Closed Bug 1380421 Opened 8 years ago Closed 8 years ago

Regression: Tolerate origin RP IDs in WebAuthn

Categories

(Core :: DOM: Device Interfaces, enhancement, P1)

Product:
Core
Component:
DOM: Device Interfaces
Version:
55 Branch
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla57
Tracking Flags:
Tracking Status
firefox56 --- fixed

People

(Reporter: jcj, Assigned: jcj)

References

(Blocks 1 open bug)

Details

(Whiteboard: [webauthn] [webauthn-interop])

Attachments

(2 files)

Bug 1380421 - Handle URIs for RP IDs (1/2)
59 bytes, text/x-review-board-request
keeler
: review+
Details
Bug 1380421 - Update test to handle origin RP IDs, too (2/2)
59 bytes, text/x-review-board-request
keeler
: review+
Details
A recent fixup commit [1] changed "RP ID" fields in WebAuthn to be domain strings rather than origins, which matches the current editor's draft of Web Authentication. Unfortunately, this is contrary to the interop WD-05, which requires they be origins. We should be tolerant of origins for now, and file a follow-on to remove when we get past initial interop. [1] https://hg.mozilla.org/mozilla-central/rev/e173fd86d931
Comment on attachment 8886658 [details] Bug 1380421 - Handle URIs for RP IDs (1/2) https://reviewboard.mozilla.org/r/157436/#review162608 LGTM - just a couple of comments. ::: commit-message-09a42:8 (Diff revision 1) > +A recent fixup commit [1] changed "RP ID" fields in WebAuthn to be domain > +strings rather than origins, which matches the current editor's draft of > +Web Authentication. Unfortunately, this is contrary to the interop WD-05, > +which requires they be origins. > + > +We should be tolerant of origins for now, and file a follow-on to remove when Let's file it and reference it here. ::: dom/webauthn/WebAuthnManager.cpp:180 (Diff revision 1) > return NS_ERROR_FAILURE; > } > > - if (!html->IsRegistrableDomainSuffixOfOrEqualTo(aInputRpId, originHost)) { > + // WD-05 origin compatibility support - aInputRpId might be a URI/origin, > + // so catch that (Bug 1380421) > + nsAutoString inputRpId = nsAutoString(aInputRpId); Seems like this would be simpler as `nsAutoString inputRpId(aInputRpId);` ? ::: dom/webauthn/WebAuthnManager.cpp:182 (Diff revision 1) > > - if (!html->IsRegistrableDomainSuffixOfOrEqualTo(aInputRpId, originHost)) { > + // WD-05 origin compatibility support - aInputRpId might be a URI/origin, > + // so catch that (Bug 1380421) > + nsAutoString inputRpId = nsAutoString(aInputRpId); > + nsCOMPtr<nsIURI> inputUri; > + if (!NS_FAILED(NS_NewURI(getter_AddRefs(inputUri), aInputRpId, nullptr, nullptr))) { NS_SUCCEEDED? Also, the `nullptr` arguments have defaults (of `nullptr`), so we probably don't have to even specify them.
Attachment #8886658 - Flags: review?(dkeeler) → review+
See Also: → 1381126
Comment on attachment 8886659 [details] Bug 1380421 - Update test to handle origin RP IDs, too (2/2) https://reviewboard.mozilla.org/r/157438/#review162612 Looks good - just a few questions. ::: dom/webauthn/tests/test_webauthn_sameorigin.html:148 (Diff revision 1) > return credm.create({publicKey: makeCredentialOptions}) > .then(arrivingHereIsBad) > .catch(expectSecurityError); > }, > - function () { > - // Test basic good call > + function() { > + // Test basic good call but using an origin (Bug 1380421) Seems like this would make more sense to go right before the new testcase at the end. ::: dom/webauthn/tests/test_webauthn_sameorigin.html:153 (Diff revision 1) > - let publicKeyCredentialRequestOptions = { > - challenge: chall, > - rpId: document.domain, > + let rp = {id: window.origin}; > + let makeCredentialOptions = { > + rp: rp, user: user, challenge: chall, parameters: [param] > - allowList: [gTrackedCredential] > }; > - return credm.get({publicKey: publicKeyCredentialRequestOptions}) > + return credm.create({publicKey: makeCredentialOptions}) Do we not still want this `credentials.get` testcase? ::: dom/webauthn/tests/test_webauthn_sameorigin.html:235 (Diff revision 1) > return credm.get({publicKey: publicKeyCredentialRequestOptions}) > .then(arrivingHereIsBad) > .catch(expectSecurityError); > }, > function () { > - SimpleTest.finish(); > + // Test basic good call but using an origin (Bug 1380421) Is the `SimpleTest.finish()` call not still needed?
Attachment #8886659 - Flags: review?(dkeeler) → review+
Comment on attachment 8886659 [details] Bug 1380421 - Update test to handle origin RP IDs, too (2/2) https://reviewboard.mozilla.org/r/157438/#review162612 > Seems like this would make more sense to go right before the new testcase at the end. Agreed, and I put comments around it that they should go away with Bug 1381126. > Do we not still want this `credentials.get` testcase? Oh, geez. Good catch, not sure how I whacked that. I put it back. > Is the `SimpleTest.finish()` call not still needed? It's not, it's actually a dupe call and it prompts a console warning.
Comment on attachment 8886658 [details] Bug 1380421 - Handle URIs for RP IDs (1/2) https://reviewboard.mozilla.org/r/157436/#review162608 Thanks for the reviews! > Let's file it and reference it here. Got it. > Seems like this would be simpler as `nsAutoString inputRpId(aInputRpId);` ? Heh, heh... *sheepish* Of course. Thanks :) > NS_SUCCEEDED? > Also, the `nullptr` arguments have defaults (of `nullptr`), so we probably don't have to even specify them. When all you've got is `NS_FAILED`, everything looks like an `nsresult`. No, wait, that doesn't make sense. Anyway, yeah, hehe, I forgot about `NS_SUCCEEDED`. Fixed. And good catch about the default args. That's nice and cleaner. :thumbsup:
Try run looks good, marking checkin-needed. Thanks for the reviews!
Keywords: checkin-needed
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/autoland/rev/15436a89237a Handle URIs for RP IDs (1/2) r=keeler https://hg.mozilla.org/integration/autoland/rev/03db2b65e5a6 Update test to handle origin RP IDs, too (2/2) r=keeler
Keywords: checkin-needed
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: