Commit 918351a0 authored by Martin Kreichgauer's avatar Martin Kreichgauer Committed by Commit Bot

fido: remove trailing "/" when defaulting the App ID to caller origin

In [0], the U2F spec says to default the App ID to the originating site's Facet
ID, which is (with some ambiguity) defined as the origin followed by a forward
slash [1]. Firefox and cryptotoken, on the other hand, default the App ID to just
the origin without any trailing path component. This change aligns Chrome's
behavior for App IDs in WebAuthn with that of cryptotoken and Firefox.

Also adds a check to ensure requests originating from cryptotoken do not have
an empty App ID because they cannot be defaulted in any meaningful way.

[0] https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html#determining-if-a-caller-s-facetid-is-authorized-for-an-appid
[1] https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html#determining-the-facetid-of-a-calling-application

Change-Id: Iab2c18f03fb92a150b00a56a1c39490e52188e0e
Reviewed-on: https://chromium-review.googlesource.com/c/1356223
Commit-Queue: Martin Kreichgauer <martinkr@chromium.org>
Reviewed-by: default avatarAdam Langley <agl@chromium.org>
Cr-Commit-Position: refs/heads/master@{#612533}
parent 9bebd3a8
...@@ -305,8 +305,21 @@ base::Optional<std::string> ProcessAppIdExtension( ...@@ -305,8 +305,21 @@ base::Optional<std::string> ProcessAppIdExtension(
std::string appid, std::string appid,
const url::Origin& caller_origin) { const url::Origin& caller_origin) {
if (appid.empty()) { if (appid.empty()) {
// See step two in the comments in |IsAppIdAllowedForOrigin|. if (OriginIsCryptoTokenExtension(caller_origin)) {
appid = caller_origin.Serialize() + "/"; // Cryptotoken must always set an App ID.
DCHECK(false);
return base::nullopt;
}
// While the U2F spec says to default the App ID to the Facet ID, which is
// the origin plus a trailing forward slash [1], cryptotoken and Firefox
// just use the site's Origin without trailing slash. We follow their
// implementations rather than the spec.
//
// [1]https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html#determining-the-facetid-of-a-calling-application
//
// Also see step two in the comments in |IsAppIdAllowedForOrigin|.
appid = caller_origin.Serialize();
} }
GURL appid_url = GURL(appid); GURL appid_url = GURL(appid);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment