credential.create rejecting rpId when the document is XML encoded
Categories
(Core :: DOM: Web Authentication, defect, P3)
People
(Reporter: hubert.tonneau, Assigned: jschanck)
Details
Attachments
(1 file)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Steps to reproduce:
When calling credential.create() or credential.get(), if the web page is XML encoded as opposed to HTML, then using rp.Id (in create) or rpId (in get) will be rejected, probably because in the 'RelaxSameOrigin' function, you have:
    if (!document || !document->IsHTMLDocument()) {
      return NS_ERROR_FAILURE;
    }
Comment 1 • 2 months ago
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Core & HTML' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 2 • 2 months ago (Reporter)
Demo available at:
https://copliant.storga.com/public/u2f_test.html
https://copliant.storga.com/public/u2f_test.xml
They are the same content, only the <!DOCTYPE> and <html> tags are different.
The demo is using a single tiny u2f_javascript.js script.
The HTML version will accept registering the Yubikey;
the XML version will raise the JavaScript exception 'DOMException: The operation is insecure.'
Comment 3 • 1 month ago
The severity field is not set for this bug.
:bvandersloot, could you have a look please?
For more information, please visit BugBot documentation.
Comment 4 • 1 month ago
:jschanck : do you want to triage this?
Comment 5 • 1 month ago (Assignee)
Sure, looks like we could replace that IsHTMLDocument() with IsHTMLOrXHTML().
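A page-side check for the behaviour discussed in this bug, as an added example that is not code from the report, the demo page, or Firefox: it drops an rp.id that only repeats the page's hostname when the document is not parsed as HTML, and flags a SecurityError that matches the bug's signature. The function names are hypothetical, and the omission fallback relies on WebAuthn defaulting rp.id to the origin's effective domain.

```javascript
// Added example; function names are hypothetical, not Firefox or demo-page code.
// Browser usage:
//   register(navigator.credentials, document, location.hostname, publicKeyOptions)

// True when the page was parsed as HTML. XML/XHTML pages report
// "application/xhtml+xml", "text/xml", ... in document.contentType.
function isHtmlParsed(doc) {
  return doc.contentType === "text/html";
}

// Build the `rp` member for navigator.credentials.create().
// WebAuthn defaults rp.id to the origin's effective domain, so an rp.id equal
// to the hostname can be dropped on XML pages without changing the scope.
// A parent-domain rp.id cannot be expressed by omission and is only flagged.
function buildRp(doc, hostname, name, rpId) {
  const rp = { name };
  const xml = !isHtmlParsed(doc);
  if (rpId !== undefined && !(xml && rpId === hostname)) rp.id = rpId;
  return { rp, atRisk: xml && rp.id !== undefined };
}

// Call create() and report whether a failure matches this bug's signature:
// a SecurityError raised on an XML page while rp.id was set.
async function register(credentials, doc, hostname, publicKey) {
  const { rp, atRisk } = buildRp(doc, hostname, publicKey.rp.name, publicKey.rp.id);
  try {
    const credential = await credentials.create({ publicKey: { ...publicKey, rp } });
    return { ok: true, credential };
  } catch (err) {
    const suspectedXmlGate = atRisk && err.name === "SecurityError";
    return { ok: false, error: err.name, suspectedXmlGate };
  }
}
```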
Comment hidden (advocacy)
Comment 7 • 3 days ago (Assignee)