
Redirected Icon Validation #1139

Closed
akshayku opened this issue Jan 17, 2019 · 5 comments

@akshayku
Contributor

akshayku commented Jan 17, 2019

Currently Icon in the spec is marked as "This URL MUST be an a priori authenticated URL." and currently the FIDO2/WebAuthN conformance tests include a test where the icon supplied by the test is an HTTPS URL that redirects to an HTTP URL, and the test expects an error from the browser during the MakeCredential/Create call.

But there is no protection requiring this icon to be from the same origin, and it can be used to fool the user. For example, a bad RP uses a well-known image to fool the user. Another issue with redirected URLs is that they can change over time. So, in our opinion, they must only be checked when actually shown/rendered to the user.

We at Microsoft, for security reasons, don't support icon fetching on our platform when we show the multiple-account selection UI, where this icon could be rendered and is applicable. This applies to the platform case as well as the external security key case. If and when we decide to support this, we will do the validations at that point and ignore these redirected HTTPS-to-HTTP URLs. So there is no security issue as of now w.r.t. these URLs, as we don't support them for now.

So IMO, this test should be removed from the makeCredential/Create layer and should only apply to platforms if and when they are actually using the icon in the multiple-account selection UI during the getAssertion/Get call.

@akshayku
Contributor Author

@christiaanbrand / @agl, What do you guys do in your platform?

@akshayku akshayku added this to the L2-WD-00 milestone Jan 17, 2019
@agl
Contributor

agl commented Jan 17, 2019

We do not currently process icons, so have no applicable behaviour here. However, if we did, I don't think that we would be comfortable fetching the icon when displaying the account chooser because that would disclose to the network and server that a given account was displayed. So we would likely try to fetch and cache the icon at registration time, perhaps turning it into a data URL. Likewise, we would not look kindly on a redirect to HTTP.
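Neither platform in this thread actually fetches icons, so the following is an added illustration, not code from the WebAuthn spec, Windows, or Chrome. It implements the approach agl sketches above, and the check the conformance test described in the opening comment exercises: the icon is fetched once at registration time rather than when the account chooser is shown, redirects are followed manually, any hop that is not an a priori authenticated (HTTPS) URL is rejected before a request is issued for it, and the result is cached as a data URL. The `fetch` callable, the `rp.example` URLs, and the stub PNG bytes are all constructed for the example.

```python
import base64
from urllib.parse import urljoin, urlparse

MAX_REDIRECTS = 5
MAX_ICON_BYTES = 64 * 1024


class IconValidationError(ValueError):
    """Raised when an icon URL, or any redirect hop, fails validation."""


def is_a_priori_authenticated(url):
    """Only https:// URLs with a host count as 'a priori authenticated'."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def to_data_url(content_type, body):
    """Encode fetched bytes as a data URL so later display needs no network."""
    return "data:%s;base64,%s" % (content_type, base64.b64encode(body).decode("ascii"))


def fetch_icon_as_data_url(url, fetch, max_redirects=MAX_REDIRECTS, max_bytes=MAX_ICON_BYTES):
    """Resolve `url` at registration time and return a cached data URL.

    `fetch(url)` is an injected transport returning (status, headers, body);
    it is only ever called for URLs that have already passed the HTTPS check,
    so a redirect to http:// never results in a cleartext request.
    """
    seen = []
    current = url
    for _ in range(max_redirects + 1):
        if not is_a_priori_authenticated(current):
            raise IconValidationError("not an a priori authenticated URL: %s" % current)
        if current in seen:
            raise IconValidationError("redirect loop at %s" % current)
        seen.append(current)

        status, headers, body = fetch(current)
        if status in (301, 302, 303, 307, 308):
            location = headers.get("location")
            if location is None:
                raise IconValidationError("redirect without Location from %s" % current)
            # Resolve relative Locations against the current hop; the scheme
            # of the result is re-checked at the top of the next iteration.
            current = urljoin(current, location)
            continue
        if status != 200:
            raise IconValidationError("unexpected status %d from %s" % (status, current))

        content_type = headers.get("content-type", "")
        if not content_type.startswith("image/"):
            raise IconValidationError("not an image: %r" % content_type)
        if len(body) > max_bytes:
            raise IconValidationError("icon too large: %d bytes" % len(body))
        return to_data_url(content_type, body)
    raise IconValidationError("too many redirects starting from %s" % url)


# Constructed stand-in for the network: PNG signature plus padding, not a real image.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
CONSTRUCTED_RESPONSES = {
    "https://rp.example/icon.png": (200, {"content-type": "image/png"}, PNG_BYTES),
    "https://rp.example/old-icon.png": (302, {"location": "/icon.png"}, b""),
    # The downgrade case from the conformance test: HTTPS redirecting to HTTP.
    "https://rp.example/downgrade.png": (302, {"location": "http://rp.example/icon.png"}, b""),
    "https://rp.example/loop-a": (302, {"location": "https://rp.example/loop-b"}, b""),
    "https://rp.example/loop-b": (302, {"location": "https://rp.example/loop-a"}, b""),
}


def constructed_fetch(url):
    """Offline transport over the constructed table; unknown URLs are 404."""
    return CONSTRUCTED_RESPONSES.get(url, (404, {}, b""))


if __name__ == "__main__":
    print(fetch_icon_as_data_url("https://rp.example/old-icon.png", constructed_fetch))
    for bad in ("https://rp.example/downgrade.png", "https://rp.example/loop-a", "http://rp.example/icon.png"):
        try:
            fetch_icon_as_data_url(bad, constructed_fetch)
        except IconValidationError as err:
            print("rejected:", err)
```

The ordering matters: the scheme check runs before `fetch`, so the HTTPS-to-HTTP downgrade is rejected without the http:// URL ever being requested, and because the fetch happens once at registration, displaying the chooser later reveals nothing to the RP's server about which accounts were shown.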

@akshayku
Contributor Author

Thanks @agl. That would be another way.

@herrjemand, looks like both the Windows and Android platforms are not processing/supporting icons. And this test only makes sense if platforms supported icons in any manner. So we can either remove the test or not treat passing this test as mandatory if a platform does not support icons.

@yackermann
Contributor

Okay, I agree that this test is not applicable at this moment.

@akshayku
Contributor Author

Thanks Yuriy.
