Changeset 244879 in webkit

Timestamp:

May 2, 2019 12:15:08 PM (5 years ago)

Author:

jiewen_tan@apple.com

Message:

[WebAuthN] Add a quirk for google.com when processing AppID extension
​https://bugs.webkit.org/show_bug.cgi?id=196046
<rdar://problem/49088479>

Reviewed by Brent Fulgham.

Relaxing the same site restriction on AppID while in google.com and any
of its subdomains to allow two www.gstatic.com AppIDs to slip in.

Covered by manual tests on Google.com.

• Modules/webauthn/AuthenticatorCoordinator.cpp:

(WebCore::AuthenticatorCoordinatorInternal::needsAppIdQuirks):
(WebCore::AuthenticatorCoordinatorInternal::processAppIdExtension):

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• Modules/webauthn/AuthenticatorCoordinator.cpp (modified) (2 diffs)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2019-05-02  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthN] Add a quirk for google.com when processing AppID extension
+        https://bugs.webkit.org/show_bug.cgi?id=196046
+        <rdar://problem/49088479>
+
+        Reviewed by Brent Fulgham.
+
+        Relaxing the same site restriction on AppID while in google.com and any
+        of its subdomains to allow two www.gstatic.com AppIDs to slip in.
+
+        Covered by manual tests on Google.com.
+
+        * Modules/webauthn/AuthenticatorCoordinator.cpp:
+        (WebCore::AuthenticatorCoordinatorInternal::needsAppIdQuirks):
+        (WebCore::AuthenticatorCoordinatorInternal::processAppIdExtension):
+
 2019-05-02  Ross Kirsling  <ross.kirsling@sony.com>
 

trunk/Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp

@@ -81 +81 @@
 }
 
+static bool needsAppIdQuirks(const String& host, const String& appId)
+{
+    // FIXME(197524): Remove this quirk in 2023. As an early adopter of U2F features, Google has a large number of
+    // existing device registrations that authenticate 'google.com' against 'gstatic.com'. Firefox and other browsers
+    // have agreed to grant an exception to the AppId rules for a limited time period (5 years from January, 2018) to
+    // allow existing Google users to seamlessly transition to proper WebAuthN behavior.
+    if (equalLettersIgnoringASCIICase(host, "google.com") || host.endsWithIgnoringASCIICase(".google.com"))
+        return (appId == "https://www.gstatic.com/securitykey/origins.json"_s) || (appId == "https://www.gstatic.com/securitykey/a/google.com/origins.json"_s);
+    return false;
+}
+
 // The following roughly implements Step 1-3 of the spec to avoid the complexity of making unnecessary network requests:
 // https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html#determining-if-a-caller-s-facetid-is-authorized-for-an-appid
@@ -97 +108 @@
     // Step 3. Relax the comparison to same site.
     URL appIdURL(URL(), appId);
-    if (!appIdURL.isValid() || facetId.protocol() != appIdURL.protocol() || RegistrableDomain(appIdURL) != RegistrableDomain::uncheckedCreateFromHost(facetId.host()))
+    if (!appIdURL.isValid() || facetId.protocol() != appIdURL.protocol() || (RegistrableDomain(appIdURL) != RegistrableDomain::uncheckedCreateFromHost(facetId.host()) && !needsAppIdQuirks(facetId.host(), appId)))
         return String();
     return appId;