Diff
Modified: trunk/LayoutTests/ChangeLog (291017 => 291018)
--- trunk/LayoutTests/ChangeLog 2022-03-08 23:27:30 UTC (rev 291017)
+++ trunk/LayoutTests/ChangeLog 2022-03-08 23:51:45 UTC (rev 291018)
@@ -1,3 +1,19 @@
+2022-03-08 J Pascoe <j_pas...@apple.com>
+
+ [WebAuthn] Using WebAuthn within cross-origin iframe elements
+ https://bugs.webkit.org/show_bug.cgi?id=222240
+ rdar://problem/74830748
+
+ Reviewed by Brent Fulgham.
+
+ Update existing tests and create new test for cross-origin, non same-site i-frames.
+
+ * http/wpt/webauthn/public-key-credential-cross-origin.https-expected.txt: Added.
+ * http/wpt/webauthn/public-key-credential-cross-origin.https.html: Added.
+ * http/wpt/webauthn/public-key-credential-same-origin-with-ancestors.https-expected.txt:
+ * http/wpt/webauthn/public-key-credential-same-origin-with-ancestors.https.html:
+ * http/wpt/webauthn/resources/public-key-credential-cross-origin.https.html: Added.
+
2022-03-08 Chris Fleizach <cfleiz...@apple.com>
AX: Speech Synthesis no longer returning list of voices in macOS 12.3
Added: trunk/LayoutTests/http/wpt/webauthn/public-key-credential-cross-origin.https-expected.txt (0 => 291018)
--- trunk/LayoutTests/http/wpt/webauthn/public-key-credential-cross-origin.https-expected.txt (rev 0)
+++ trunk/LayoutTests/http/wpt/webauthn/public-key-credential-cross-origin.https-expected.txt 2022-03-08 23:51:45 UTC (rev 291018)
@@ -0,0 +1,4 @@
+
+
+PASS Tests that a frame that is cross-origin, NOT same-site with publickey-credentials-get feature policy can use get().
+
Added: trunk/LayoutTests/http/wpt/webauthn/public-key-credential-cross-origin.https.html (0 => 291018)
--- trunk/LayoutTests/http/wpt/webauthn/public-key-credential-cross-origin.https.html (rev 0)
+++ trunk/LayoutTests/http/wpt/webauthn/public-key-credential-cross-origin.https.html 2022-03-08 23:51:45 UTC (rev 291018)
@@ -0,0 +1,8 @@
+<!DOCTYPE html><!-- webkit-test-runner [ WebAuthenticationModernEnabled=false ] -->
+<script>
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ }
+ location="https://127.0.0.1:9443/WebKit/webauthn/resources/public-key-credential-cross-origin.https.html"
+</script>
Modified: trunk/LayoutTests/http/wpt/webauthn/public-key-credential-same-origin-with-ancestors.https-expected.txt (291017 => 291018)
--- trunk/LayoutTests/http/wpt/webauthn/public-key-credential-same-origin-with-ancestors.https-expected.txt 2022-03-08 23:27:30 UTC (rev 291017)
+++ trunk/LayoutTests/http/wpt/webauthn/public-key-credential-same-origin-with-ancestors.https-expected.txt 2022-03-08 23:51:45 UTC (rev 291018)
@@ -4,5 +4,5 @@
PASS Tests that a frame that doesn't share the same origin with all its ancestors could not access the API. 2
PASS Tests that a frame that is same-site, cross-origin without publickey-credentials-get feature policy cannot use get().
PASS Tests that a frame that is same-site, cross-origin with publickey-credentials-get feature policy can use get().
-PASS Tests that a frame that is cross-origin, NOT same-site with publickey-credentials-get feature policy cannot use get().
+PASS Tests that a frame using an ip address that is cross-origin, NOT same-site with publickey-credentials-get feature policy cannot use get().
Modified: trunk/LayoutTests/http/wpt/webauthn/public-key-credential-same-origin-with-ancestors.https.html (291017 => 291018)
--- trunk/LayoutTests/http/wpt/webauthn/public-key-credential-same-origin-with-ancestors.https.html 2022-03-08 23:27:30 UTC (rev 291017)
+++ trunk/LayoutTests/http/wpt/webauthn/public-key-credential-same-origin-with-ancestors.https.html 2022-03-08 23:51:45 UTC (rev 291018)
@@ -1,4 +1,4 @@
-<!DOCTYPE html><!-- webkit-test-runner [ WebAuthenticationModernEnabled=true ] -->
+<!DOCTYPE html><!-- webkit-test-runner [ WebAuthenticationModernEnabled=false ] -->
<html>
<head>
<meta charset="utf-8">
@@ -37,9 +37,9 @@
promise_test(t => {
return withCrossOriginIframe("samesite-iframe.html", "publickey-credentials-get").then((message) => {
- assert_equals(message.data, "Throw NotAllowedError: The origin of the document is not the same as its ancestors.");
+ assert_equals(message.data, "Throw SecurityError: The effective domain of the document is not a valid domain.");
});
- }, "Tests that a frame that is cross-origin, NOT same-site with publickey-credentials-get feature policy cannot use get().");
+ }, "Tests that a frame using an ip address that is cross-origin, NOT same-site with publickey-credentials-get feature policy cannot use get().");
</script>
</body>
</html>
Added: trunk/LayoutTests/http/wpt/webauthn/resources/public-key-credential-cross-origin.https.html (0 => 291018)
--- trunk/LayoutTests/http/wpt/webauthn/resources/public-key-credential-cross-origin.https.html (rev 0)
+++ trunk/LayoutTests/http/wpt/webauthn/resources/public-key-credential-cross-origin.https.html 2022-03-08 23:51:45 UTC (rev 291018)
@@ -0,0 +1,22 @@
+<!DOCTYPE html><!-- webkit-test-runner [ WebAuthenticationModernEnabled=false ] -->
+<html>
+<head>
+ <meta charset="utf-8">
+ <title>Web Authentication API: Tests that a frame that is cross-origin with feature policy can access the API.</title>
+ <script src=""
+ <script src=""
+ <script src=""
+ <script src=""
+ <script src=""
+</head>
+<body>
+ <script>
+ promise_test(t => {
+ // localhost is cross-origin here.
+ return withSameSiteIframe("samesite-iframe.html", "publickey-credentials-get").then((message) => {
+ assert_equals(message.data, "PASS!");
+ });
+ }, "Tests that a frame that is cross-origin, NOT same-site with publickey-credentials-get feature policy can use get().");
+ </script>
+</body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (291017 => 291018)
--- trunk/Source/WebCore/ChangeLog 2022-03-08 23:27:30 UTC (rev 291017)
+++ trunk/Source/WebCore/ChangeLog 2022-03-08 23:51:45 UTC (rev 291018)
@@ -1,3 +1,32 @@
+2022-03-08 J Pascoe <j_pas...@apple.com>
+
+ [WebAuthn] Using WebAuthn within cross-origin iframe elements
+ https://bugs.webkit.org/show_bug.cgi?id=222240
+ rdar://problem/74830748
+
+ Reviewed by Brent Fulgham.
+
+ This patch relaxes the requirement to perform a Web Authentication assertion
+ inside an i-frame with the "publickey-credentials-get" feature policy from
+ 'same-site' to 'cross-origin with consent'.
+
+ There is an additional requirement that there is only a single cross-origin
+ parent to present to the user in the prompt. If we can't display the updated
+ prompt, then cross-origin assertions are not allowed.
+
+ Test: http/wpt/webauthn/public-key-credential-cross-origin.https.html
+
+ * Modules/credentialmanagement/CredentialsContainer.cpp:
+ (WebCore::CredentialsContainer::scopeAndSingleParent):
+ (WebCore::CredentialsContainer::get):
+ (WebCore::CredentialsContainer::isCreate):
+ (WebCore::CredentialsContainer::scope): Deleted.
