Closed Bug 1616675 Opened 2 years ago Closed 2 years ago

Web Authentication - Prohibit use for IP Addresses

Categories

(Core :: DOM: Web Authentication, defect, P3)

defect

Tracking

()

RESOLVED FIXED
mozilla75
Tracking Status
firefox75 --- fixed

People

(Reporter: jcj, Assigned: jcj)

References

()

Details

Attachments

(3 files)

WebAuthn is only permitted for host types, not IP addresses, so we need to enforce that and add a Web Platform Test.

WebAuthn needs to write a test to confirm it's prohibited when accessed via
an IP address. This adds the capability to get a SecureContext for an IP host.
It uses 127.0.0.2 so as to bypass restrictions on 127.0.0.1, and the use of .1
as a special-market in ssltunnel.

Assignee: nobody → jjones
Status: NEW → ASSIGNED

Boris, I'm looking for advice:

WebAuthn needs to check that the origin has a domain [-1], or maybe more explicitly, that the host is a domain and not an IP4/6 address.

  • nsIPrincipal doesn't have a method or attribute for it (though BasePrincipal has mHasExplicitDomain but it's unavailable and I'm not clear on its semantics).
  • nsContentUtils has some formatting methods for IPv6 strings [0] but nothing to tell whether it is an IP address
  • One can cheat like nsNavHistory does using nsIEffectiveTLDService's getBaseDomain [1] and looking for NS_ERROR_HOST_IS_IP_ADDRESS
  • Or one can go full NSPR and call PR_StringToNetAddr()

As far as I can tell, other than going via nsIEffectiveTLDService, my real path here is to implement another method in BasePrincipal, and have that either call PR_StringToNetAddr or do regexes.

  1. Would adding to BasePrincipal match up with your preferences -- or do you think this is a matter for nsContentUtils?
  2. Would you prefer the NSPR route, processing from nsIEffectiveTLDService::getBaseDomain, or regexes?

[-1] https://github.com/w3c/webauthn/issues/1358#issuecomment-588453058
[0] https://searchfox.org/mozilla-central/rev/5a10be606f2d76ef22f1f44565749490de991d35/dom/base/nsContentUtils.cpp#7171
[1] https://searchfox.org/mozilla-central/rev/5a10be606f2d76ef22f1f44565749490de991d35/toolkit/components/places/nsNavHistory.cpp#828

Flags: needinfo?(bzbarsky)

mHasExplicitDomain is not what you want here. That's "document.domain was set" stuff.

In general, people are trying to remove the ability to get a URI from a principal; see bug 1577165 and its dependencies. So the right thing is probably to have an API on nsIPrincipal or BasePrincipal to ask the question you want to ask, and then implement either via PR_StringToNetAddr or using the nsIEffectiveTLDService. Please do not manually do string matching to make this determination!

As far as TLD service via direct NSPR, the former has a bit more overhead, possibly, but also caches the result. Then again, for the common, non-IP, case, it does all sorts of work you don't care about... So my temptation would be to just PR_StringToNetAddr.

Flags: needinfo?(bzbarsky)

Adds an infallable boolean attribute to nsIPrincipal that indicates whether
the principal's host is an IP address.

Adds a gtest to exercise that part of the nsIPrincipal.

/**

  • Returns if the principal is an IP address.
    */
    [infallible] readonly attribute boolean isIpAddress;

Depends on D63570

Attachment #9127987 - Attachment description: Bug 1616675 - Prohibit IP addresses for WebAuthn operations → Bug 1616675 - Prohibit IP addresses for WebAuthn operations r?keeler
Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f8632635a60c
Add an IPv4 secure service to mochitests' ssltunnel r=keeler
https://hg.mozilla.org/integration/autoland/rev/d7a04fa898d2
Add isIpAddress to nsIPrincipal r=ckerschb
https://hg.mozilla.org/integration/autoland/rev/006a9bbd98d7
Prohibit IP addresses for WebAuthn operations r=keeler
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla75
You need to log in before you can comment on or make changes to this bug.