
CollectedClientData.crossOrigin not referenced in RP ops #2113

Open
emlun opened this issue Aug 7, 2024 · 1 comment · May be fixed by #2166
emlun commented Aug 7, 2024

Both §7. WebAuthn Relying Party Operations instruct to validate CollectedClientData.origin and .topOrigin (if present), but do not reference crossOrigin at all.

Proposed Change

Add a step to verify crossOrigin in the RP operations. For example:

@emlun emlun self-assigned this Aug 7, 2024
@emlun emlun changed the title CollectedClientData.crossOrigin not referenced in RP CollectedClientData.crossOrigin not referenced in RP ops Aug 7, 2024
zacknewman commented Aug 7, 2024

Serialization requires crossOrigin, so the conditional "if" is not needed:

If C.crossOrigin is set to true, verify that the Relying Party expects that this credential would have been created within an iframe that is not same-origin with its ancestors.

Related, should topOrigin validation be a sub-step since it should never be set when crossOrigin is false?
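Added example (not from the spec, the issue or either commenter): one way an RP could apply the checks discussed above to a decoded clientDataJSON, treating crossOrigin as required and topOrigin as valid only alongside crossOrigin:true. The policy object shape (allowedOrigins, allowCrossOrigin, allowedTopOrigins) and the sample client data strings are assumptions constructed for the example; the other §7 steps (type, challenge, signature) are omitted.

```javascript
// Assumed RP policy shape (not from the spec): which origins may host the
// ceremony, whether an iframe (cross-origin) ceremony is acceptable at all,
// and which top-level origins may embed the RP when it is.
const EXAMPLE_POLICY = {
  allowedOrigins: ["https://rp.example"],
  allowCrossOrigin: true,
  allowedTopOrigins: ["https://embedder.example"],
};

// Constructed sample client data (decoded clientDataJSON), not captured traffic.
const SAME_ORIGIN_CLIENT_DATA =
  '{"type":"webauthn.get","challenge":"c2FtcGxl","origin":"https://rp.example","crossOrigin":false}';
const CROSS_ORIGIN_CLIENT_DATA =
  '{"type":"webauthn.get","challenge":"c2FtcGxl","origin":"https://rp.example","crossOrigin":true,"topOrigin":"https://embedder.example"}';
const INCONSISTENT_CLIENT_DATA =
  '{"type":"webauthn.get","challenge":"c2FtcGxl","origin":"https://rp.example","crossOrigin":false,"topOrigin":"https://embedder.example"}';
const LEGACY_CLIENT_DATA =
  '{"type":"webauthn.get","challenge":"c2FtcGxl","origin":"https://rp.example"}';

// Returns { ok, reason } so callers can log the failing step.
function validateClientDataOrigins(clientDataJSON, policy) {
  const C = JSON.parse(clientDataJSON);

  // Existing §7 step: origin must be one the RP actually serves from.
  if (!policy.allowedOrigins.includes(C.origin)) {
    return { ok: false, reason: "unexpected origin" };
  }
  // Serialization always emits crossOrigin, so a missing or non-boolean value
  // is treated as malformed client data rather than silently read as false.
  if (typeof C.crossOrigin !== "boolean") {
    return { ok: false, reason: "crossOrigin missing or not a boolean" };
  }
  // Proposed step: a ceremony run inside a non-same-origin iframe is only
  // acceptable if this RP expects to be embedded that way.
  if (C.crossOrigin && !policy.allowCrossOrigin) {
    return { ok: false, reason: "cross-origin ceremony not expected" };
  }
  if (C.topOrigin !== undefined) {
    // topOrigin only makes sense for a cross-origin ceremony; reject the
    // combination topOrigin present + crossOrigin:false as inconsistent.
    if (!C.crossOrigin) {
      return { ok: false, reason: "topOrigin present but crossOrigin is false" };
    }
    // Existing §7 step: topOrigin (if present) must be an expected embedder.
    if (!policy.allowedTopOrigins.includes(C.topOrigin)) {
      return { ok: false, reason: "unexpected topOrigin" };
    }
  }
  return { ok: true, reason: "" };
}
```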

@nadalin nadalin added this to the L3-WD-02 milestone Sep 11, 2024
@nadalin nadalin added @Risk Items that are at risk for L3 and removed subtype:rp-ops labels Sep 11, 2024
@emlun emlun linked a pull request Oct 1, 2024 that will close this issue