Add security consideration: Code injection attacks

This addresses issue #1731. See: #1731
w3c · May 26, 2022 · e08a231 · e08a231
1 parent 4442cb3
commit e08a231
Showing 1 changed file with 35 additions and 0 deletions.
diff --git a/index.bs b/index.bs
@@ -6898,6 +6898,41 @@ This issue is similar to the one described in [[#sctn-username-enumeration]]
 and [[#sctn-credential-id-privacy-leak]], and can be mitigated in similar ways.
 
 
+### Code injection attacks ### {#sctn-code-injection}
+
+Any malicious code executing on an
+[=determines the set of origins on which the public key credential may be exercised|origin=]
+within the [=scope=] of a [=[RP]=]' [=public key credentials=]
+has the potential to invalidate any and all security guarantees WebAuthn may provide.
+[=[WAC]s=] only expose the WebAuthn API in [=secure contexts=],
+which mitigates the most basic attacks but SHOULD be combined with additional precautions by [=[RPS]=].
+
+Code injection can happen in several ways;
+this section attempts to point out some likely scenarios and suggest suitable mitigations,
+but is not an exhaustive list.
+
+  - Malicous code could be injected by a third-party script included by the [=[RP]=],
+    either intentionally or due to a security vulnerability in the third party.
+
+    The [=[RP]=] therefore SHOULD limit the amount of third-party script included on the
+    [=determines the set of origins on which the public key credential may be exercised|origins=]
+    within the [=scope=] of its [=credentials=].
+
+    The [=[RP]=] SHOULD use Content Security Policy [[!CSP2]],
+    and/or other appropriate technologies available at the time, to limit what script can run on its
+    [=determines the set of origins on which the public key credential may be exercised|origins=].
+
+  - Malicious code could, by the credential [=scope=] rules, be hosted on a subdomain of the [=RP ID=].
+    For example, user-submitted code hosted on `usercontent.example.org`
+    could exercise any [=credentials=] [=scoped=] to the [=RP ID=] `example.org`.
+    Malicious code could use this to launch a [=man-in-the-middle attack=]
+    to obtain valid [=authentication assertions=] and impersonate the victims of the attack.
+
+    The [=[RP]=] therefore MUST NOT serve untrusted code on any subdomain of any
+    [=determines the set of origins on which the public key credential may be exercised|origin=]
+    within the [=scope=] of its [=public key credentials=].
+
+
 # Privacy Considerations # {#sctn-privacy-considerations}
 
 The privacy principles in [[!FIDO-Privacy-Principles]] also apply to this specification.