[WebAuthN] Add a quirk for google.com when processing AppID extension
author: jiewen_tan@apple.com <jiewen_tan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 2 May 2019 19:15:08 +0000 (19:15 +0000)
committer: jiewen_tan@apple.com <jiewen_tan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 2 May 2019 19:15:08 +0000 (19:15 +0000)
https://bugs.webkit.org/show_bug.cgi?id=196046
<rdar://problem/49088479>

Reviewed by Brent Fulgham.

Relaxing the same site restriction on AppID while in google.com and any
of its subdomains to allow two www.gstatic.com AppIDs to slip in.

Covered by manual tests on Google.com.

* Modules/webauthn/AuthenticatorCoordinator.cpp:
(WebCore::AuthenticatorCoordinatorInternal::needsAppIdQuirks):
(WebCore::AuthenticatorCoordinatorInternal::processAppIdExtension):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@244879 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp

index 0b22339..2446229 100644 (file)
@@ -1,3 +1,20 @@
+2019-05-02  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthN] Add a quirk for google.com when processing AppID extension
+        https://bugs.webkit.org/show_bug.cgi?id=196046
+        <rdar://problem/49088479>
+
+        Reviewed by Brent Fulgham.
+
+        Relaxing the same site restriction on AppID while in google.com and any
+        of its subdomains to allow two www.gstatic.com AppIDs to slip in.
+
+        Covered by manual tests on Google.com.
+
+        * Modules/webauthn/AuthenticatorCoordinator.cpp:
+        (WebCore::AuthenticatorCoordinatorInternal::needsAppIdQuirks):
+        (WebCore::AuthenticatorCoordinatorInternal::processAppIdExtension):
+
 2019-05-02  Ross Kirsling  <ross.kirsling@sony.com>
 
         Unreviewed fix for non-unified build after r244853.
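Review bot: The ChangeLog records only "manual tests on Google.com", yet the new `needsAppIdQuirks(host, appId)` is a pure function of two strings and is the kind of allow-list logic that deserves an automated check (exact `google.com`, a `.google.com` subdomain, a host that merely ends in `google.com`, and a non-listed gstatic AppID). The entry also omits the sunset that the code comment carries (FIXME(197524), removal in 2023); stating it here as well keeps the temporary nature of the relaxation visible in the history.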
index 9573927..a4d20ac 100644 (file)
@@ -80,6 +80,17 @@ static Vector<uint8_t> produceClientDataJsonHash(const ArrayBuffer& clientDataJs
     return crypto->computeHash();
 }
 
+static bool needsAppIdQuirks(const String& host, const String& appId)
+{
+    // FIXME(197524): Remove this quirk in 2023. As an early adopter of U2F features, Google has a large number of
+    // existing device registrations that authenticate 'google.com' against 'gstatic.com'. Firefox and other browsers
+    // have agreed to grant an exception to the AppId rules for a limited time period (5 years from January, 2018) to
+    // allow existing Google users to seamlessly transition to proper WebAuthN behavior.
+    if (equalLettersIgnoringASCIICase(host, "google.com") || host.endsWithIgnoringASCIICase(".google.com"))
+        return (appId == "https://www.gstatic.com/securitykey/origins.json"_s) || (appId == "https://www.gstatic.com/securitykey/a/google.com/origins.json"_s);
+    return false;
+}
+
 // The following roughly implements Step 1-3 of the spec to avoid the complexity of making unnecessary network requests:
 // https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-appid-and-facets-v2.0-id-20180227.html#determining-if-a-caller-s-facetid-is-authorized-for-an-appid
 // It follows what Chrome and Firefox do, see:
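Review bot: `needsAppIdQuirks` matches on host and AppID string only and says nothing about the scheme, so it is correct solely because the caller compares `facetId.protocol()` with `appIdURL.protocol()` before consulting it; that precondition is not written down here. Suggest either stating it in the comment (`// Caller has already verified the facet scheme matches the AppID scheme.`) or having the function refuse anything but an https facet, so it stays safe if reused. The host test (`equalLettersIgnoringASCIICase(host, "google.com") || host.endsWithIgnoringASCIICase(".google.com")`) correctly rejects look-alike hosts that only end in the string `google.com` without the dot, and the exact `==` comparison of the AppID (no URL normalisation of case, trailing slash or path) is the right conservative choice for a two-entry allow-list; the FIXME with its removal date is also the right way to mark this as a time-boxed exception.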
@@ -96,7 +107,7 @@ static String processAppIdExtension(const SecurityOrigin& facetId, const String&
 
     // Step 3. Relax the comparison to same site.
     URL appIdURL(URL(), appId);
-    if (!appIdURL.isValid() || facetId.protocol() != appIdURL.protocol() || RegistrableDomain(appIdURL) != RegistrableDomain::uncheckedCreateFromHost(facetId.host()))
+    if (!appIdURL.isValid() || facetId.protocol() != appIdURL.protocol() || (RegistrableDomain(appIdURL) != RegistrableDomain::uncheckedCreateFromHost(facetId.host()) && !needsAppIdQuirks(facetId.host(), appId)))
         return String();
     return appId;
 }
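Review bot: The `// Step 3. Relax the comparison to same site.` comment no longer describes the condition beneath it, which now also admits the google.com quirk; update it to say that the same-site test is bypassed only for the AppIDs listed in `needsAppIdQuirks`. The grouping `(RegistrableDomain(appIdURL) != ... && !needsAppIdQuirks(facetId.host(), appId))` is correct and keeps the validity and scheme checks ahead of the quirk, but the line is long enough that a named intermediate (for example `bool isSameSite = RegistrableDomain(appIdURL) == RegistrableDomain::uncheckedCreateFromHost(facetId.host());`) would make the evaluation order obvious to the next reader.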