Bug 1540309 - Track browsing context for the WebAuthn UX prompts r=nhnt11

jcjones · jcjones · commit 1bd162dde35e · 2020-10-05T22:20:41.000Z
The WebAuthn popup just used the current selected browser for its context, while we actually want to stick with the window that brought us to the party. This adds tests to ensure that the doorhanger stays on the tab it was originally attached to, avoiding the 'wandering doorhanger' problem from the bug. Differential Revision: https://phabricator.services.mozilla.com/D72255
diff --git a/browser/base/content/browser.js b/browser/base/content/browser.js
@@ -7744,14 +7744,26 @@ var WebAuthnPromptHelper = {
     let mgr = aSubject.QueryInterface(Ci.nsIU2FTokenManager);
     let data = JSON.parse(aData);
 
+    // If we receive a cancel, it might be a WebAuthn prompt starting in another
+    // window, and the other window's browsing context will send out the
+    // cancellations, so any cancel action we get should prompt us to cancel.
+    if (data.action == "cancel") {
+      this.cancel(data);
+    }
+
+    if (
+      data.browsingContextId !== gBrowser.selectedBrowser.browsingContext.id
+    ) {
+      // Must belong to some other window.
+      return;
+    }
+
     if (data.action == "register") {
       this.register(mgr, data);
     } else if (data.action == "register-direct") {
       this.registerDirect(mgr, data);
     } else if (data.action == "sign") {
       this.sign(mgr, data);
-    } else if (data.action == "cancel") {
-      this.cancel(data);
     }
   },
 
@@ -7819,6 +7831,7 @@ var WebAuthnPromptHelper = {
 
     options.name = origin;
     options.hideClose = true;
+    options.persistent = true;
     options.eventCallback = event => {
       if (event == "removed") {
         this._current = null;
diff --git a/dom/webauthn/U2FTokenManager.cpp b/dom/webauthn/U2FTokenManager.cpp
@@ -50,11 +50,15 @@ static nsIThread* gBackgroundThread;
 
 // Data for WebAuthn UI prompt notifications.
 static const char16_t kRegisterPromptNotifcation[] =
-    u"{\"action\":\"register\",\"tid\":%llu,\"origin\":\"%s\"}";
+    u"{\"action\":\"register\",\"tid\":%llu,\"origin\":\"%s\","
+    u"\"browsingContextId\":%llu}";
 static const char16_t kRegisterDirectPromptNotifcation[] =
-    u"{\"action\":\"register-direct\",\"tid\":%llu,\"origin\":\"%s\"}";
+    u"{\"action\":\"register-direct\",\"tid\":%llu,\"origin\":\"%s\","
+    u"\"browsingContextId\":%llu}";
 static const char16_t kSignPromptNotifcation[] =
-    u"{\"action\":\"sign\",\"tid\":%llu,\"origin\":\"%s\"}";
+    u"{\"action\":\"sign\",\"tid\":%llu,\"origin\":\"%s\","
+    u"\"browsingContextId\":%"
+    u"llu}";
 static const char16_t kCancelPromptNotifcation[] =
     u"{\"action\":\"cancel\",\"tid\":%llu}";
 
@@ -340,7 +344,7 @@ void U2FTokenManager::Register(
   // store the transaction info until the user proceeds or cancels.
   NS_ConvertUTF16toUTF8 origin(aTransactionInfo.Origin());
   SendPromptNotification(kRegisterDirectPromptNotifcation, aTransactionId,
-                         origin.get());
+                         origin.get(), aTransactionInfo.BrowsingContextId());
 
   MOZ_ASSERT(mPendingRegisterInfo.isNothing());
   mPendingRegisterInfo = Some(aTransactionInfo);
@@ -354,7 +358,7 @@ void U2FTokenManager::DoRegister(const WebAuthnMakeCredentialInfo& aInfo,
   // Show a prompt that lets the user cancel the ongoing transaction.
   NS_ConvertUTF16toUTF8 origin(aInfo.Origin());
   SendPromptNotification(kRegisterPromptNotifcation, mLastTransactionId,
-                         origin.get());
+                         origin.get(), aInfo.BrowsingContextId());
 
   uint64_t tid = mLastTransactionId;
   mozilla::TimeStamp startTime = mozilla::TimeStamp::Now();
@@ -413,7 +417,8 @@ void U2FTokenManager::Sign(PWebAuthnTransactionParent* aTransactionParent,
 
   // Show a prompt that lets the user cancel the ongoing transaction.
   NS_ConvertUTF16toUTF8 origin(aTransactionInfo.Origin());
-  SendPromptNotification(kSignPromptNotifcation, aTransactionId, origin.get());
+  SendPromptNotification(kSignPromptNotifcation, aTransactionId, origin.get(),
+                         aTransactionInfo.BrowsingContextId());
 
   uint64_t tid = mLastTransactionId = aTransactionId;
   mozilla::TimeStamp startTime = mozilla::TimeStamp::Now();
diff --git a/dom/webauthn/WebAuthnManager.cpp b/dom/webauthn/WebAuthnManager.cpp
@@ -416,9 +416,9 @@ already_AddRefed<Promise> WebAuthnManager::MakeCredential(
     return promise.forget();
   }
 
-  WebAuthnMakeCredentialInfo info(origin, NS_ConvertUTF8toUTF16(rpId),
-                                  challenge, clientDataJSON, adjustedTimeout,
-                                  excludeList, Some(extra), context->Id());
+  WebAuthnMakeCredentialInfo info(
+      origin, NS_ConvertUTF8toUTF16(rpId), challenge, clientDataJSON,
+      adjustedTimeout, excludeList, Some(extra), context->Top()->Id());
 