+ * Modules/credentialmanagement/CredentialsContainer.h:
+ * Modules/webauthn/AuthenticatorCoordinator.cpp:
+ (WebCore::AuthenticatorCoordinator::discoverFromExternalSource const):
+ * Modules/webauthn/AuthenticatorCoordinator.h:
+ * Modules/webauthn/AuthenticatorCoordinatorClient.h:
+
2022-03-08 Chris Dumez <cdu...@apple.com>
Rename allow-custom-protocols-navigation to allow-top-navigation-to-custom-protocols
Modified: trunk/Source/WebCore/Modules/credentialmanagement/CredentialsContainer.cpp (291017 => 291018)
--- trunk/Source/WebCore/Modules/credentialmanagement/CredentialsContainer.cpp 2022-03-08 23:27:30 UTC (rev 291017)
+++ trunk/Source/WebCore/Modules/credentialmanagement/CredentialsContainer.cpp 2022-03-08 23:51:45 UTC (rev 291018)
@@ -46,27 +46,27 @@
{
}
-WebAuthn::Scope CredentialsContainer::scope()
+ScopeAndCrossOriginParent CredentialsContainer::scopeAndCrossOriginParent() const
{
if (!m_document)
- return WebAuthn::Scope::CrossOrigin;
+ return std::pair { WebAuthn::Scope::CrossOrigin, std::nullopt };
- bool isSameOrigin = true;
bool isSameSite = true;
auto& origin = m_document->securityOrigin();
auto& url = ""
+ std::optional<SecurityOriginData> crossOriginParent;
for (auto* document = m_document->parentDocument(); document; document = document->parentDocument()) {
if (!origin.isSameOriginDomain(document->securityOrigin()) && !areRegistrableDomainsEqual(url, document->url()))
isSameSite = false;
- if (!origin.isSameOriginAs(document->securityOrigin()))
- isSameOrigin = false;
+ if (!crossOriginParent && !origin.isSameOriginAs(document->securityOrigin()))
+ crossOriginParent = origin.data();
}
- if (isSameOrigin)
- return WebAuthn::Scope::SameOrigin;
+ if (!crossOriginParent)
+ return std::pair { WebAuthn::Scope::SameOrigin, std::nullopt };
if (isSameSite)
- return WebAuthn::Scope::SameSite;
- return WebAuthn::Scope::CrossOrigin;
+ return std::pair { WebAuthn::Scope::SameSite, std::nullopt };
+ return std::pair { WebAuthn::Scope::CrossOrigin, crossOriginParent };
}
void CredentialsContainer::get(CredentialRequestOptions&& options, CredentialPromise&& promise)
@@ -98,7 +98,7 @@
return;
}
- m_document->page()->authenticatorCoordinator().discoverFromExternalSource(*m_document, WTFMove(options), scope(), WTFMove(promise));
+ m_document->page()->authenticatorCoordinator().discoverFromExternalSource(*m_document, WTFMove(options), scopeAndCrossOriginParent(), WTFMove(promise));
}
void CredentialsContainer::store(const BasicCredential&, CredentialPromise&& promise)
@@ -133,7 +133,7 @@
return;
}
- m_document->page()->authenticatorCoordinator().create(*m_document, options.publicKey.value(), scope(), WTFMove(options.signal), WTFMove(promise));
+ m_document->page()->authenticatorCoordinator().create(*m_document, options.publicKey.value(), scopeAndCrossOriginParent().first, WTFMove(options.signal), WTFMove(promise));
}
void CredentialsContainer::preventSilentAccess(DOMPromiseDeferred<void>&& promise) const
Modified: trunk/Source/WebCore/Modules/credentialmanagement/CredentialsContainer.h (291017 => 291018)
--- trunk/Source/WebCore/Modules/credentialmanagement/CredentialsContainer.h 2022-03-08 23:27:30 UTC (rev 291017)
+++ trunk/Source/WebCore/Modules/credentialmanagement/CredentialsContainer.h 2022-03-08 23:51:45 UTC (rev 291018)
@@ -58,7 +58,7 @@
private:
CredentialsContainer(WeakPtr<Document>&&);
- WebAuthn::Scope scope();
+ ScopeAndCrossOriginParent scopeAndCrossOriginParent() const;
WeakPtr<Document> m_document;
};
Modified: trunk/Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp (291017 => 291018)
--- trunk/Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp 2022-03-08 23:27:30 UTC (rev 291017)
+++ trunk/Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp 2022-03-08 23:51:45 UTC (rev 291018)
@@ -184,7 +184,7 @@
m_client->makeCredential(*frame, callerOrigin, clientDataJsonHash, options, WTFMove(callback));
}
-void AuthenticatorCoordinator::discoverFromExternalSource(const Document& document, CredentialRequestOptions&& requestOptions, WebAuthn::Scope scope, CredentialPromise&& promise) const
+void AuthenticatorCoordinator::discoverFromExternalSource(const Document& document, CredentialRequestOptions&& requestOptions, const ScopeAndCrossOriginParent& scopeAndCrossOriginParent, CredentialPromise&& promise) const
{
using namespace AuthenticatorCoordinatorInternal;
@@ -195,8 +195,8 @@
// The following implements https://www.w3.org/TR/webauthn/#createCredential as of 5 December 2017.
