w3c / webappsec-passkey-endpoints

A well-known URL for passkey relying party endpoints
https://w3c.github.io/webappsec-passkey-endpoints/

Should redirects be allowed? #2

Open timcappalli opened 10 months ago

timcappalli commented 10 months ago

The current spec text explicitly forbids returning redirects (301/302). A few early adopters are using redirects.

I've noticed two distinct patterns:

  1. Redirection of all bare domain requests to www (e.g. https://myco.com/.well-known/... >>> https://www.myco.com/.well-known/...)
  2. Redirection to a service-like domain (e.g. https://myco.com/.well-known/... >>> https://mycoobjects.com/.well-known/...)

I've also seen a combo of both (double redirect): bare >>> www >>> service

Pattern 1 is typically just due to the default configuration of the web server redirecting all requests to www. Exceptions can typically be added to these rewrite rules.

Progdrasil commented 10 months ago

I'll add my 2-cents that redirects that follow pattern 2 will most likely not be followed by 1Password for security reasons.

irew commented 10 months ago

The Apple requirements for this are:

You must host the file using https:// with a valid certificate and with no redirects.

And Android has the following requirements:

  • The assetlinks.json file is served with content-type application/json.
  • The assetlinks.json file must be accessible over an HTTPS connection, regardless of whether your app's intent filters declare HTTPS as the data scheme.
  • The assetlinks.json file must be accessible without any redirects (no 301 or 302 redirects).
  • If your app links support multiple host domains, then you must publish the assetlinks.json file on each domain. See Supporting app linking for multiple hosts.

If RPs are going to support mobile apps, perhaps it makes sense to have the same requirements in order to prep them for that? Or do we expect RPs that don't support mobile apps to require more freedom to host this in the way they want/need?

agl commented 10 months ago

We've heard from RPs that supporting redirects for passkey assetlinks.json fetches was important to them. In GMS Core beta you'll find that redirects are followed as long as they are all HTTPS URLs.
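The two policies discussed in this thread (no redirects at all, as the Apple and Android assetlinks requirements state, versus following redirects only while every hop stays HTTPS) are easy to confuse when testing a deployment. The checker below is an added example, not code from the spec, Apple, Google or 1Password; it assumes a well-known path of `/.well-known/passkey-endpoints`, a hop cap of 5, and uses an injectable fetch function so it can run offline against a constructed response chain.

```python
"""Check a well-known URL's redirect behaviour against two policies.

policy="strict":     any redirect fails (Apple/Android assetlinks rule).
policy="https-only": redirects are followed as long as every hop is HTTPS.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5  # assumption: small cap so a redirect loop terminates


def live_fetch(url):
    """Fetch one URL without following redirects -> (status, Location)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # refuse to follow; urllib raises HTTPError instead
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def check_endpoint(url, policy, fetch=live_fetch):
    """Return (ok, chain_of_urls, reason) for the given policy."""
    chain = [url]
    for _ in range(MAX_HOPS):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES:
            return status == 200, chain, "ok" if status == 200 else f"status {status}"
        if policy == "strict":
            return False, chain, f"redirect {status} not allowed"
        if not location:
            return False, chain, "redirect without Location"
        nxt = urljoin(chain[-1], location)  # Location may be relative
        chain.append(nxt)
        if urlsplit(nxt).scheme != "https":
            return False, chain, "non-HTTPS hop"
    return False, chain, "too many redirects"


# Constructed response chain (not real hosts): bare -> www (pattern 1),
# plus a deployment that downgrades to http on redirect.
CONSTRUCTED = {
    "https://myco.example/.well-known/passkey-endpoints":
        (301, "https://www.myco.example/.well-known/passkey-endpoints"),
    "https://www.myco.example/.well-known/passkey-endpoints": (200, None),
    "https://bad.example/.well-known/passkey-endpoints":
        (302, "http://bad.example/.well-known/passkey-endpoints"),
}


def constructed_fetch(url):
    return CONSTRUCTED[url]
```

`check_endpoint(url, "strict")` with the default `live_fetch` runs the same check against a real deployment.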

Progdrasil commented 10 months ago

I'd be curious to know the use cases of an app not giving the direct URL to the asset links.

agl commented 10 months ago

> I'd be curious to know the use cases of an app not giving the direct URL to the asset links.

The RP ID is usually the bare domain (example.com) but the infrastructure of several RPs is such that they can only serve redirects from their bare domain and all content serving happens from a subdomain.

Progdrasil commented 10 months ago

The RP ID, yes, but when checking assetlinks from an app we get it from its manifest; they should be able to provide a direct link from the manifest. As long as the rpId matches the TLD+x of that URL it should be fine.