Closed Bug 1381126 Opened 2 years ago Closed 2 years ago

WebAuthn: Strictly require domain strings as RP IDs

Categories

(Core :: DOM: Device Interfaces, enhancement, P1)

Tracking

RESOLVED FIXED
mozilla57
Tracking Status
firefox57 --- fixed

People

(Reporter: jcj, Assigned: jcj)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [webauthn] [webauthn-interop])

Attachments

(1 file)

Bug 1380421 permits WebAuthn to use RP IDs which are Origins, while the WD-06 and later drafts of the spec require RP IDs to be Domain Strings.

Once we're past the WD-05 interop period, we should be strict that all RP IDs be Domain Strings.
Blocks: 1384776
It's been agreed that all interop participants will actually use only Domain Strings, not Origins, so we need to do this bug before the interop day after all.
Assignee: nobody → jjones
Status: NEW → ASSIGNED
Priority: P3 → P1
QA Contact: mwobensmith
Whiteboard: [webauthn] [webauthn-interop]
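
The difference between an Origin and a Domain String as RP ID shows up directly in the RP ID hash a relying party verifies. The sketch below is an added example, not code from this bug or from Firefox; the function names, the constructed authenticator data and the `example.com` values are assumptions for illustration.

```javascript
// Added illustration, not Firefox or test-suite code. All function names are hypothetical.
const { createHash, timingSafeEqual } = require("crypto");

// True only for a domain string: dot-separated ASCII labels with no scheme,
// port, path or trailing dot. Assumes IDNs arrive in A-label (xn--) form.
function isDomainString(rpId) {
  if (typeof rpId !== "string" || rpId.length === 0 || rpId.length > 253) return false;
  const labels = rpId.split(".");
  if (/^\d+$/.test(labels[labels.length - 1])) return false; // looks like an IPv4 address
  return labels.every((l) => /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i.test(l));
}

// SHA-256 over the UTF-8 bytes of the RP ID.
function rpIdHash(rpId) {
  return createHash("sha256").update(rpId, "utf8").digest();
}

// Constructed sample: 32-byte rpIdHash, flags byte (0x01 = user present), 4-byte counter.
function sampleAuthData(rpId) {
  return Buffer.concat([rpIdHash(rpId), Buffer.from([0x01]), Buffer.alloc(4)]);
}

// Relying-party side: refuse an origin-form expectation outright, then compare
// the first 32 bytes of the authenticator data with the expected hash.
function verifyRpIdHash(authData, expectedRpId) {
  if (!isDomainString(expectedRpId)) {
    throw new TypeError(`RP ID must be a domain string, got: ${expectedRpId}`);
  }
  if (authData.length < 37) return false; // too short to hold hash + flags + counter
  return timingSafeEqual(authData.subarray(0, 32), rpIdHash(expectedRpId));
}

// A credential hashed over the domain string verifies; one hashed over the
// origin form of the same site does not.
console.log(verifyRpIdHash(sampleAuthData("example.com"), "example.com"));
console.log(verifyRpIdHash(sampleAuthData("https://example.com"), "example.com"));
```

A client that hashes the origin and a relying party that hashes the domain string will never agree, which is why all participants have to use the same form.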
Comment on attachment 8906665 [details]
Bug 1381126: Resume requiring WebAuthn RP ID to be a Domain String

https://reviewboard.mozilla.org/r/178378/#review183442

LGTM.

::: dom/webauthn/tests/test_webauthn_loopback.html:73
(Diff revision 1)
>  
>      return webAuthnDecodeCBORAttestation(aCredInfo.response.attestationObject.buffer)
>      .then(function(decodedResult) {
> +      // Make sure the RP ID hash matches what we calculate.
> +      return crypto.subtle.digest("SHA-256", string2buffer(document.domain))
> +      .then(function(calculatedHash){

nit: space before '{'

::: dom/webauthn/tests/test_webauthn_loopback.html:74
(Diff revision 1)
>      return webAuthnDecodeCBORAttestation(aCredInfo.response.attestationObject.buffer)
>      .then(function(decodedResult) {
> +      // Make sure the RP ID hash matches what we calculate.
> +      return crypto.subtle.digest("SHA-256", string2buffer(document.domain))
> +      .then(function(calculatedHash){
> +        is(bytesToBase64(new Uint8Array(calculatedHash)), bytesToBase64(decodedResult.rpIdHash), "Calculated RP ID hash must match what the browser derived.");
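
Review bot: on the `crypto.subtle.digest("SHA-256", string2buffer(document.domain))` line, the expected value depends on how `string2buffer` encodes the string, and that helper is not visible in this hunk. The RP ID hash is computed over the UTF-8 bytes of the RP ID, so either confirm the helper yields UTF-8 or use `new TextEncoder().encode(document.domain)` so the test does not silently depend on an ASCII-only test domain. The added `is(...)` only covers the matching case; if the patch does not already have one elsewhere, a companion check that an origin-form RP ID is rejected would exercise the strictness this bug is about.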

nit: break up long line
Attachment #8906665 - Flags: review?(dkeeler) → review+
Comment on attachment 8906665 [details]
Bug 1381126: Resume requiring WebAuthn RP ID to be a Domain String

https://reviewboard.mozilla.org/r/178378/#review183442

Thanks for the review!
Keywords: checkin-needed
Version: 55 Branch → Trunk
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/9584975d84e0
Resume requiring WebAuthn RP ID to be a Domain String r=keeler
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/9584975d84e0
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla57