fido: remove trailing "/" when defaulting the App ID to caller origin

In [0], the U2F spec says to default the App ID to the originating site's Facet ID, which is (with some ambiguity) defined as the origin followed by a forward slash [1]. Firefox and cryptotoken, on the other hand, default the App ID to just the origin without any trailing path component. This change aligns Chrome's behavior for App IDs in WebAuthn with that of cryptotoken and Firefox. Also adds a check to ensure requests originating from cryptotoken do not have an empty App ID because they cannot be defaulted in any meaningful way. [0] https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html#determining-if-a-caller-s-facetid-is-authorized-for-an-appid [1] https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html#determining-the-facetid-of-a-calling-application Change-Id: Iab2c18f03fb92a150b00a56a1c39490e52188e0e Reviewed-on: https://chromium-review.googlesource.com/c/1356223 Commit-Queue: Martin Kreichgauer <martinkr@chromium.org> Reviewed-by: Adam Langley <agl@chromium.org> Cr-Commit-Position: refs/heads/master@{#612533}

fido: remove trailing "/" when defaulting the App ID to caller origin
In [0], the U2F spec says to default the App ID to the originating site's Facet ID, which is (with some ambiguity) defined as the origin followed by a forward slash [1]. Firefox and cryptotoken, on the other hand, default the App ID to just the origin without any trailing path component. This change aligns Chrome's behavior for App IDs in WebAuthn with that of cryptotoken and Firefox. Also adds a check to ensure requests originating from cryptotoken do not have an empty App ID because they cannot be defaulted in any meaningful way. [0] https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html#determining-if-a-caller-s-facetid-is-authorized-for-an-appid [1] https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html#determining-the-facetid-of-a-calling-application Change-Id: Iab2c18f03fb92a150b00a56a1c39490e52188e0e Reviewed-on: https://chromium-review.googlesource.com/c/1356223 Commit-Queue: Martin Kreichgauer <martinkr@chromium.org> Reviewed-by: Adam Langley <agl@chromium.org> Cr-Commit-Position: refs/heads/master@{#612533}
918351a0 · Martin Kreichgauer · Commit Bot · 9bebd3a8 · 918351a0
Commit 918351a0 authored Nov 30, 2018 by Martin Kreichgauer Committed by Commit Bot Nov 30, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 2 deletions

content/browser/webauth/authenticator_impl.cc content/browser/webauth/authenticator_impl.cc +15 -2

No files found.
--- a/content/browser/webauth/authenticator_impl.cc
+++ b/content/browser/webauth/authenticator_impl.cc
@@ -305,8 +305,21 @@ base::Optional<std::string> ProcessAppIdExtension(
    std::string appid,
    const url::Origin& caller_origin) {
  if (appid.empty()) {
-    // See step two in the comments in |IsAppIdAllowedForOrigin|.
-    appid = caller_origin.Serialize() + "/";
+    if (OriginIsCryptoTokenExtension(caller_origin)) {
+      // Cryptotoken must always set an App ID.
+      DCHECK(false);
+      return base::nullopt;
+    }
+
+    // While the U2F spec says to default the App ID to the Facet ID, which is
+    // the origin plus a trailing forward slash [1], cryptotoken and Firefox
+    // just use the site's Origin without trailing slash. We follow their
+    // implementations rather than the spec.
+    //
+    // [1]https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html#determining-the-facetid-of-a-calling-application
+    //
+    // Also see step two in the comments in |IsAppIdAllowedForOrigin|.
+    appid = caller_origin.Serialize();
  }

  GURL appid_url = GURL(appid);