Closed Bug 1421723 Opened 7 years ago Closed 7 years ago

U2F BAD_REQUEST with localhost domain in appId

Categories

(Core :: DOM: Device Interfaces, defect, P2)

Product:
Core
Component:
DOM: Device Interfaces
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla59
Tracking Flags:
Tracking Status
firefox57 --- disabled
firefox58 --- disabled
firefox59 --- disabled

People

(Reporter: matt.beale, Assigned: ttaubert)

Details

(Whiteboard: [u2f])

Attachments

(1 file)

Bug 1421723 - Allow localhost as appId for U2F r?jcj
45 bytes, text/x-phabricator-request
jcj
: review+
Details | Review 
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.59 Safari/537.36

Steps to reproduce:

Attempt to run U2F's `register` or `sign` methods with an appId containing `localhost`. For example:

```
window.u2f.register('https://localhost:3000', registrationRequests, [], callback);
window.u2f.sign('https://localhost:3000', challenge, signRequests, callback);
```


Actual results:

Instead of permitting the appId, an error `2` is thrown which maps to `BAD_REQUEST` in the spec'd error codes: https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-javascript-api.html#error-codes




Expected results:

Registration and signing should be permitted.

* Chrome permits use of an appId with the host of `localhost`.
* A non-expert read of the spec doesn't show any specific guidance on `localhost`, but doesn't seem to suggest it should not work.
  * appId specs https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-appid-and-facets.html
  * U2F JS API specs https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-javascript-api.html

Registration and signing with a fake TLD worked as expected, for example:

```
window.u2f.register('https://localhost.ssl:3000', registrationRequests, [], callback);
window.u2f.sign('https://localhost.ssl:3000', challenge, signRequests, callback);
```
I believe the meta issue https://bugzilla.mozilla.org/show_bug.cgi?id=1065729 should depend on this.
Component: Untriaged → DOM: Device Interfaces
Product: Firefox → Core
Whiteboard: [u2f]
Our U2F JS implementation now follows Web Authentication's method of relaxing the same origin policy (see Bug 1244959 comment #8), which is what indirectly causes localhost to be forbidden. Basically, we'll fail resolving the Public Suffix List for "localhost" (https://searchfox.org/mozilla-central/rev/477ac066b565ae0eb3519875581a62dfb1430e98/dom/u2f/U2F.cpp#184)

To fix this, we'll need to special case localhost and abort before calling IsRegistrableDomainSuffixOfOrEqualTo in U2F.cpp's EvaluateAppID method.

Basically, after checking if the appId URL is https, we'd have to check if the appId URL's host equals the literal 'localhost', and also equals the origin/facet URL.

U2F is disabled currently, and this is a low-impact bug, so going to mark this P2.
Severity: normal → minor
Status: UNCONFIRMED → NEW
status-firefox57: --- → disabled
status-firefox58: --- → disabled
status-firefox59: --- → disabled
Ever confirmed: true
Priority: -- → P2
Assignee: nobody → ttaubert
Status: NEW → ASSIGNED
Comment on attachment 8934928 [details]
Bug 1421723 - Allow localhost as appId for U2F r?jcj

J.C. Jones [:jcj] has approved the revision.

https://phabricator.services.mozilla.com/D321#7943
Attachment #8934928 - Flags: review+
And again... on top of a hopefully not-so-broken inbound revision.

https://treeherder.mozilla.org/#/jobs?repo=try&revision=ffcff3911e966f9eec20f6228a4fa4ec71d4445a
https://hg.mozilla.org/mozilla-central/rev/7d1f9d97377c
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: