Restrict WebAuthN to "secure and same-origin with all their ancestors"

Bug: 828958
Change-Id: Ie24fb55ddf5b8180036e830cd73ae58b0fb2ccd5
Reviewed-on: https://chromium-review.googlesource.com/994177
Commit-Queue: Kim Paulhamus <kpaulhamus@chromium.org>
Reviewed-by: Balazs Engedy <engedy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#550447}

third_party/WebKit/LayoutTests/http/tests/credentialmanager/publickeycredential-same-origin-with-ancestors.html

+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script>
+
+if (document.location.host != "subdomain.example.test:8443") {
+  document.location = "https://subdomain.example.test:8443/credentialmanager/publickeycredential-same-origin-with-ancestors.html";
+  promise_test(_ => new Promise(_ => {}), "Stall tests on the wrong host.");
+}
+
+const SAME_ORIGIN = "https://subdomain.example.test:8443";
+const CROSS_ORIGIN = "https://notexample.test:8443";
+
+const VALID_IFRAME_CASES = [
+    { 'outerOrigin': SAME_ORIGIN,
+      'innerOrigin': ''},
+    { 'outerOrigin': SAME_ORIGIN,
+      'innerOrigin': SAME_ORIGIN}
+];
+
+const INVALID_IFRAME_CASES = [
+    { 'outerOrigin': CROSS_ORIGIN,
+      'innerOrigin': ''},
+    { 'outerOrigin': SAME_ORIGIN,
+      'innerOrigin': CROSS_ORIGIN},
+    { 'outerOrigin': CROSS_ORIGIN,
+      'innerOrigin': SAME_ORIGIN},
+    { 'outerOrigin': CROSS_ORIGIN,
+      'innerOrigin': CROSS_ORIGIN},
+];
+
+const HELPER_FILES = [
+    'publickey-create-helper.html', 'publickey-get-helper.html'
+];
+
+function createNestedIframeTest(outerOrigin, innerOrigin, expectation, helperfile) {
+    return function (t) {
+        window.addEventListener("load", _ => {
+            var iframe = document.createElement("iframe");
+            if (innerOrigin) {
+                // Nested iframe
+                iframe.src = outerOrigin + "/credentialmanager/resources/echoing-nester.html?origin="
+                    + innerOrigin + "&file=" + helperfile;
+            } else {
+                iframe.src = outerOrigin + "/credentialmanager/resources/" + helperfile;
+            }
+            window.addEventListener("message", t.step_func(e => {
+                if (e.source == iframe.contentWindow) {
+                    assert_equals(e.data, expectation);
+                    t.done();
+                }
+            }));
+            document.body.appendChild(iframe);
+        });
+    };
+}
+
+for (let test of VALID_IFRAME_CASES) {
+    for (let file of HELPER_FILES) {
+        async_test(createNestedIframeTest(test.outerOrigin, test.innerOrigin, "SUCCESS", file),
+        file + " with inner origin: " + test.innerOrigin + ", outer origin: " + test.outerOrigin + "succeeds");
+    }
+}
+
+for (let test of INVALID_IFRAME_CASES) {
+    for (let file of HELPER_FILES) {
+        async_test(createNestedIframeTest(test.outerOrigin, test.innerOrigin, "NotAllowedError",file),
+        file + " with inner origin: " + test.innerOrigin + ", outer origin: " + test.outerOrigin + "fails");
+    }
+}
+
+</script>

third_party/WebKit/LayoutTests/http/tests/credentialmanager/resources/echoing-nester.html

+<body>
+  <script>
+    window.addEventListener('message', m => {
+      window.parent.postMessage(m.data, '*');
+    });
+
+    var u = new URL(window.location.href);
+    var origin = u.searchParams.has('origin') ? u.searchParams.get('origin') : window.origin;
+    var file = u.searchParams.has('file') ? u.searchParams.get('file') : 'passwordcredential-get.html';
+
+    var url = origin + "/credentialmanager/resources/" + file;
+    var i = document.createElement('iframe');
+    i.src = url;
+    document.body.appendChild(i);
+  </script>
+</body>

third_party/WebKit/LayoutTests/http/tests/credentialmanager/resources/publickey-create-helper.html

@@ -12,7 +12,7 @@ mockAuthenticator.setAttestationObject(ATTESTATION_OBJECT);
 mockAuthenticator.setAuthenticatorStatus(
     webauth.mojom.AuthenticatorStatus.SUCCESS);
 let queryParams = new URLSearchParams(window.location.search);
-let relyingPartyId = queryParams.get('rpId');
+var relyingPartyId = queryParams.has('rpId') ? queryParams.get('rpId') : document.domain;
 var customPublicKey = {
     challenge: CHALLENGE,
     rp: { id: relyingPartyId, name: "Acme" },
@@ -20,7 +20,9 @@ var customPublicKey = {
     pubKeyCredParams: PUBLIC_KEY_PARAMETERS,
 };
 
+let responder =  window.opener || window.parent;
+
 navigator.credentials.create({publicKey : customPublicKey})
-  .then(r => window.opener.postMessage("SUCCESS", "*"))
-  .catch(t => window.opener.postMessage(t.name, "*"));
+  .then(r => responder.postMessage("SUCCESS", "*"))
+  .catch(t => responder.postMessage(t.name, "*"));
 </script>

third_party/WebKit/LayoutTests/http/tests/credentialmanager/resources/publickey-get-helper.html

@@ -13,15 +13,16 @@ mockAuthenticator.setSignature(SIGNATURE);
 mockAuthenticator.setAuthenticatorStatus(
     webauth.mojom.AuthenticatorStatus.SUCCESS);
 let queryParams = new URLSearchParams(window.location.search);
-let relyingPartyId = queryParams.get('rpId');
-
+var relyingPartyId = queryParams.has('rpId') ? queryParams.get('rpId') : document.domain;
 var customPublicKey = {
     challenge: CHALLENGE,
     rpId: relyingPartyId,
     allowCredentials: [ACCEPTABLE_CREDENTIAL]
 };
 
+let responder =  window.opener || window.parent;
+
 navigator.credentials.get({publicKey : customPublicKey})
-  .then(r => window.opener.postMessage("SUCCESS", "*"))
-  .catch(t => window.opener.postMessage(t.name, "*"));
+  .then(r => responder.postMessage("SUCCESS", "*"))
+  .catch(t => responder.postMessage(t.name, "*"));
 </script>

third_party/blink/renderer/modules/credentialmanager/credentials_container.cc

@@ -124,9 +124,10 @@ bool CheckSecurityRequirementsBeforeRequest(
       !IsSameOriginWithAncestors(resolver->GetFrame())) {
     resolver->Reject(DOMException::Create(
         kNotAllowedError,
-        "`PasswordCredential` and `FederatedCredential` objects may only be "
-        "stored/retrieved in a document which is same-origin with all of its "
-        "ancestors."));
+        "The following credential operations can only occur in a document which"
+        " is same-origin with all of its ancestors: "
+        "storage/retrieval of 'PasswordCredential' and 'FederatedCredential', "
+        "and creation/retrieval of 'PublicKeyCredential'"));
     return false;
   }
 
@@ -427,10 +428,7 @@ ScriptPromise CredentialsContainer::get(
   ScriptPromiseResolver* resolver = ScriptPromiseResolver::Create(script_state);
   ScriptPromise promise = resolver->Promise();
 
-  auto required_origin_type =
-      options.hasFederated() || options.hasPassword()
-          ? RequiredOriginType::kSecureAndSameWithAncestors
-          : RequiredOriginType::kSecure;
+  auto required_origin_type = RequiredOriginType::kSecureAndSameWithAncestors;
   if (!CheckSecurityRequirementsBeforeRequest(resolver, required_origin_type))
     return promise;
 
@@ -557,7 +555,10 @@ ScriptPromise CredentialsContainer::create(
   ScriptPromiseResolver* resolver = ScriptPromiseResolver::Create(script_state);
   ScriptPromise promise = resolver->Promise();
 
-  const auto required_origin_type = RequiredOriginType::kSecure;
+  auto required_origin_type =
+      options.hasPublicKey() ? RequiredOriginType::kSecureAndSameWithAncestors
+                             : RequiredOriginType::kSecure;
+
   if (!CheckSecurityRequirementsBeforeRequest(resolver, required_origin_type))
     return promise;