Comments (10)
@MasterKale
At least, it's meaningful to add some references to indicate the way of origin comparison.
from webauthn.
RFC3986 normalization methods such as Section 6.2.2 Syntax-Based Normalization (specifically point 1 as I don't believe the other points apply to the origin portion of a URI), Section 6.2.3 Scheme-Based Normalization, and Section 6.2.4 Protocol-Based Normalization are probably the most appropriate normalization types to use (in order of importance).
Theoretically a simple string comparison with case normalization is probably the most appropriate minimum requirement.
from webauthn.
Some of implementations in OSS just maintain list of acceptable origins and simply compares the given origin with the list by simply text equality.
Is the issue that strings may not be normalized by the client? I guess I'm not understanding how this process needs to be defined more robustly.
from webauthn.
I think there is also some level of user interaction with the consistency of the strings on RP side. For example the administrator may not provide a string consistent with the value the client does. The developer implementing the RP would realistically be expected to account for this in some way.
from webauthn.
Should't origin
be compared the same way RP ID is compared?
from webauthn.
I agree with @Kieun, the spec is too vague about origin matching. It references web origin RFC6454, but it doesn't mandate the origin to be a web origin. This allows, for example, Android native API to send android:...
origin instead.
The spec should say that both client and RP origins must be web origins, if that's the case, and the origin matching should be done the same way RP ID matching is done. If it is not the case, and the origin can be just a string, then explicitly specify matching rules for such strings, i.e. string equality, binary equality, etc. If there are some constraints for the origin values, specify them as well.
Back to my example. Is android:...
a valid value for the origin? If so, how do I match it? What if I get xyz:...
origin from the client, how should I match that?
If the phishing-resistance promise of WebAuthn is based on the origin (and RP ID), we should be very specific about origin matching.
from webauthn.
Back to my example. Is
android:...
a valid value for the origin? If so, how do I match it? What if I getxyz:...
origin from the client, how should I match that?
Yes, this is a valid origin for an app on Android.
If the phishing-resistance promise of WebAuthn is based on the origin (and RP ID), we should be very specific about origin matching.
RP's need to ensure that the origin included in clientData is an expected origin during verification.
from webauthn.
RP's need to ensure that the origin included in clientData is an expected origin during verification.
Does it mean the rule should say "RP origin list must contain the clientData origin; values are compared using string equality."? And case-sensitivity would be different for web vs other types of origins, I presume.
from webauthn.
The term matching
is vague and if there is anything to check against to the expected origin, it's better to describe the way of comparison by adding some texts or references.
from webauthn.
يحتاج RP إلى التأكد من أن الأصل المتضمن في clientData هو أصل متوقع أثناء التحقق.
هل يعني ذلك أن القاعدة يجب أن تقول "يجب أن تحتوي قائمة أصل RP على أصل clientData ؛ تتم مقارنة القيم باستخدام مساواة السلسلة."؟ وستكون حساسية حالة الأحرف مختلفة للويب مقارنة بأنواع الأصول الأخرى ، كما أفترض.
from webauthn.
Related Issues (20)
- Code Injection vulnerability from client side HOT 18
- [Superset] Updating credential metadata and requesting deletion of stale credentials HOT 19
- Extensions should specify partial dictionaries that modify AuthenticationExtensionsClient{Inputs, Outputs}JSON
- The bike shed build is broken with the newest version
- Provide a way for Web Extensions to hook into browser's Passkey autofill UI HOT 4
- Remove the [SameObject] attribute from PublicKeyCredential::authenticatorAttachment HOT 1
- Are notes in webauthn normative or informative? HOT 1
- Ambiguous instructions in the Android Key Attestation Statement Format verification procedure HOT 6
- Spec is not specific enough about order of conditional UI autofill tokens HOT 1
- create() and get() return an algorithm, not a credential HOT 1
- Virtual Authenticator API does not expose a way to set backup-eligible or backup-status flags HOT 9
- Deprecation warning for fido-u2f, apple, and android-safetynet? HOT 6
- > HOT 1
- Inconsistent Passkey Authentication in Google Chrome HOT 5
- rp.name, user.name and user.displayName length limit does not state binary encoding HOT 2
- How is an RP to know if a packed attestation root certificate is used for multiple authenticator models? HOT 2
- Wrong type of encrypted content specified for credentialId under "Credential Storage Modality" section HOT 1
- Cambios por abuso HOT 2
- Consider replacing "Github" with "GitHub" HOT 2
- Conditional UI support by WebAuthn WebDriver Extension HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from webauthn.