From 3507992a79f2b0a904b25705890b33bf80ddfbd6 Mon Sep 17 00:00:00 2001 From: JeffH Date: Wed, 30 Nov 2016 15:53:41 -0800 Subject: [PATCH] complete fixing #251 (in getAssertion()) --- index.bs | 44 +++++++++++++++++++++++--------------------- 1 file changed, 23 insertions(+), 21 deletions(-) diff --git a/index.bs b/index.bs index e1fef68fd..b46f09e6b 100644 --- a/index.bs +++ b/index.bs @@ -479,9 +479,10 @@ This method takes the following parameters: When this method is invoked, the user agent MUST execute the following algorithm: -1. If {{AssertionOptions/timeoutSeconds}} was specified, check if its value lies within a reasonable range as defined by the - platform and if not, correct it to the closest value lying within that range. Set |adjustedTimeout| to this adjusted value. - If {{AssertionOptions/timeoutSeconds}} was not specified, then set |adjustedTimeout| to a platform-specific default. +1. If the {{AssertionOptions/timeoutSeconds}} member of {{options}} is present, check if its value lies within a + reasonable range as defined by the platform and if not, correct it to the closest value lying within that range. Set + |adjustedTimeout| to this adjusted value. If {{AssertionOptions/timeoutSeconds}} is not present, then set + |adjustedTimeout| to a platform-specific default. 2. Let |promise| be a new Promise. Return |promise| and start a timer for |adjustedTimeout| seconds. Then asynchronously continue executing the following steps. If any fatal error is encountered in this process other than the 
@@ -491,17 +492,18 @@ When this method is invoked, the user agent MUST execute the following algorithm 3. Set |callerOrigin| to the current settings object's origin. If |callerOrigin| is an opaque origin, reject |promise| with a DOMException whose name is "NotAllowedError", and terminate this algorithm. Otherwise, - - If {{AssertionOptions/rpId}} is not specified, then set |rpId| to |callerOrigin|, and |rpIdHash| to the SHA-256 - hash of |rpId|. - - If {{AssertionOptions/rpId}} is specified, then invoke the procedure used for relaxing the same-origin restriction - by setting the `document.domain` attribute, using {{AssertionOptions/rpId}} as the given value but without changing the - current document's `domain`. If no errors are thrown, set |rpId| to the value of `host` as computed by this procedure, - and |rpIdHash| to the SHA-256 hash of |rpId|. Otherwise, reject |promise| with a DOMException whose name is - "SecurityError", and terminate this algorithm. - -4. If {{AssertionOptions/extensions}} was specified, process any extensions supported by this client platform, to produce the - extension data that needs to be sent to the authenticator. If an error is encountered while processing an extension, skip - that extension and do not produce any extension data for it. Call the result of this processing |clientExtensions|. + - If the {{AssertionOptions/rpId}} member of {{options}} is not present, then set |rpId| to |callerOrigin|, and + |rpIdHash| to the SHA-256 hash of |rpId|. + - If the {{AssertionOptions/rpId}} member of {{options}} is present, then invoke the procedure used for relaxing + the same-origin restriction by setting the `document.domain` attribute, using {{AssertionOptions/rpId}} as the given + value but without changing the current document's `domain`. If no errors are thrown, set |rpId| to the value of `host` + as computed by this procedure, and |rpIdHash| to the SHA-256 hash of |rpId|. 
Otherwise, reject |promise| with a + DOMException whose name is "SecurityError", and terminate this algorithm. + +4. If the {{AssertionOptions/extensions}} member of {{options}} is present, process any extensions supported by this + client platform, to produce the extension data that needs to be sent to the authenticator. If an error is encountered while + processing an extension, skip that extension and do not produce any extension data for it. Call the result of this + processing |clientExtensions|. 5. Use {{assertionChallenge}}, |callerOrigin| and |rpId|, along with the token binding key associated with |callerOrigin| (if any), to create a {{ClientData}} structure representing this request. Choose a hash algorithm for {{ClientData/hashAlg}} and 
@@ -510,15 +512,15 @@ When this method is invoked, the user agent MUST execute the following algorithm 6. Initialize |issuedRequests| to an empty list. 7. For each authenticator currently available on this platform, perform the following steps: - - If {{AssertionOptions/allowList}} is empty, let |credentialList| be an empty list. Otherwise, execute a - platform-specific procedure to determine which, if any, credentials listed in {{AssertionOptions/allowList}} might be - present on this authenticator, and set |credentialList| to this filtered list. If no such filtering is possible, set - |credentialList| to an empty list. + - If the {{AssertionOptions/allowList}} member of {{options}} is empty, let |credentialList| be an empty list. Otherwise, + execute a platform-specific procedure to determine which, if any, credentials listed in {{AssertionOptions/allowList}} + might be present on this authenticator, and set |credentialList| to this filtered list. If no such filtering is + possible, set |credentialList| to an empty list. - For each credential C within the |credentialList| that has a non-empty |transports| list, optionally use only the specified transports to get assertions using credential C. - - If the above filtering process concludes that none of the credentials on {{AssertionOptions/allowList}} can possibly be on this - authenticator, do not perform any of the following steps for this authenticator, and proceed to the next authenticator - (if any). + - If the above filtering process concludes that none of the credentials on the {{AssertionOptions/allowList}} can possibly + be on this authenticator, do not perform any of the following steps for this authenticator, and proceed to the next + authenticator (if any). - Asynchronously invoke the authenticatorGetAssertion operation on this authenticator with |rpIdHash|, clientDataHash, |credentialList|, and |clientExtensions| as parameters. - Add an entry to |issuedRequests|, corresponding to this request.
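Review bot: In the first hunk (@@ -479,9 +479,10 @@, step 1), the new text links a bare {{options}} with no qualifier, while every other link in the step is qualified as {{AssertionOptions/...}}. Please confirm that the unqualified {{options}} resolves to the argument of getAssertion() and not to a same-named argument of another method in index.bs, or qualify the link. The closing sentence of the step ("If {{AssertionOptions/timeoutSeconds}} is not present") also drops the "member of {{options}}" phrasing used in the opening sentence; the two should be worded the same way.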
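Review bot: In the second hunk (@@ -491,17 +492,18 @@, step 3), the two reworded bullets still leave |rpId| holding different kinds of value: the "not present" bullet sets |rpId| to |callerOrigin|, which is an origin, while the "present" bullet sets it to the `host` computed by the document.domain procedure. Since |rpIdHash| is the SHA-256 hash of |rpId| and is what gets passed to the authenticator in step 7, the same relying party would hash to different values depending on whether it supplied rpId. While this text is being touched, please state what is hashed in the default case (for example the host of |callerOrigin|) and the exact serialization fed to SHA-256.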
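Review bot: In the third hunk (@@ -510,15 +512,15 @@, step 7, first bullet), the condition was reworded to "If the {{AssertionOptions/allowList}} member of {{options}} is empty", whereas the other steps in this patch now test whether a member "is present" or "is not present". As written, the case where allowList is not present at all is not covered. Suggest "is not present or is empty" if both are meant to give an empty |credentialList|. Separately, the same bullet yields an empty |credentialList| when no filtering is possible, and the third bullet skips the authenticator when filtering rules out every credential; both outcomes look identical from |credentialList| alone, so the text should say how the two are told apart.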