Web Authentication: getting a "none" attestation format even when requesting "indirect" or "direct" in Firefox 85.0.2
Categories: Core :: DOM: Web Authentication, defect
Tracking:
 | Tracking | Status |
---|---|---|
firefox98 | --- | fixed |
People: Reporter: kubek2k, Assigned: dveditz
Attachments (2 files)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Steps to reproduce:
Go to https://psteniusubi.github.io/webauthn-tester/credential-create.html and require attestation "indirect" or "direct"
Actual results:
The attestationObject has attestation in format "none"
Expected results:
As per https://www.w3.org/TR/webauthn-2/#sctn-none-attestation and https://www.w3.org/TR/webauthn-2/#enum-attestation-convey, the attestation should be returned in a format other than "none" (in my case "packed" for a YubiKey).
Comment 2•3 years ago
The Bugbug bot thinks this bug should belong to the 'Firefox Build System::Lint and Formatting' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
Comment 3•3 years ago
Hi kubek2k,
Am I missing any step?
I accessed your shared link https://psteniusubi.github.io/webauthn-tester/credential-create.html
Then chose indirect/direct (tried both) for publicKey.attestation field
Should I fill in any other field before hitting credentials.create()?
I'm asked to enter security password to USB port.
Best,
Clara
Comment 4•3 years ago
Hello Clara - the point is that after you give the password the attestation format is "none" instead of any other format and this is against the spec.
Comment 6•3 years ago
With attestation "direct" I get a format "fido-u2f", but with "indirect" I do get a format of "none" (on MacOS).
Comment 7•2 years ago
The old behavior (only send attestation if attestation-type was "direct", and "none" otherwise) broke the spec.
Only send "none" if directly requested by RP or the user.
Comment 8•2 years ago
There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:dveditz, could you have a look please?
For more information, please visit auto_nag documentation.
Pushed by dveditz@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2d160fe7a7ce
Web Authentication: Only send "none" attestation if it was requested (by server or user) r=dveditz
Comment 10•2 years ago
bugherder
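Added example, not part of the bug thread or of Firefox's code: a relying party can detect the situation reported here by decoding the `fmt` field of the returned attestationObject and comparing it with the conveyance it requested. The names `cborDecode` and `checkAttestation` are hypothetical, and the two sample objects are constructed with a 4-byte dummy `authData`.

```javascript
// Minimal CBOR reader covering only what an attestationObject uses:
// unsigned/negative ints, byte strings, text strings, arrays, maps.
function cborDecode(buf, pos = 0) {
  if (pos >= buf.length) throw new Error("truncated CBOR");
  const major = buf[pos] >> 5, info = buf[pos] & 0x1f;
  pos += 1;
  let n = info;
  if (info >= 24 && info <= 26) {            // value follows in 1, 2 or 4 bytes
    const width = 1 << (info - 24);
    if (pos + width > buf.length) throw new Error("truncated CBOR");
    n = 0;
    for (let i = 0; i < width; i++) n = n * 256 + buf[pos + i];
    pos += width;
  } else if (info > 26) throw new Error("unsupported CBOR encoding");
  if ((major === 2 || major === 3) && pos + n > buf.length) throw new Error("truncated CBOR");
  let k, v;
  switch (major) {
    case 0: return [n, pos];
    case 1: return [-1 - n, pos];
    case 2: return [buf.subarray(pos, pos + n), pos + n];
    case 3: return [new TextDecoder().decode(buf.subarray(pos, pos + n)), pos + n];
    case 4: { const arr = [];
      for (let i = 0; i < n; i++) { [v, pos] = cborDecode(buf, pos); arr.push(v); }
      return [arr, pos]; }
    case 5: { const map = {};
      for (let i = 0; i < n; i++) {
        [k, pos] = cborDecode(buf, pos); [v, pos] = cborDecode(buf, pos); map[k] = v;
      }
      return [map, pos]; }
    default: throw new Error("unsupported CBOR major type " + major);
  }
}

// Compare the conveyance the RP requested with the format the client returned.
function checkAttestation(requested, attestationObject) {
  const [obj, end] = cborDecode(attestationObject);
  if (end !== attestationObject.length) throw new Error("trailing bytes");
  if (typeof obj.fmt !== "string") throw new Error("missing fmt");
  // "none" although "indirect"/"direct" was requested: no verifiable statement arrived.
  return { fmt: obj.fmt, downgraded: requested !== "none" && obj.fmt === "none" };
}

const fromHex = (h) => Uint8Array.from(h.match(/../g), (b) => parseInt(b, 16));
// Constructed samples, not captured from a real authenticator.
const KEY_FMT = "63666d74", KEY_STMT = "6761747453746d74";   // "fmt", "attStmt"
const AUTH = "686175746844617461" + "4400000000";            // "authData": 4 zero bytes
const NONE_OBJ = fromHex("a3" + KEY_FMT + "646e6f6e65" + KEY_STMT + "a0" + AUTH);
const PACKED_OBJ = fromHex("a3" + KEY_FMT + "667061636b6564" + KEY_STMT +
  "a263616c67266373696741" + "00" + AUTH);                   // {alg: -7, sig: h'00'}
```

A `downgraded` result only says that no attestation statement was conveyed; the object alone does not show whether the user declined or the client replaced it.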