 namespace WebCore {
 
@@ -55 +59 @@
     CredentialsContainer(WeakPtr<Document>&&);
 
-    bool doesHaveSameOriginAsItsAncestors();
+    WebAuthn::Scope scope();
 
     WeakPtr<Document> m_document;

trunk/Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp

@@ -35 +35 @@
 #include "AuthenticatorResponseData.h"
 #include "Document.h"
+#include "FeaturePolicy.h"
 #include "JSBasicCredential.h"
 #include "JSDOMPromiseDeferred.h"
@@ -105 +106 @@
 }
 
-void AuthenticatorCoordinator::create(const Document& document, const PublicKeyCredentialCreationOptions& options, bool sameOriginWithAncestors, RefPtr<AbortSignal>&& abortSignal, CredentialPromise&& promise) const
+void AuthenticatorCoordinator::create(const Document& document, const PublicKeyCredentialCreationOptions& options, WebAuthn::Scope scope, RefPtr<AbortSignal>&& abortSignal, CredentialPromise&& promise) const
 {
     using namespace AuthenticatorCoordinatorInternal;
@@ -115 +116 @@
     // Step 1, 3, 16 are handled by the caller.
     // Step 2.
-    if (!sameOriginWithAncestors) {
+    if (scope != WebAuthn::Scope::SameOrigin) {
         promise.reject(Exception { NotAllowedError, "The origin of the document is not the same as its ancestors."_s });
         return;
@@ -149 +150 @@
 
     // Step 13-15.
-    auto clientDataJson = buildClientDataJson(ClientDataType::Create, options.challenge, callerOrigin);
+    auto clientDataJson = buildClientDataJson(ClientDataType::Create, options.challenge, callerOrigin, scope);
     auto clientDataJsonHash = buildClientDataJsonHash(clientDataJson);
 
@@ -176 +177 @@
 }
 
-void AuthenticatorCoordinator::discoverFromExternalSource(const Document& document, const PublicKeyCredentialRequestOptions& options, bool sameOriginWithAncestors, RefPtr<AbortSignal>&& abortSignal, CredentialPromise&& promise) const
+void AuthenticatorCoordinator::discoverFromExternalSource(const Document& document, const PublicKeyCredentialRequestOptions& options, WebAuthn::Scope scope, RefPtr<AbortSignal>&& abortSignal, CredentialPromise&& promise) const
 {
     using namespace AuthenticatorCoordinatorInternal;
@@ -186 +187 @@
     // Step 1, 3, 13 are handled by the caller.
     // Step 2.
-    if (!sameOriginWithAncestors) {
+    // This implements https://www.w3.org/TR/webauthn-2/#sctn-permissions-policy except only same-site, cross-origin is permitted.
+    if (scope != WebAuthn::Scope::SameOrigin && !(scope == WebAuthn::Scope::SameSite && isFeaturePolicyAllowedByDocumentAndAllOwners(FeaturePolicy::Type::PublickeyCredentialsGetRule, document, LogFeaturePolicyFailure::No))) {
         promise.reject(Exception { NotAllowedError, "The origin of the document is not the same as its ancestors."_s });
         return;
@@ -220 +222 @@
 
     // Step 10-12.
-    auto clientDataJson = buildClientDataJson(ClientDataType::Get, options.challenge, callerOrigin);
+    auto clientDataJson = buildClientDataJson(ClientDataType::Get, options.challenge, callerOrigin, scope);
     auto clientDataJsonHash = buildClientDataJsonHash(clientDataJson);
 

trunk/Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.h

@@ -32 +32 @@
 #include <wtf/Noncopyable.h>
 
+namespace WebAuthn {
+enum class Scope;
+}
+
 namespace WebCore {
 
@@ -54 +58 @@
 
     // The following methods implement static methods of PublicKeyCredential.
-    void create(const Document&, const PublicKeyCredentialCreationOptions&, bool sameOriginWithAncestors, RefPtr<AbortSignal>&&, CredentialPromise&&) const;
-    void discoverFromExternalSource(const Document&, const PublicKeyCredentialRequestOptions&, bool sameOriginWithAncestors, RefPtr<AbortSignal>&&, CredentialPromise&&) const;
+    void create(const Document&, const PublicKeyCredentialCreationOptions&, WebAuthn::Scope, RefPtr<AbortSignal>&&, CredentialPromise&&) const;
+    void discoverFromExternalSource(const Document&, const PublicKeyCredentialRequestOptions&, WebAuthn::Scope, RefPtr<AbortSignal>&&, CredentialPromise&&) const;
     void isUserVerifyingPlatformAuthenticatorAvailable(DOMPromiseDeferred<IDLBoolean>&&) const;
 

trunk/Source/WebCore/Modules/webauthn/WebAuthenticationConstants.h

@@ -81 +81 @@
 
 } // namespace WebCore
+
+namespace WebAuthn {
+
+enum class Scope {
+    CrossOrigin,
+    SameOrigin,
+    SameSite
+};
+
+} // namespace WebAuthn

trunk/Source/WebCore/Modules/webauthn/WebAuthenticationUtils.cpp

@@ -135 +135 @@
 
 // FIXME(181948): Add token binding ID.
-Ref<ArrayBuffer> buildClientDataJson(ClientDataType type, const BufferSource& challenge, const SecurityOrigin& origin)
+Ref<ArrayBuffer> buildClientDataJson(ClientDataType type, const BufferSource& challenge, const SecurityOrigin& origin, WebAuthn::Scope scope)
 {
     auto object = JSON::Object::create();
@@ -148 +148 @@
     object->setString("challenge"_s, base64URLEncodeToString(challenge.data(), challenge.length()));
     object->setString("origin"_s, origin.toRawString());
+    if (scope != WebAuthn::Scope::SameOrigin)
+        object->setBoolean("crossOrigin"_s, scope != WebAuthn::Scope::SameOrigin);
 
     auto utf8JSONString = object->toJSONString().utf8();

trunk/Source/WebCore/Modules/webauthn/WebAuthenticationUtils.h

@@ -53 +53 @@
 WEBCORE_EXPORT Vector<uint8_t> buildAttestationObject(Vector<uint8_t>&& authData, String&& format, cbor::CBORValue::MapValue&& statementMap, const AttestationConveyancePreference&);
 
-WEBCORE_EXPORT Ref<ArrayBuffer> buildClientDataJson(ClientDataType /*type*/, const BufferSource& challenge, const SecurityOrigin& /*origin*/);
+WEBCORE_EXPORT Ref<ArrayBuffer> buildClientDataJson(ClientDataType /*type*/, const BufferSource& challenge, const SecurityOrigin& /*origin*/, WebAuthn::Scope);
 
 WEBCORE_EXPORT Vector<uint8_t> buildClientDataJsonHash(const ArrayBuffer& clientDataJson);

trunk/Source/WebCore/html/FeaturePolicy.cpp

@@ -68 +68 @@
         return "Magnetometer";
 #endif
+#if ENABLE(WEB_AUTHN)
+    case FeaturePolicy::Type::PublickeyCredentialsGetRule:
+        return "PublickeyCredentialsGet";
+#endif
 #if ENABLE(WEBXR)
     case FeaturePolicy::Type::XRSpatialTracking:
@@ -185 +189 @@
     bool isMagnetometerInitialized = false;
 #endif
+#if ENABLE(WEB_AUTHN)
+    bool isPublickeyCredentialsGetInitialized = false;
+#endif
 #if ENABLE(WEBXR)
     bool isXRSpatialTrackingInitialized = false;
@@ -249 +256 @@
             isMagnetometerInitialized = true;
             updateList(document, policy.m_magnetometerRule, item.substring(13));
+            continue;
+        }
+#endif
+#if ENABLE(WEB_AUTHN)
+        if (item.startsWith("publickey-credentials-get")) {
+            isPublickeyCredentialsGetInitialized = true;
+            updateList(document, policy.m_publickeyCredentialsGetRule, item.substring(26));
             continue;
         }
@@ -283 +297 @@
     if (!isMagnetometerInitialized)
         policy.m_magnetometerRule.allowedList.add(document.securityOrigin().data());
+#endif
+#if ENABLE(WEB_AUTHN)
+    if (!isPublickeyCredentialsGetInitialized)
+        policy.m_publickeyCredentialsGetRule.allowedList.add(document.securityOrigin().data());
 #endif
 #if ENABLE(WEBXR)
@@ -339 +357 @@
         return isAllowedByFeaturePolicy(m_magnetometerRule, origin);
 #endif
+#if ENABLE(WEB_AUTHN)
+    case Type::PublickeyCredentialsGetRule:
+        return isAllowedByFeaturePolicy(m_publickeyCredentialsGetRule, origin);
+#endif
 #if ENABLE(WEBXR)
     case Type::XRSpatialTracking:

trunk/Source/WebCore/html/FeaturePolicy.h

@@ -54 +54 @@
         Magnetometer,
 #endif
+#if ENABLE(WEB_AUTHN)
+        PublickeyCredentialsGetRule,
+#endif
 #if ENABLE(WEBXR)
         XRSpatialTracking,
@@ -82 +85 @@
     AllowRule m_magnetometerRule;
 #endif
+#if ENABLE(WEB_AUTHN)
+    AllowRule m_publickeyCredentialsGetRule;
+#endif
 #if ENABLE(WEBXR)
     AllowRule m_xrSpatialTrackingRule;

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2021-12-15  J Pascoe  <j_pascoe@apple.com>
+
+        [WebAuthn] Allow same-site, cross-origin iframe get()
+        https://bugs.webkit.org/show_bug.cgi?id=234309
+        rdar://problem/86486313
+
+        Reviewed by Brent Fulgham.
+
+        The Web Authentication level 2 specifies a feature policy to allow get calls in
+        cross-origin i-frames. This patch implements this feature policy partially. Only
+        same-site, cross-origin i-frames are supported instead. This is for tracking prevention
+        purposes. https://w3c.github.io/webauthn/#sctn-iframe-guidance
+
+        This patch also starts passing ClientDataJSON hashes to ASC to avoid the situation
+        where WebKit includes crossOrigin or other fields in ClientDataJSON that ASC is
+        unaware of when generating ClientDataJSON.
+
+        Added layout test cases for same-site, cross-origin get calls.
+
+        * Platform/spi/Cocoa/AuthenticationServicesCoreSPI.h:
+        * UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm:
+        (produceClientDataJson):
+        * UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm:
+        (WebKit::configureRegistrationRequestContext):
+        (WebKit::configurationAssertionRequestContext):
+        (WebKit::WebAuthenticatorCoordinatorProxy::contextForRequest):
+
 2021-12-15  Alex Christensen  <achristensen@webkit.org>
 

trunk/Source/WebKit/Platform/spi/Cocoa/AuthenticationServicesCoreSPI.h

@@ -26 +26 @@
 #pragma once
 
-#if HAVE(UNIFIED_ASC_AUTH_UI)
-#import <AuthenticationServicesCore/AuthenticationServicesCore.h>
-#import <AuthenticationServicesCore/AuthenticationServicesCorePrivate.h>
-#elif HAVE(ASC_AUTH_UI)
+#if HAVE(ASC_AUTH_UI) || HAVE(UNIFIED_ASC_AUTH_UI)
 
 NS_ASSUME_NONNULL_BEGIN
@@ -72 +69 @@
 @end
 
+@interface ASCAuthorizationRemotePresenter : NSObject
+
+#if TARGET_OS_OSX
+- (void)presentWithWindow:(NSWindow *)window daemonEndpoint:(NSXPCListenerEndpoint *)daemonEndpoint completionHandler:(void (^)(id <ASCCredentialProtocol>, NSError *))completionHandler;
+#endif
+
+@end
+
 @class ASCCredentialRequestContext;
 
@@ -106 +111 @@
 };
 
