Bug 1421723: U2F BAD_REQUEST with localhost domain in appId
Status: Closed (RESOLVED FIXED, mozilla59)
Opened 7 years ago, closed 7 years ago
Categories: Core :: DOM: Device Interfaces, defect, P2
People: Reporter: matt.beale, Assigned: ttaubert
Whiteboard: [u2f]
Attachments: 1 file
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.59 Safari/537.36

Steps to reproduce:

Attempt to run U2F's `register` or `sign` methods with an appId containing `localhost`. For example:

```
window.u2f.register('https://localhost:3000', registrationRequests, [], callback);
window.u2f.sign('https://localhost:3000', challenge, signRequests, callback);
```

Actual results:

Instead of permitting the appId, an error `2` is thrown which maps to `BAD_REQUEST` in the spec'd error codes: https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-javascript-api.html#error-codes

Expected results:

Registration and signing should be permitted.

* Chrome permits use of an appId with the host of `localhost`.
* A non-expert read of the spec doesn't show any specific guidance on `localhost`, but doesn't seem to suggest it should not work.
* appId specs https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-appid-and-facets.html
* U2F JS API specs https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-javascript-api.html

Registration and signing with a fake TLD worked as expected, for example:

```
window.u2f.register('https://localhost.ssl:3000', registrationRequests, [], callback);
window.u2f.sign('https://localhost.ssl:3000', challenge, signRequests, callback);
```
Reporter
Comment 1•7 years ago
I believe the meta issue https://bugzilla.mozilla.org/show_bug.cgi?id=1065729 should depend on this.
Updated•7 years ago
Component: Untriaged → DOM: Device Interfaces
Product: Firefox → Core
Updated•7 years ago
Whiteboard: [u2f]
Comment 2•7 years ago
Our U2F JS implementation now follows Web Authentication's method of relaxing the same origin policy (see Bug 1244959 comment #8), which is what indirectly causes localhost to be forbidden. Basically, we'll fail resolving the Public Suffix List for "localhost" (https://searchfox.org/mozilla-central/rev/477ac066b565ae0eb3519875581a62dfb1430e98/dom/u2f/U2F.cpp#184).

To fix this, we'll need to special case localhost and abort before calling IsRegistrableDomainSuffixOfOrEqualTo in U2F.cpp's EvaluateAppID method. Basically, after checking if the appId URL is https, we'd have to check if the appId URL's host equals the literal 'localhost', and also equals the origin/facet URL.

U2F is disabled currently, and this is a low-impact bug, so going to mark this P2.
Severity: normal → minor
Status: UNCONFIRMED → NEW
status-firefox57:
--- → disabled
status-firefox58:
--- → disabled
status-firefox59:
--- → disabled
Ever confirmed: true
Priority: -- → P2
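A simplified model of the check order that comment 2 describes, as an added example (it is not Firefox's U2F.cpp and not part of the bug thread). The names `registrableDomain` and `evaluateAppId`, the `allowLocalhost` switch and the one-entry suffix set are constructed for illustration.

```javascript
// Added illustration, not Firefox's U2F.cpp: models the check order from comment 2.
// Constructed stand-in for the Public Suffix List (the real list is far larger).
const MULTI_LABEL_SUFFIXES = new Set(["co.uk"]);

// Registrable domain = public suffix plus one label. Hosts with no listed
// suffix fall under the PSL default rule "*", so the last label is the suffix.
function registrableDomain(host) {
  const labels = host.split(".");
  let suffixLen = 1;
  for (let i = 0; i < labels.length; i++) {
    if (MULTI_LABEL_SUFFIXES.has(labels.slice(i).join("."))) {
      suffixLen = labels.length - i;
      break;
    }
  }
  // "localhost" is a single label, i.e. only a suffix: nothing registrable.
  if (labels.length <= suffixLen) return null;
  return labels.slice(-(suffixLen + 1)).join(".");
}

// Returns true when the appId is acceptable for the calling origin (facet).
// allowLocalhost=false models the behaviour reported in this bug.
function evaluateAppId(originStr, appIdStr, allowLocalhost) {
  let origin, appId;
  try {
    origin = new URL(originStr);
    appId = new URL(appIdStr);
  } catch (e) {
    return false; // unparsable input
  }
  if (appId.protocol !== "https:") return false;

  // Special case from comment 2: literal "localhost" on both sides,
  // decided before any Public Suffix List lookup.
  if (allowLocalhost && appId.hostname === "localhost" &&
      origin.hostname === "localhost") {
    return true;
  }
  // Relaxed same-origin check: the appId host must contain a registrable
  // domain and be equal to, or a parent domain of, the origin host.
  if (registrableDomain(appId.hostname) === null) return false;
  return origin.hostname === appId.hostname ||
         origin.hostname.endsWith("." + appId.hostname);
}
```

Because the special case requires `localhost` on both sides, an origin such as `https://example.com` still cannot claim `https://localhost` as its appId.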
Assignee
Updated•7 years ago
Assignee: nobody → ttaubert
Status: NEW → ASSIGNED
Comment 3•7 years ago
Comment on attachment 8934928
Bug 1421723 - Allow localhost as appId for U2F r?jcj

J.C. Jones [:jcj] has approved the revision.
https://phabricator.services.mozilla.com/D321#7943
Attachment #8934928 - Flags: review+
Assignee
Comment 4•7 years ago
https://treeherder.mozilla.org/#/jobs?repo=try&revision=fbed82da942baa71335eb39dbd6276b1df70a9f4
Assignee
Comment 5•7 years ago
And again... on top of a hopefully not-so-broken inbound revision. https://treeherder.mozilla.org/#/jobs?repo=try&revision=ffcff3911e966f9eec20f6228a4fa4ec71d4445a
Pushed by ttaubert@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/7d1f9d97377c
Allow localhost as appId for U2F r=jcj
Comment 7•7 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/7d1f9d97377c
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59