Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add indication of cross-origin operation in collectedClientData #1276

Merged
merged 6 commits into from
Nov 6, 2019
Merged

add indication of cross-origin operation in collectedClientData #1276

merged 6 commits into from
Nov 6, 2019

Conversation

equalsJeffH
Copy link
Contributor

@equalsJeffH equalsJeffH commented Aug 14, 2019
edited by pr-preview bot
Loading

fixes #1271 #911

This webauthn PR is associated with w3c/webappsec-credential-management#138. It eliminates the sameOriginWithAncestors check from both [[Create]]() and [[DiscoverFrom...]]() and instead adds the inverse of it's value to collectedClientData in the form of the crossOrigin boolean.

Cross-origin usage is now gated upon feature policy, per w3c/webappsec-credential-management#138. Credman+WebAuthn default behavior remains the same as before: allowed in same-origin contexts, disallowed in cross-origin contexts. Cross-origin usage can now be attained by the RP webdev/author by explicitly setting the publickey-credentials feature policy.

see also: w3c/webappsec-credential-management#138 (comment)

Preview | Diff

@equalsJeffH equalsJeffH added this to the L2-WD-02 milestone Aug 14, 2019
@equalsJeffH equalsJeffH self-assigned this Aug 14, 2019
@emlun emlun added the stat:Blocked Prerequisites are not yet satisfied label Aug 14, 2019
@emlun
Copy link
Member

emlun commented Aug 14, 2019

Blocked awaiting work in CredMan

emlun
emlun reviewed Aug 19, 2019
View reviewed changes
Copy link
Member

@emlun emlun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a breaking change, right?

index.bs Outdated Show resolved Hide resolved
index.bs Show resolved Hide resolved
@agl
Copy link
Contributor

agl commented Aug 19, 2019

This is a breaking change, right?

No? It allows operations that were previously forbidden, I don't think it stops anything that was previously allowed.

@ve7jtb
Copy link
Contributor

ve7jtb commented Aug 19, 2019

It shouldn't break anything. The one exception to that might be some servers that won't understand the new elements in client data. But only servers explicitly allowing this should ever see that.
This should not change anything for the normal case.

@emlun
Copy link
Member

emlun commented Aug 21, 2019

Yeah, ok, it won't break the WebAuthn API, but I was thinking it's a breaking change to the internal browser APIs. But I guess that is already the case for L2 anyway.

@equalsJeffH equalsJeffH changed the title change sameOriginWithAncestors to crossOrigin, add the latter to collectedClientData add indication of cross-origin operation in collectedClientData Oct 29, 2019
@equalsJeffH equalsJeffH mentioned this pull request Oct 29, 2019
Closed
@equalsJeffH @emlun
evauated -> evaluated
4438597 
Co-Authored-By: Emil Lundberg <emil@yubico.com>
@equalsJeffH equalsJeffH removed the stat:Blocked Prerequisites are not yet satisfied label Oct 29, 2019
@equalsJeffH
Copy link
Contributor Author

this is ready to re-review in conjunction with w3c/webappsec-credential-management#138.

Note: I've updated the original post and this PR's title to reflect the current state of things.

@equalsJeffH equalsJeffH mentioned this pull request Oct 30, 2019
Closed
@nadalin
Copy link
Contributor

nadalin commented Nov 4, 2019

@akshayku Please review so we can close this out or move it to next WD

@equalsJeffH equalsJeffH merged commit 8927216 into master Nov 6, 2019
WebAuthnBot pushed a commit that referenced this pull request Nov 6, 2019
Built by Travis-CI: 8927216 add indication of cross-origin operation …
823d230 
…in `collectedClientData` (#1276)
@emlun emlun deleted the jeffh-polish-feature-policy-handling branch November 20, 2019 10:24
@emlun
Copy link
Member

emlun commented Nov 20, 2019

Could someone help refresh my memory on this? At some point we discussed making origin a list of the origins in the hierarchy instead of just indicating cross-origin with a Boolean flag. What was the rationale for giving the RP only the innermost-embedded origin, and not the whole hierarchy?

jcjones added a commit to jcjones/webauthn that referenced this pull request Mar 24, 2020
@jcjones
Prohibit Create Credential from cross-origin iframes
c7a8576 
This reverts part of PR w3c#1276, again prohibiting the use of the Create method
when `sameOriginWithAncestors` is `false`. The `Note` is simplified, since
the integration between Credential Management and Feature Policy is now
complete.
@jcjones jcjones mentioned this pull request Mar 24, 2020
Merged
jcjones added a commit to jcjones/webauthn that referenced this pull request Mar 25, 2020
@jcjones
Prohibit Create Credential from cross-origin iframes
f43b70e 
This reverts part of PR w3c#1276, again prohibiting the use of the Create method
when `sameOriginWithAncestors` is `false`. The `Note` is simplified, since
the integration between Credential Management and Feature Policy is now
complete.
equalsJeffH added a commit that referenced this pull request Apr 9, 2020
@jcjones @equalsJeffH
Prohibit Create Credential from cross-origin iframes (#1394)
6626671 
* Prohibit Create Credential from cross-origin iframes

This reverts part of PR #1276, again prohibiting the use of the Create method
when `sameOriginWithAncestors` is `false`. The `Note` is simplified, since
the integration between Credential Management and Feature Policy is now
complete.

* Split the feature-policy definition, per review comments

* Apply suggestions from code review

Co-Authored-By: =JeffH <jdhodges@google.com>

Co-authored-by: =JeffH <jdhodges@google.com>
This was referenced Aug 7, 2024
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@akshayku akshayku akshayku approved these changes

@emlun emlun emlun approved these changes

@jcjones jcjones jcjones approved these changes

@agl agl agl approved these changes

Assignees

@equalsJeffH equalsJeffH

Labels
subtype:algorithms/WebIDL subtype:credman type:technical
Projects
None yet
Milestone
L2-WD-02
Development

Successfully merging this pull request may close these issues.

add indication of embedded and cross-origin operation in collectedClientData
7 participants
@equalsJeffH @emlun @agl @ve7jtb @nadalin @jcjones @akshayku