 #ifdef OS_WIN
   if (!WinWebAuthnManager::AreWebAuthNApisAvailable()) {
@@ -624,7 +624,7 @@ already_AddRefed<Promise> WebAuthnManager::GetAssertion(
 
   WebAuthnGetAssertionInfo info(origin, NS_ConvertUTF8toUTF16(rpId), challenge,
                                 clientDataJSON, adjustedTimeout, allowList,
-                                Some(extra), context->Id());
+                                Some(extra), context->Top()->Id());
 
 #ifdef OS_WIN
   if (!WinWebAuthnManager::AreWebAuthNApisAvailable()) {
diff --git a/dom/webauthn/tests/browser/browser_webauthn_prompts.js b/dom/webauthn/tests/browser/browser_webauthn_prompts.js
@@ -19,6 +19,16 @@ function promiseNotification(id) {
   });
 }
 
+function triggerMainPopupCommand(popup) {
+  info("triggering main command");
+  let notifications = popup.childNodes;
+  ok(notifications.length > 0, "at least one notification displayed");
+  let notification = notifications[0];
+  info("triggering command: " + notification.getAttribute("buttonlabel"));
+
+  return EventUtils.synthesizeMouseAtCenter(notification.button, {});
+}
+
 let expectAbortError = expectError("Abort");
 
 function verifyAnonymizedCertificate(result) {
@@ -115,6 +125,103 @@ add_task(async function test_register_direct_cancel() {
   await BrowserTestUtils.removeTab(tab);
 });
 
+// Add two tabs, open WebAuthn in the first, switch, assert the prompt is
+// not visible, switch back, assert the prompt is there and cancel it.
+add_task(async function test_tab_switching() {
+  // Open a new tab.
+  let tab_one = await BrowserTestUtils.openNewForegroundTab(gBrowser, TEST_URL);
+
+  // Request a new credential and wait for the prompt.
+  let active = true;
+  let request = promiseWebAuthnMakeCredential(tab_one, "indirect", {})
+    .then(arrivingHereIsBad)
+    .catch(expectAbortError)
+    .then(() => (active = false));
+  await promiseNotification("webauthn-prompt-register");
+  is(PopupNotifications.panel.state, "open", "Doorhanger is visible");
+
+  // Open and switch to a second tab.
+  let tab_two = await BrowserTestUtils.openNewForegroundTab(
+    gBrowser,
+    "https://example.org/"
+  );
+
+  await TestUtils.waitForCondition(
+    () => PopupNotifications.panel.state == "closed"
+  );
+  is(PopupNotifications.panel.state, "closed", "Doorhanger is hidden");
+
+  // Go back to the first tab
+  await BrowserTestUtils.removeTab(tab_two);
+
+  await promiseNotification("webauthn-prompt-register");
+
+  await TestUtils.waitForCondition(
+    () => PopupNotifications.panel.state == "open"
+  );
+  is(PopupNotifications.panel.state, "open", "Doorhanger is visible");
+
+  // Cancel the request.
+  ok(active, "request should still be active");
+  await triggerMainPopupCommand(PopupNotifications.panel);
+  await request;
+  ok(!active, "request should be stopped");
+
+  // Close tab.
+  await BrowserTestUtils.removeTab(tab_one);
+});
+
+// Add two tabs, open WebAuthn in the first, switch, assert the prompt is
+// not visible, switch back, assert the prompt is there and cancel it.
+add_task(async function test_window_switching() {
+  // Open a new tab.
+  let tab = await BrowserTestUtils.openNewForegroundTab(gBrowser, TEST_URL);
+
+  // Request a new credential and wait for the prompt.
+  let active = true;
+  let request = promiseWebAuthnMakeCredential(tab, "indirect", {})
+    .then(arrivingHereIsBad)
+    .catch(expectAbortError)
+    .then(() => (active = false));
+  await promiseNotification("webauthn-prompt-register");
+
+  await TestUtils.waitForCondition(
+    () => PopupNotifications.panel.state == "open"
+  );
+  is(PopupNotifications.panel.state, "open", "Doorhanger is visible");
+
+  // Open and switch to a second window
+  let new_window = await BrowserTestUtils.openNewBrowserWindow();
+  await SimpleTest.promiseFocus(new_window);
+
+  await TestUtils.waitForCondition(
+    () => new_window.PopupNotifications.panel.state == "closed"
+  );
+  is(
+    new_window.PopupNotifications.panel.state,
+    "closed",
+    "Doorhanger is hidden"
+  );
+
+  // Go back to the first tab
+  await BrowserTestUtils.closeWindow(new_window);
+  await SimpleTest.promiseFocus(window);
+
+  await TestUtils.waitForCondition(
+    () => PopupNotifications.panel.state == "open"
+  );
+  is(PopupNotifications.panel.state, "open", "Doorhanger is still visible");
+
+  // Cancel the request.
+  ok(active, "request should still be active");
+  await triggerMainPopupCommand(PopupNotifications.panel);
+  await request;
+  ok(!active, "request should be stopped");
+
+  // Close tab.
+  await BrowserTestUtils.removeTab(tab);
+});
+
 add_task(async function test_setup_softtoken() {
   await SpecialPowers.pushPrefEnv({
     set: [