+@class ASCPublicKeyCredentialDescriptor;
+
+@interface ASCPublicKeyCredentialDescriptor : NSObject <NSSecureCoding>
+
+- (instancetype)initWithCredentialID:(NSData *)credentialID transports:(nullable NSArray<NSString *> *)allowedTransports;
+
+@property (nonatomic, readonly) NSData *credentialID;
+@property (nonatomic, nullable, readonly) NSArray<NSString *> *transports;
+
+@end
+
+@class ASCPublicKeyCredentialDescriptor;
+
+typedef NS_ENUM(NSUInteger, ASCPublicKeyCredentialKind) {
+    ASCPublicKeyCredentialKindPlatform = 1,
+    ASCPublicKeyCredentialKindSecurityKey,
+};
+
+@interface ASCPublicKeyCredentialAssertionOptions : NSObject <NSSecureCoding>
+
+- (instancetype)initWithKind:(ASCPublicKeyCredentialKind)credentialKind relyingPartyIdentifier:(NSString *)relyingPartyIdentifier challenge:(NSData *)challenge userVerificationPreference:(nullable NSString *)userVerificationPreference allowedCredentials:(nullable NSArray<ASCPublicKeyCredentialDescriptor *> *)allowedCredentials;
+
+- (instancetype)initWithKind:(ASCPublicKeyCredentialKind)credentialKind relyingPartyIdentifier:(NSString *)relyingPartyIdentifier clientDataHash:(NSData *)clientDataHash userVerificationPreference:(nullable NSString *)userVerificationPreference allowedCredentials:(nullable NSArray<ASCPublicKeyCredentialDescriptor *> *)allowedCredentials;
+
+@property (nonatomic, readonly) ASCPublicKeyCredentialKind credentialKind;
+@property (nonatomic, copy, readonly) NSString *relyingPartyIdentifier;
+@property (nonatomic, nullable, copy, readonly) NSData *challenge;
+// If clientDataHash is null, then gets generated from challenge and relyingPartyIdentifier.
+@property (nonatomic, nullable, copy) NSData *clientDataHash;
+@property (nonatomic, nullable, readonly, copy) NSString *userVerificationPreference;
+
+@property (nonatomic, nullable, readonly, copy) NSArray<ASCPublicKeyCredentialDescriptor *> *allowedCredentials;
+
+@end
+
+
+typedef NS_OPTIONS(NSUInteger, ASCCredentialRequestTypes) {
+    ASCCredentialRequestTypeNone = 0,
+    ASCCredentialRequestTypePassword = 1 << 0,
+    ASCCredentialRequestTypeAppleID = 1 << 1,
+    ASCCredentialRequestTypePlatformPublicKeyRegistration = 1 << 2,
+    ASCCredentialRequestTypePlatformPublicKeyAssertion = 1 << 3,
+    ASCCredentialRequestTypeSecurityKeyPublicKeyRegistration = 1 << 4,
+    ASCCredentialRequestTypeSecurityKeyPublicKeyAssertion = 1 << 5,
+};
+
 @interface ASCPublicKeyCredentialCreationOptions : NSObject <NSSecureCoding>
 
-@property (nonatomic, copy) NSData *challenge;
+@property (nonatomic, nullable, copy) NSData *challenge;
+@property (nonatomic, nullable, copy) NSData *clientDataHash;
 @property (nonatomic, copy) NSString *relyingPartyIdentifier;
 @property (nonatomic, copy) NSString *userName;
@@ -114 +166 @@
 @property (nonatomic, copy) NSString *userDisplayName;
 @property (nonatomic, copy) NSArray<NSNumber *> *supportedAlgorithmIdentifiers;
+@property (nonatomic, nullable, copy) NSString *userVerificationPreference;
 
 @property (nonatomic) BOOL shouldRequireResidentKey;
+@property (nonatomic, copy) NSArray<ASCPublicKeyCredentialDescriptor *> *excludedCredentials;
 
 @end
@@ -150 +204 @@
 @end
 
+@interface ASCCredentialRequestContext : NSObject <NSSecureCoding>
+
+- (instancetype)init NS_UNAVAILABLE;
++ (instancetype)new NS_UNAVAILABLE;
+
+- (instancetype)initWithRequestTypes:(ASCCredentialRequestTypes)requestTypes;
+
+@property (nonatomic, readonly) NSUInteger requestTypes;
+@property (nonatomic, nullable, copy) NSString *relyingPartyIdentifier;
+
+@property (nonatomic, nullable, copy) ASCPublicKeyCredentialCreationOptions *platformKeyCredentialCreationOptions;
+@property (nonatomic, nullable, copy) ASCPublicKeyCredentialCreationOptions *securityKeyCredentialCreationOptions;
+
+@property (nonatomic, nullable, copy) ASCPublicKeyCredentialAssertionOptions *platformKeyCredentialAssertionOptions;
+@property (nonatomic, nullable, copy) ASCPublicKeyCredentialAssertionOptions *securityKeyCredentialAssertionOptions;
+
+@end
+
 @protocol ASCCredentialProtocol <NSObject, NSSecureCoding>
+
+@end
+
+@class _WKAuthenticatorAttestationResponse;
+
+@interface ASCPlatformPublicKeyCredentialRegistration : NSObject <ASCCredentialProtocol>
+
+- (instancetype)initWithRelyingPartyIdentifier:(NSString *)relyingPartyIdentifier attestationObject:(NSData *)attestationObject rawClientDataJSON:(NSData *)rawClientDataJSON credentialID:(NSData *)credentialID;
+
+- (instancetype)initWithRelyingPartyIdentifier:(NSString *)relyingPartyIdentifier authenticatorAttestationResponse:(_WKAuthenticatorAttestationResponse *)attestationResponse rawClientDataJSON:(NSData *)rawClientDataJSON;
+
+@property (nonatomic, copy, readonly) NSData *credentialID;
+@property (nonatomic, copy, readonly) NSString *relyingPartyIdentifier;
+@property (nonatomic, copy, readonly) NSData *attestationObject;
+@property (nonatomic, copy, readonly) NSData *rawClientDataJSON;
+
++ (instancetype)new NS_UNAVAILABLE;
+- (instancetype)init NS_UNAVAILABLE;
+
+@end
+
+@interface ASCSecurityKeyPublicKeyCredentialRegistration : NSObject <ASCCredentialProtocol>
+
+- (instancetype)initWithRelyingPartyIdentifier:(NSString *)relyingPartyIdentifier authenticatorAttestationResponse:(_WKAuthenticatorAttestationResponse *)attestationResponse;
+
+@property (nonatomic, copy, readonly) NSData *credentialID;
+@property (nonatomic, copy, readonly) NSData *rawClientDataJSON;
+@property (nonatomic, copy, readonly) NSString *relyingPartyIdentifier;
+@property (nonatomic, copy, readonly) NSData *attestationObject;
+
+@end
+
+@class _WKAuthenticatorAssertionResponse;
+
+@interface ASCPlatformPublicKeyCredentialAssertion : NSObject <ASCCredentialProtocol>
+
+- (instancetype)initWithRelyingPartyIdentifier:(NSString *)relyingPartyIdentifier authenticatorAssertionResponse:(_WKAuthenticatorAssertionResponse *)assertionResponse;
+
+@property (nonatomic, copy, readonly) NSData *credentialID;
+@property (nonatomic, copy, readonly) NSData *rawClientDataJSON;
+@property (nonatomic, copy, readonly) NSString *relyingPartyIdentifier;
+@property (nonatomic, copy, readonly) NSData *authenticatorData;
+@property (nonatomic, copy, readonly) NSData *signature;
+@property (nonatomic, copy, readonly, nullable) NSData *userHandle;
+
+@end
+
+@interface ASCSecurityKeyPublicKeyCredentialAssertion : NSObject <ASCCredentialProtocol>
+
+- (instancetype)initWithRelyingPartyIdentifier:(NSString *)relyingPartyIdentifier authenticatorAssertionResponse:(_WKAuthenticatorAssertionResponse *)assertionResponse;
+
+@property (nonatomic, copy, readonly) NSData *credentialID;
+@property (nonatomic, copy, readonly) NSString *relyingPartyIdentifier;
+@property (nonatomic, copy, readonly) NSData *authenticatorData;
+@property (nonatomic, copy, readonly) NSData *signature;
+@property (nonatomic, copy, readonly, nullable) NSData *userHandle;
+@property (nonatomic, copy, readonly) NSData *rawClientDataJSON;
+
+@end
+
+@protocol ASCAgentProtocol <NSObject>
+
+#if TARGET_OS_IOS && !TARGET_OS_MACCATALYST
+- (void)performAuthorizationRequestsForContext:(ASCCredentialRequestContext *)context withCompletionHandler:(void (^)(id <ASCCredentialProtocol> _Nullable credential, NSError * _Nullable error))completionHandler;
+#elif TARGET_OS_OSX || TARGET_OS_MACCATALYST
+- (void)performAuthorizationRequestsForContext:(ASCCredentialRequestContext *)context withClearanceHandler:(void (^)(NSXPCListenerEndpoint * _Nullable daemonEndpoint, NSError * _Nullable error))clearanceHandler;
+
+- (void)beginAuthorizationForApplicationIdentifier:(NSString *)applicationIdentifier fromEndpoint:(NSXPCListenerEndpoint *)listenerEndpoint;
+
+- (void)userSelectedLoginChoice:(id <ASCLoginChoiceProtocol>)loginChoice authenticatedContext:(LAContext *)context completionHandler:(void (^)(id <ASCCredentialProtocol> _Nullable, NSError * _Nullable))completionHandler;
+
+- (void)requestCompletedWithCredential:(nullable id<ASCCredentialProtocol>)credential error:(nullable NSError *)error;
+#endif
+
+@end
+
+@interface ASCAgentProxy : NSObject <ASCAgentProtocol>
+
+- (instancetype)init;
+
+#if TARGET_OS_OSX
+- (instancetype)initWithEndpoint:(NSXPCListenerEndpoint *)endpoint;
+#endif
+
+- (void)invalidate;
+
+- (void)reconnectIfNecessary;
 
