Closed Bug 1877332 Opened 2 years ago Closed 2 years ago

WebAuthn create requests in a cross-origin iframe must consume user activation

Categories: Core :: DOM: Web Authentication, defect, P3

Status: RESOLVED FIXED
Target Milestone: 124 Branch

Tracking Status
firefox123 --- fixed
firefox124 --- fixed

People: Reporter: jschanck, Assigned: jschanck

Attachments: 1 file
See Step 2.2 of https://w3c.github.io/webauthn/#sctn-createCredential. Curiously there is no requirement to consume user activation for cross-origin get requests.

Pushed by jschanck@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/63688f915f53 consume user activation in webauthn cross-origin iframe create request. r=keeler
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 124 Branch

The patch landed in nightly and beta is affected.
:jschanck, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox123 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(jschanck)

Comment on attachment 9377071 [details]
Bug 1877332 - consume user activation in webauthn cross-origin iframe create request. r=keeler

Beta/Release Uplift Approval Request

  • User impact if declined: WebAuthn credential creation requests in (appropriately permissioned) cross-origin iframes are allowed when the main frame is active. The request should require user activation in the iframe.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Low risk as the change is well covered by tests.
  • String changes made/needed:
  • Is Android affected?: Yes
Flags: needinfo?(jschanck)
Attachment #9377071 - Flags: approval-mozilla-beta?
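
The behaviour described in the uplift request above, as an added model that is not part of the bug or the Gecko patch: it shows why activation in the main frame does not satisfy the check for a cross-origin iframe, and why a consumed activation cannot be reused. The `Frame` class, the `createCredential` helper and the example origins are hypothetical; activation expiry is omitted and only the cross-origin check of step 2 is modelled.

```javascript
// Added model (not Gecko code): a frame tree with HTML transient user
// activation and the cross-origin gate from step 2 of WebAuthn create().
class Frame {
  constructor(origin, parent = null) {
    this.origin = origin;
    this.parent = parent;
    this.children = [];
    this.active = false; // stands in for "has transient activation"; expiry timer omitted
    if (parent) parent.children.push(this);
  }
  top() { return this.parent ? this.parent.top() : this; }
  descendants() { return this.children.flatMap(c => [c, ...c.descendants()]); }
  // sameOriginWithAncestors: true only if every ancestor shares this frame's origin.
  sameOriginWithAncestors() {
    for (let f = this.parent; f; f = f.parent) {
      if (f.origin !== this.origin) return false;
    }
    return true;
  }
  // HTML activation notification: activates this frame, all of its ancestors,
  // and its same-origin descendants. Cross-origin descendants stay inactive.
  click() {
    for (let f = this; f; f = f.parent) f.active = true;
    for (const d of this.descendants()) {
      if (d.origin === this.origin) d.active = true;
    }
  }
  // HTML "consume user activation": clears activation across the whole tree.
  consume() {
    const t = this.top();
    for (const f of [t, ...t.descendants()]) f.active = false;
  }
}

// Hypothetical helper: returns "ok" or the DOMException name the request gets.
function createCredential(frame) {
  if (!frame.sameOriginWithAncestors()) {
    if (!frame.active) return "NotAllowedError"; // no activation in the iframe itself
    frame.consume();                             // one activation, one request
  }
  return "ok"; // the real call would continue on to the authenticator
}
```
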

Comment on attachment 9377071 [details]
Bug 1877332 - consume user activation in webauthn cross-origin iframe create request. r=keeler

Approved for 123 beta 6, thanks.

Attachment #9377071 - Flags: approval-mozilla-beta? → approval-mozilla-beta+