Problem
The library does not check the crossOrigin field in clientDataJSON during either processCreate() or processGet().
Per the proposed W3C WebAuthn Level 3 spec (§7.1 Step 10 for registration, §7.2 Step 13 for authentication), if clientDataJSON.crossOrigin is true, the ceremony should be rejected unless the Relying Party has explicitly opted into cross-origin behaviour.
Attack scenario
An attacker hosts evil-example.com which embeds the legitimate site's WebAuthn ceremony in a cross-origin iframe. The browser sets crossOrigin: true in clientDataJSON to signal this, but because the library doesn't check it, the ceremony succeeds. This could allow an attacker to trick a user into registering or authenticating a passkey from a context they didn't intend.
Suggested fix
Add a check in both processCreate() and processGet(), after the existing origin validation, that rejects requests where crossOrigin is explicitly true:

```php
// crossOrigin is optional; only an explicit true marks a cross-origin ceremony.
if (\property_exists($clientData, 'crossOrigin') && $clientData->crossOrigin === true) {
    throw new WebAuthnException('cross-origin request not allowed', WebAuthnException::INVALID_ORIGIN);
}
```

This is backwards-compatible — crossOrigin is optional in the spec, so existing clients that don't send it are unaffected. Only explicitly cross-origin requests are rejected.
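For reference, here is a stand-alone clientDataJSON validator that places the proposed crossOrigin check after the origin check and shows how an RP would opt in by allow-listing the embedding page's top-level origin (reported as topOrigin in Level 3 clientDataJSON). This is an added example, not the library's code; the parameter names, the ClientDataError class and the sample JSON are assumptions constructed for illustration.

```php
<?php
// Added example (not the library's code): validate decoded clientDataJSON,
// including the crossOrigin check this issue proposes. Parameter names and
// the ClientDataError class are assumptions.
final class ClientDataError extends RuntimeException {}

// $expectedType is 'webauthn.create' for processCreate() or 'webauthn.get' for
// processGet(); $expectedChallenge is the base64url challenge the RP issued;
// $allowedTopOrigins lists top-level origins the RP has opted in to (empty = never).
function validateClientData(string $clientDataJson, string $expectedType, string $expectedChallenge,
                            array $allowedOrigins, array $allowedTopOrigins = []): object
{
    $clientData = json_decode($clientDataJson, false, 8, JSON_THROW_ON_ERROR);
    if (!is_object($clientData)) {
        throw new ClientDataError('clientDataJSON is not a JSON object');
    }
    if (($clientData->type ?? null) !== $expectedType) {
        throw new ClientDataError('unexpected ceremony type');
    }
    if (!hash_equals($expectedChallenge, (string) ($clientData->challenge ?? ''))) {
        throw new ClientDataError('challenge mismatch');
    }
    // Existing origin validation: exact match against the allow-list.
    if (!in_array($clientData->origin ?? '', $allowedOrigins, true)) {
        throw new ClientDataError('origin not allowed');
    }
    // The check this issue proposes. crossOrigin is optional, so only an explicit
    // true counts; reject unless the RP opted in by allow-listing the embedding
    // page's top-level origin (reported as topOrigin in Level 3 clientDataJSON).
    if (property_exists($clientData, 'crossOrigin') && $clientData->crossOrigin === true) {
        $topOrigin = $clientData->topOrigin ?? null;
        if (!is_string($topOrigin) || !in_array($topOrigin, $allowedTopOrigins, true)) {
            throw new ClientDataError('cross-origin request not allowed');
        }
    }
    return $clientData;
}

// Constructed sample data: same-origin passes, the iframe case from this issue is rejected.
$same   = '{"type":"webauthn.get","challenge":"abc123","origin":"https://example.com"}';
$iframe = '{"type":"webauthn.get","challenge":"abc123","origin":"https://example.com",'
        . '"crossOrigin":true,"topOrigin":"https://evil-example.com"}';
validateClientData($same, 'webauthn.get', 'abc123', ['https://example.com']);
try {
    validateClientData($iframe, 'webauthn.get', 'abc123', ['https://example.com']);
} catch (ClientDataError $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

With an empty $allowedTopOrigins the in_array check never matches, so every explicitly cross-origin ceremony is rejected, which is the default behaviour the issue asks for.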