 @end

trunk/Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm

@@ -88 +88 @@
     auto securityOrigin = WebCore::SecurityOrigin::createFromString(origin);
 
-    auto clientDataJson = buildClientDataJson(clientDataType, WebCore::BufferSource(challengeBuffer), securityOrigin);
+    auto clientDataJson = buildClientDataJson(clientDataType, WebCore::BufferSource(challengeBuffer), securityOrigin, WebAuthn::Scope::SameOrigin);
     return adoptNS([[NSData alloc] initWithBytes:clientDataJson->data() length:clientDataJson->byteLength()]);
 }

trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm

@@ -49 +49 @@
 {
     return ArrayBuffer::create(reinterpret_cast<const uint8_t*>(data.bytes), data.length);
+}
+
+static inline RetainPtr<NSData> toNSData(const Vector<uint8_t>& data)
+{
+    return adoptNS([[NSData alloc] initWithBytes:data.data() length:data.size()]);
 }
 
@@ -146 +151 @@
 }
 
-static RetainPtr<ASCCredentialRequestContext> configureRegistrationRequestContext(const PublicKeyCredentialCreationOptions& options)
+static RetainPtr<ASCCredentialRequestContext> configureRegistrationRequestContext(const PublicKeyCredentialCreationOptions& options, Vector<uint8_t> hash)
 {
     ASCCredentialRequestTypes requestTypes = ASCCredentialRequestTypePlatformPublicKeyRegistration | ASCCredentialRequestTypeSecurityKeyPublicKeyRegistration;
@@ -170 +175 @@
     auto credentialCreationOptions = adoptNS([allocASCPublicKeyCredentialCreationOptionsInstance() init]);
 
-    [credentialCreationOptions setChallenge:WebCore::toNSData(options.challenge).get()];
+    if ([credentialCreationOptions respondsToSelector:@selector(setClientDataHash:)])
+        [credentialCreationOptions setClientDataHash:toNSData(hash).get()];
+    else
+        [credentialCreationOptions setChallenge:WebCore::toNSData(options.challenge).get()];
     [credentialCreationOptions setRelyingPartyIdentifier:options.rp.id];
     [credentialCreationOptions setUserName:options.user.name];
@@ -203 +211 @@
 }
 
