w3c / webauthn

Web Authentication: An API for accessing Public Key Credentials
https://w3c.github.io/webauthn/

CollectedClientData.crossOrigin not referenced in RP ops #2113

Closed emlun closed 3 weeks ago

emlun commented 3 months ago

Both §7. WebAuthn Relying Party Operations instruct to validate CollectedClientData.origin and .topOrigin (if present), but do not reference crossOrigin at all.

Proposed Change

Add a step to verify crossOrigin in the RP operations. For example:

zacknewman commented 3 months ago

Serialization requires crossOrigin, so the conditional "if" is not needed:

If C.crossOrigin is set to true, verify that the Relying Party expects that this credential would have been created within an iframe that is not same-origin with its ancestors.

Related, should topOrigin validation be a sub-step since it should never be set when crossOrigin is false?
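For reference, here is how the proposed check and the follow-up point fit together on the Relying Party side. This is an added example, not code from the w3c/webauthn specification or from either commenter: it validates `origin`, then treats `crossOrigin` as a required boolean (since serialization always emits it), requires an explicit RP opt-in before accepting `crossOrigin === true`, checks `topOrigin` against trusted embedders only inside that branch, and rejects a `topOrigin` that appears while `crossOrigin` is `false`. The member names are the spec's; the policy option names (`expectedOrigins`, `allowCrossOrigin`, `allowedTopOrigins`), the helper names, and the sample client data are constructed for this example and are assumptions.

```javascript
// Added example: RP-side validation of the origin-related members of
// CollectedClientData. Member names origin/crossOrigin/topOrigin come from the
// WebAuthn spec; the policy option names and sample data below are constructed
// for this example (assumptions, not spec text).

// clientDataJSON is UTF-8 JSON bytes; decode it into the CollectedClientData dictionary.
function parseClientData(clientDataJSON) {
  return JSON.parse(Buffer.from(clientDataJSON).toString("utf8"));
}

// Helper to build sample clientDataJSON bytes for the checks below (constructed input).
function encodeClientData(obj) {
  return Buffer.from(JSON.stringify(obj), "utf8");
}

// Validate origin, crossOrigin and topOrigin as one consistent unit.
// policy = { expectedOrigins: [...], allowCrossOrigin: bool, allowedTopOrigins: [...] }
// Returns { ok: true } or { ok: false, reason: "..." }.
function validateClientOrigin(c, policy) {
  if (typeof c.origin !== "string" || !policy.expectedOrigins.includes(c.origin)) {
    return { ok: false, reason: "origin not expected" };
  }

  // Serialization always emits crossOrigin, so anything other than a boolean is malformed.
  if (typeof c.crossOrigin !== "boolean") {
    return { ok: false, reason: "crossOrigin missing or not a boolean" };
  }

  if (c.crossOrigin) {
    // The RP must explicitly expect credentials created/used inside a cross-origin iframe.
    if (!policy.allowCrossOrigin) {
      return { ok: false, reason: "cross-origin use not permitted by RP policy" };
    }
    // topOrigin, when present, names the top-level embedder; it must be one the RP trusts.
    if (c.topOrigin !== undefined) {
      if (typeof c.topOrigin !== "string" || !policy.allowedTopOrigins.includes(c.topOrigin)) {
        return { ok: false, reason: "topOrigin not expected" };
      }
    }
    return { ok: true };
  }

  // crossOrigin === false: topOrigin is only ever set for cross-origin callers,
  // so its presence here is inconsistent client data and fails the check.
  if (c.topOrigin !== undefined) {
    return { ok: false, reason: "topOrigin present but crossOrigin is false" };
  }
  return { ok: true };
}

// Convenience wrapper: decode then validate.
function checkClientDataJSON(clientDataJSON, policy) {
  return validateClientOrigin(parseClientData(clientDataJSON), policy);
}

// Constructed RP policy for the demonstration.
const samplePolicy = {
  expectedOrigins: ["https://rp.example"],
  allowCrossOrigin: true,
  allowedTopOrigins: ["https://embedder.example"],
};

// Constructed sample client data (challenge values are placeholders).
const sameOriginData = encodeClientData({
  type: "webauthn.get", challenge: "c2FtcGxl", origin: "https://rp.example", crossOrigin: false,
});
const crossOriginData = encodeClientData({
  type: "webauthn.get", challenge: "c2FtcGxl", origin: "https://rp.example",
  crossOrigin: true, topOrigin: "https://embedder.example",
});
const inconsistentData = encodeClientData({
  type: "webauthn.get", challenge: "c2FtcGxl", origin: "https://rp.example",
  crossOrigin: false, topOrigin: "https://embedder.example",
});
const missingFlagData = encodeClientData({
  type: "webauthn.get", challenge: "c2FtcGxl", origin: "https://rp.example",
});
```

Calling `checkClientDataJSON(crossOriginData, { ...samplePolicy, allowCrossOrigin: false })` rejects the cross-origin case, which is the decision the proposed step asks the RP to make; the same-origin case passes regardless of that option because `topOrigin` is absent.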