Closed Bug 1382893 Opened 7 years ago Closed 6 years ago

WebAuthn RP-IDs should enforce HTTPS and be permissive for alternative TCP ports

Tracking

()

Status:

RESOLVED WONTFIX

Milestone:

Future

Tracking Flags:

Tracking

Status

firefox57

---

disabled

firefox58

---

fix-optional

People

(Reporter: jcj, Assigned: jcj)

References

(Blocks 1 open bug)

Details

(Whiteboard: [webauthn][webauthn-wd07])

Attachments

(1 file)

Bug 1382893 - Add a WebAuthn test to confirm RP ID is not port-sensitive 6 years ago J.C. Jones [:jcj] (he/him) 59 bytes, text/x-review-board-request		Details

J.C. Jones [:jcj] (he/him)

Assignee

Description

•

7 years ago

The WebAuthn Relying Party domain strings are defined as being restricted to https (enforced by [SecureContext]), meeting the "Is Registrable Domain Suffix Of Or Equal To" algorithm (already implemented), and being generic to all TCP ports on a host.

The last should be enforced by the nsIURI parsing code in use, but is not covered by tests. Add tests and make sure that's working properly.

[1] https://w3c.github.io/webauthn/#relying-party-identifier

J.C. Jones [:jcj] (he/him)

Assignee

Updated

•

7 years ago

Assignee: nobody → jjones

Status: NEW → ASSIGNED

Emma Humphries ☕️🎸🧞‍♀️✨ (she/they) [:emceeaich] (Pacific Time) use needinfo

Updated

•

7 years ago

Keywords: stale-bug

Andrew Overholt [:overholt]

Comment 1

•

7 years ago

Are we planning to do this in 57?

Flags: needinfo?(jjones)

J.C. Jones [:jcj] (he/him)

Assignee

Comment 2

•

7 years ago

No. Updating to 'Future' as it's still undetermined what the schedule will be.

Flags: needinfo?(jjones)

Target Milestone: mozilla57 → Future

Version: 55 Branch → Trunk

Andrew Overholt [:overholt]

Comment 3

•

7 years ago

Thanks. I've made a few other flag changes here to clarify the situation.

status-firefox57: --- → disabled

status-firefox58: --- → fix-optional

J.C. Jones [:jcj] (he/him)

Assignee

Comment 4

•

6 years ago

I've made a website to test this: 

https://webauthn.bin.coffee:8443/

And, as expected, manual tests pass.

I've also produced a patch that adds an automated test, but it doesn't work as our mochitest webserver needs to support ports other than 443 for HTTPS. 

I'll attach the patch for posterity, but I think we can leave this without an automated test. The code path for this functionality runs through nsURI, and that is unlikely to change substantially enough to cause a regression.

Keywords: stale-bug

Whiteboard: [webauthn] → [webauthn][webauthn-wd07]

Comment hidden (mozreview-request)

This patch adds a test to perform a Web Authentication operation from a server
on port 8443 using a port-less RP ID. The operation should succeed.

This patch doesn't currently work on OSX because no server spins up on 8443.

There is a manual test available at https://webauthn.bin.coffee:8443/

Review commit: https://reviewboard.mozilla.org/r/211134/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/211134/

J.C. Jones [:jcj] (he/him)

Assignee

Comment 6

•

6 years ago

Marking this wontfix for now, pending further discussions.

Status: ASSIGNED → RESOLVED

Closed: 6 years ago

Resolution: --- → WONTFIX

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

WebAuthn RP-IDs should enforce HTTPS and be permissive for alternative TCP ports

Categories

(Core :: DOM: Device Interfaces, defect, P1)

Tracking

()

People

(Reporter: jcj, Assigned: jcj)

References

(Blocks 1 open bug)

Details

(Whiteboard: [webauthn][webauthn-wd07])

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Updated

Updated

Comment 1

Comment 2

Comment 3

Comment 4

Comment 5

Comment 6

Attachment

General

Description

File Name

Content Type