Closed Bug 1385008 Opened 7 years ago Closed 7 years ago

WebAuthn: CollectedClientData.Origin must be the RP ID

Categories

(Core :: DOM: Device Interfaces, enhancement, P1)

55 Branch
enhancement

RESOLVED FIXED
mozilla56
Tracking Status
firefox56 --- fixed

People

(Reporter: jcj, Assigned: jcj)

(Whiteboard: [webauthn] [webauthn-interop])

Attachments

(1 file)

WD-05 specifies the CollectedClientData Origin field be set to the RP ID, rather than the document's origin. We need to match it, and revert back to using the calling page's origin in Bug 1384776.
Note there is some ambiguity in the specification, as [1] says CollectedClientData.Origin is the document's origin, while the algorithms [2] and [3] set it to RP ID.

I'm going to stick with the algorithm's definition and produce a patch; it's simple to revert when we move to WD-06. This also isn't a critical compatibility thing, as the data structure is transmitted on the wire, so it should be obvious during interop testing which way people chose.

[1] https://www.w3.org/TR/webauthn/#dom-collectedclientdata-origin
[2] https://www.w3.org/TR/webauthn/#createCredential
[3] https://www.w3.org/TR/webauthn/#getAssertion
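
For the interop testing mentioned in the report above, a relying party can check which of the two conventions a client used for the origin field. This is an added example, not part of the bug report or of Firefox's code: the function names, the expected RP ID and origin, and the sample payloads are constructed, and the JSON key `origin` is assumed from the spec's dictionary member name.

```javascript
// Added example: classify how a client populated the origin field of the
// serialized CollectedClientData. All values below are constructed.
const EXPECTED_RP_ID = "example.com";           // assumed RP ID
const EXPECTED_ORIGIN = "https://example.com";  // assumed calling-page origin

// Hypothetical helper: serialize a constructed clientData object to bytes.
function encodeSample(obj) {
  return new TextEncoder().encode(JSON.stringify(obj));
}

// Returns "rp-id" if the field holds the bare RP ID, "origin" if it holds
// the full document origin, and "mismatch" for anything else.
function classifyClientDataOrigin(clientDataBytes,
                                  rpId = EXPECTED_RP_ID,
                                  origin = EXPECTED_ORIGIN) {
  let data;
  try {
    data = JSON.parse(new TextDecoder().decode(clientDataBytes));
  } catch (e) {
    return "mismatch"; // not parseable as JSON
  }
  const value = data && data.origin;
  if (typeof value !== "string" || value.length === 0) return "mismatch";

  // Origin form: the value parses as a URL. Require an exact match on the
  // serialized origin so look-alike hosts, other schemes, or extra path
  // components are rejected rather than prefix-matched.
  let parsed = null;
  try {
    parsed = new URL(value);
  } catch (e) {
    // A bare host name is not a valid absolute URL; fall through.
  }
  if (parsed !== null) {
    return parsed.origin === origin && value === origin ? "origin" : "mismatch";
  }

  // RP ID form: a bare domain, compared exactly against the expected RP ID.
  return value === rpId ? "rp-id" : "mismatch";
}

// Constructed samples, one per convention (other clientData fields omitted).
const sampleRpIdForm = encodeSample({ challenge: "c2FtcGxl", origin: "example.com" });
const sampleOriginForm = encodeSample({ challenge: "c2FtcGxl", origin: "https://example.com" });
console.log(classifyClientDataOrigin(sampleRpIdForm), classifyClientDataOrigin(sampleOriginForm));
```
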
Comment on attachment 8890974 [details]
Bug 1385008: WebAuthn CollectedClientData.Origin must be RP ID

https://reviewboard.mozilla.org/r/162150/#review167444

Ok - sounds good.

::: commit-message-388d8:6
(Diff revision 1)
> +Bug 1385008: WebAuthn CollectedClientData.Origin must be RP ID r?keeler
> +
> +The WebAuthn WD-05 version of the specification defines the Origin field [1]
> +of the CollectedClientData as being set to the RP ID [2][3].
> +
> +Note there is some ambiguity in the specification, as [1] says

I'm assuming the ambiguity is resolved and/or moot in WD-06?
Attachment #8890974 - Flags: review?(dkeeler) → review+
Comment on attachment 8890974 [details]
Bug 1385008: WebAuthn CollectedClientData.Origin must be RP ID

https://reviewboard.mozilla.org/r/162150/#review167444

Thanks a bunch!

> I'm assuming the ambiguity is resolved and/or moot in WD-06?

Yep, it's the state of the tree today, so we'll just revert this patch.
Keywords: checkin-needed
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/8791f4a87a60
WebAuthn CollectedClientData.Origin must be RP ID r=keeler
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/8791f4a87a60
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED