Closed Bug 1888851 Opened 2 years ago Closed 1 year ago

Incorrect clientDataJSON order to support limited verification order

Categories

(Core :: DOM: Web Authentication, defect, P3)

Firefox 124
defect

Tracking


RESOLVED FIXED
129 Branch
Tracking Status
firefox128 --- fixed
firefox129 --- fixed

People

(Reporter: thefissinator, Assigned: jschanck)

Attachments

(2 files)

Steps to reproduce:

When generating a clientDataJSON after calling navigator.credentials.get() using WebAuthn, the order of the clientDataJSON produced is challenge, origin, type.

Expected results:

While not required by the specification, having it be in the mentioned order (type, challenge, origin) would allow compatibility with verifiers which use the Limited Verification Algorithm defined in 5.8.1.2 https://www.w3.org/TR/webauthn-3/#clientdatajson-verification. It would also align with other browsers that produce clientDataJSON objects in this format.

Assignee: nobody → jschanck
Severity: -- → S3
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Priority: -- → P3
Duplicate of this bug: 1901727
Attachment #9396342 - Attachment description: Bug 1888851 - reorder clientDataJSON properties to support limited verifiers. r=dveditz → Bug 1888851 - reorder clientDataJSON properties to support limited verifiers. r=keeler
Pushed by jschanck@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8bc3e2fd3625 reorder clientDataJSON properties to support limited verifiers. r=webidl,smaug,keeler

Hi, I don't see anywhere in the spec that the serialization algorithm is optional; it looks like it's mandatory to me: https://www.w3.org/TR/webauthn-3/#clientdatajson-serialization

Also, I want to clarify that this is not just about reordering the fields; for instance, the 'crossOrigin' attribute is mandatory and not always present today. Best to follow the steps laid out in the spec to guarantee compatibility.
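An added example (not Firefox code and not part of the bug thread) of why member order and the presence of crossOrigin matter to a verifier that compares a byte prefix instead of parsing JSON, in the manner of the limited verification algorithm referenced in the report. The challenge, origin and sample clientDataJSON values are constructed, the function names are hypothetical, and topOrigin handling is left out.

```python
import base64
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def ccd_to_string(s: str) -> bytes:
    """JSON string encoding as the serialization algorithm expects it."""
    out = bytearray(b'"')
    for ch in s:
        if ch == '"':
            out += b'\\"'
        elif ch == "\\":
            out += b"\\\\"
        elif ord(ch) < 0x20:
            out += b"\\u%04x" % ord(ch)      # lowercase hex, 4 digits
        else:
            out += ch.encode("utf-8")
    return bytes(out + b'"')

def limited_verify(cdj: bytes, type_: str, challenge: bytes,
                   origin: str, cross_origin: bool = False) -> bool:
    """Prefix comparison only: no JSON parser is involved."""
    expected = (b'{"type":' + ccd_to_string(type_)
                + b',"challenge":' + ccd_to_string(b64url(challenge))
                + b',"origin":' + ccd_to_string(origin)
                + b',"crossOrigin":' + (b"true" if cross_origin else b"false"))
    if not cdj.startswith(expected):
        return False
    # The byte after the fixed prefix must close the object or start extra members.
    return cdj[len(expected):len(expected) + 1] in (b"}", b",")

def full_parse_verify(cdj: bytes, type_: str, challenge: bytes, origin: str) -> bool:
    """A parsing verifier does not care about member order."""
    d = json.loads(cdj)
    return (d.get("type"), d.get("challenge"), d.get("origin")) == (
        type_, b64url(challenge), origin)

def dump(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")

# Constructed sample values.
CHALLENGE, ORIGIN, TYPE = bytes(range(16)), "https://example.org", "webauthn.get"
C = b64url(CHALLENGE)
SPEC_ORDER = dump({"type": TYPE, "challenge": C, "origin": ORIGIN, "crossOrigin": False})
# Order reported in this bug: challenge, origin, type (crossOrigin absent).
REPORTED_ORDER = dump({"challenge": C, "origin": ORIGIN, "type": TYPE})
# Correct order, but crossOrigin omitted.
NO_CROSS_ORIGIN = dump({"type": TYPE, "challenge": C, "origin": ORIGIN})
```

Only `SPEC_ORDER` passes `limited_verify`; `REPORTED_ORDER` still passes `full_parse_verify`, which is why the mismatch only surfaces on sites whose verifier takes the prefix-comparison route.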

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 129 Branch
Attachment #9407312 - Flags: approval-mozilla-beta?

beta Uplift Approval Request

  • User impact if declined: WebAuthn operations may fail on some sites.
  • Code covered by automated testing: yes
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: n/a
  • Risk associated with taking this patch: low
  • Explanation of risk level: The patch just changes the order of properties in a JSON object.
  • String changes made/needed: none
  • Is Android affected?: yes
Attachment #9407312 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #9407312 - Flags: approval-mozilla-beta+ → approval-mozilla-beta?
Attachment #9407312 - Flags: approval-mozilla-beta? → approval-mozilla-beta+