Changeset 244879 in webkit
- Timestamp:
- May 2, 2019 12:15:08 PM (5 years ago)
- Location:
- trunk/Source/WebCore
- Files:
-
- 2 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/WebCore/ChangeLog
r244876 r244879 1 2019-05-02 Jiewen Tan <jiewen_tan@apple.com> 2 3 [WebAuthN] Add a quirk for google.com when processing AppID extension 4 https://bugs.webkit.org/show_bug.cgi?id=196046 5 <rdar://problem/49088479> 6 7 Reviewed by Brent Fulgham. 8 9 Relaxing the same site restriction on AppID while in google.com and any 10 of its subdomains to allow two www.gstatic.com AppIDs to slip in. 11 12 Covered by manual tests on Google.com. 13 14 * Modules/webauthn/AuthenticatorCoordinator.cpp: 15 (WebCore::AuthenticatorCoordinatorInternal::needsAppIdQuirks): 16 (WebCore::AuthenticatorCoordinatorInternal::processAppIdExtension): 17 1 18 2019-05-02 Ross Kirsling <ross.kirsling@sony.com> 2 19 -
trunk/Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp
r244863 r244879 81 81 } 82 82 83 static bool needsAppIdQuirks(const String& host, const String& appId) 84 { 85 // FIXME(197524): Remove this quirk in 2023. As an early adopter of U2F features, Google has a large number of 86 // existing device registrations that authenticate 'google.com' against 'gstatic.com'. Firefox and other browsers 87 // have agreed to grant an exception to the AppId rules for a limited time period (5 years from January, 2018) to 88 // allow existing Google users to seamlessly transition to proper WebAuthN behavior. 89 if (equalLettersIgnoringASCIICase(host, "google.com") || host.endsWithIgnoringASCIICase(".google.com")) 90 return (appId == "https://www.gstatic.com/securitykey/origins.json"_s) || (appId == "https://www.gstatic.com/securitykey/a/google.com/origins.json"_s); 91 return false; 92 } 93 83 94 // The following roughly implements Step 1-3 of the spec to avoid the complexity of making unnecessary network requests: 84 95 // https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html#determining-if-a-caller-s-facetid-is-authorized-for-an-appid … … 97 108 // Step 3. Relax the comparison to same site. 98 109 URL appIdURL(URL(), appId); 99 if (!appIdURL.isValid() || facetId.protocol() != appIdURL.protocol() || RegistrableDomain(appIdURL) != RegistrableDomain::uncheckedCreateFromHost(facetId.host()))110 if (!appIdURL.isValid() || facetId.protocol() != appIdURL.protocol() || (RegistrableDomain(appIdURL) != RegistrableDomain::uncheckedCreateFromHost(facetId.host()) && !needsAppIdQuirks(facetId.host(), appId))) 100 111 return String(); 101 112 return appId;
Note: See TracChangeset
for help on using the changeset viewer.