Reject cross-origin requests in processCreate and processGet#125
Open
ScottHelme wants to merge 1 commit into
Open
Reject cross-origin requests in processCreate and processGet#125ScottHelme wants to merge 1 commit into
ScottHelme wants to merge 1 commit into
Conversation
Per the proposed Level 3 spec (§7.1 Step 10, §7.2 Step 13), reject ceremonies where clientDataJSON.crossOrigin is true. This prevents an attacker from embedding a legitimate site's WebAuthn ceremony in a cross-origin iframe on a malicious domain. The check is backwards-compatible: crossOrigin is optional in the spec, so clients that don't send it are unaffected. Fixes lbuchs#124
Author
|
Just a heads-up for anyone landing here: we've published a security-focused fork of this library as report-uri/passkeys-php It already includes this fix, along with several other hardening changes. Huge thanks to @lbuchs for the original work! This PR is still very much open for upstream consideration, but the fork is available in the meantime for anyone who needs the change today. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Per the proposed Level 3 spec (§7.1 Step 10 for registration, §7.2 Step 13 for authentication), if
clientDataJSON.crossOriginistrue, the ceremony should be rejected.Currently the library does not check this field at all, which means a cross-origin iframe embedding a legitimate site's WebAuthn ceremony would succeed.
This adds a check in both
processCreate()andprocessGet(), after the existing origin validation:The check is backwards-compatible —
crossOriginis optional in the spec, so existing clients that don't send it are unaffected. Only explicitly cross-origin requests are rejected.Fixes #124