-static RetainPtr<ASCCredentialRequestContext> configurationAssertionRequestContext(const PublicKeyCredentialRequestOptions& options)
+static RetainPtr<ASCCredentialRequestContext> configurationAssertionRequestContext(const PublicKeyCredentialRequestOptions& options, Vector<uint8_t> hash)
 {
     ASCCredentialRequestTypes requestTypes = ASCCredentialRequestTypePlatformPublicKeyAssertion | ASCCredentialRequestTypeSecurityKeyPublicKeyAssertion;
@@ -228 +236 @@
     [requestContext setRelyingPartyIdentifier:options.rpId];
 
-    auto challenge = WebCore::toNSData(options.challenge);
-
-    if (requestTypes & ASCCredentialRequestTypePlatformPublicKeyAssertion)
-        [requestContext setPlatformKeyCredentialAssertionOptions:[allocASCPublicKeyCredentialAssertionOptionsInstance() initWithKind:ASCPublicKeyCredentialKindPlatform relyingPartyIdentifier:options.rpId challenge:challenge.get() userVerificationPreference:userVerification.get() allowedCredentials:allowedCredentials.get()]];
-
-    if (requestTypes & ASCCredentialRequestTypeSecurityKeyPublicKeyAssertion)
-        [requestContext setSecurityKeyCredentialAssertionOptions:[allocASCPublicKeyCredentialAssertionOptionsInstance() initWithKind:ASCPublicKeyCredentialKindSecurityKey relyingPartyIdentifier:options.rpId challenge:challenge.get() userVerificationPreference:userVerification.get() allowedCredentials:allowedCredentials.get()]];
+    if (requestTypes & ASCCredentialRequestTypePlatformPublicKeyAssertion) {
+        auto assertionOptions = adoptNS(allocASCPublicKeyCredentialAssertionOptionsInstance());
+        if ([assertionOptions respondsToSelector:@selector(initWithKind:relyingPartyIdentifier:clientDataHash:userVerificationPreference:allowedCredentials:)]) {
+            auto nsHash = toNSData(hash);
+            [assertionOptions initWithKind:ASCPublicKeyCredentialKindPlatform relyingPartyIdentifier:options.rpId clientDataHash:nsHash.get() userVerificationPreference:userVerification.get() allowedCredentials:allowedCredentials.get()];
+        } else {
+            auto challenge = WebCore::toNSData(options.challenge);
+            [assertionOptions initWithKind:ASCPublicKeyCredentialKindPlatform relyingPartyIdentifier:options.rpId challenge:challenge.get() userVerificationPreference:userVerification.get() allowedCredentials:allowedCredentials.get()];
+        }
+
+        [requestContext setPlatformKeyCredentialAssertionOptions:assertionOptions.get()];
+    }
+
+    if (requestTypes & ASCCredentialRequestTypeSecurityKeyPublicKeyAssertion) {
+        auto assertionOptions = adoptNS(allocASCPublicKeyCredentialAssertionOptionsInstance());
+        if ([assertionOptions respondsToSelector:@selector(initWithKind:relyingPartyIdentifier:clientDataHash:userVerificationPreference:allowedCredentials:)]) {
+            auto nsHash = toNSData(hash);
+            [assertionOptions initWithKind:ASCPublicKeyCredentialKindSecurityKey relyingPartyIdentifier:options.rpId clientDataHash:nsHash.get() userVerificationPreference:userVerification.get() allowedCredentials:allowedCredentials.get()];
+        } else {
+            auto challenge = WebCore::toNSData(options.challenge);
+            [assertionOptions initWithKind:ASCPublicKeyCredentialKindSecurityKey relyingPartyIdentifier:options.rpId challenge:challenge.get() userVerificationPreference:userVerification.get() allowedCredentials:allowedCredentials.get()];
+        }
+        [requestContext setSecurityKeyCredentialAssertionOptions:assertionOptions.get()];
+    }
 
     return requestContext;
@@ -243 +268 @@
     RetainPtr<ASCCredentialRequestContext> result;
     WTF::switchOn(requestData.options, [&](const PublicKeyCredentialCreationOptions& options) {
-        result = configureRegistrationRequestContext(options);
+        result = configureRegistrationRequestContext(options, requestData.hash);
     }, [&](const PublicKeyCredentialRequestOptions& options) {
-        result = configurationAssertionRequestContext(options);
+        result = configurationAssertionRequestContext(options, requestData.hash);
     });
     return result;