1887577 - credential.create rejecting rpId when the document is XML encoded

Status: ASSIGNED

(Core :: DOM: Web Authentication, defect, P3)

Description

[Hubert Tonneau]

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0

Steps to reproduce:

When calling credential.create() or credential.get(), if the web page is XML encoded as opposed to HTML, then using rp.Id (in create) or rpId (in get) will be rejected, probably because in 'RelaxSameOrigin' function, you have :
if (!document || !document->IsHTMLDocument()) {
return NS_ERROR_FAILURE;
}

Comment 1

[BugBot [:suhaib / :marco/ :calixte]]

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Core & HTML' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Comment 2

[Hubert Tonneau]

Demo available at :
https://copliant.storga.com/public/u2f_test.html
https://copliant.storga.com/public/u2f_test.xml
They are the same content, only the <!DOCTYPE> and <html> tags are different.
The demo is using a single tiny u2f_javascript.js script.

The HTML version will accept to register the Yubikey,
the XML version will raise Javascript exception 'DOMException: The operation is insecure.'

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

The severity field is not set for this bug.
:bvandersloot, could you have a look please?

For more information, please visit BugBot documentation.

Comment 4

[Benjamin VanderSloot [:bvandersloot]]

:jschanck : do you want to triage this?

Comment 5

[John Schanck [:jschanck]]

Sure, looks like we could replace that IsHTMLDocument() with IsHTMLOrXHTML().

Comment 6

[Hubert Tonneau]

What on hell are you waiting for the correct and close this bug ?
I provided you bug reproduction links.
I tracked the bug to the single faulty line in the code.
John Schanck provided the fix.
Then nothing appened for a month now.

Comment 7

[John Schanck [:jschanck]]

Attachment: Bug 1887577 - allow webauthn in xhtml documents. r=dveditz