// Step 1, 3, 13 are handled by the caller.
// Step 2.
- // This implements https://www.w3.org/TR/webauthn-2/#sctn-permissions-policy except only same-site, cross-origin is permitted.
- if (scope != WebAuthn::Scope::SameOrigin && !(scope == WebAuthn::Scope::SameSite && isFeaturePolicyAllowedByDocumentAndAllOwners(FeaturePolicy::Type::PublickeyCredentialsGetRule, document, LogFeaturePolicyFailure::No))) {
+ // This implements https://www.w3.org/TR/webauthn-2/#sctn-permissions-policy
+ if (scopeAndCrossOriginParent.first != WebAuthn::Scope::SameOrigin && !isFeaturePolicyAllowedByDocumentAndAllOwners(FeaturePolicy::Type::PublickeyCredentialsGetRule, document, LogFeaturePolicyFailure::No)) {
promise.reject(Exception { NotAllowedError, "The origin of the document is not the same as its ancestors."_s });
return;
}
@@ -230,7 +230,7 @@
}
// Step 10-12.
- auto clientDataJson = buildClientDataJson(ClientDataType::Get, options.challenge, callerOrigin, scope);
+ auto clientDataJson = buildClientDataJson(ClientDataType::Get, options.challenge, callerOrigin, scopeAndCrossOriginParent.first);
auto clientDataJsonHash = buildClientDataJsonHash(clientDataJson);
// Step 4, 14-19.
@@ -254,7 +254,7 @@
promise.reject(exception.toException());
};
// Async operations are dispatched and handled in the messenger.
- m_client->getAssertion(*frame, callerOrigin, clientDataJsonHash, options, requestOptions.mediation, WTFMove(callback));
+ m_client->getAssertion(*frame, callerOrigin, clientDataJsonHash, options, requestOptions.mediation, scopeAndCrossOriginParent, WTFMove(callback));
}
void AuthenticatorCoordinator::isUserVerifyingPlatformAuthenticatorAvailable(DOMPromiseDeferred<IDLBoolean>&& promise) const
Modified: trunk/Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.h (291017 => 291018)
--- trunk/Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.h 2022-03-08 23:27:30 UTC (rev 291017)
+++ trunk/Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.h 2022-03-08 23:51:45 UTC (rev 291018)
@@ -45,10 +45,12 @@
struct PublicKeyCredentialCreationOptions;
struct PublicKeyCredentialRequestOptions;
struct CredentialRequestOptions;
+struct SecurityOriginData;
template<typename IDLType> class DOMPromiseDeferred;
using CredentialPromise = DOMPromiseDeferred<IDLNullable<IDLInterface<BasicCredential>>>;
+using ScopeAndCrossOriginParent = std::pair<WebAuthn::Scope, std::optional<SecurityOriginData>>;
class AuthenticatorCoordinator final {
WTF_MAKE_FAST_ALLOCATED;
@@ -59,7 +61,7 @@
// The following methods implement static methods of PublicKeyCredential.
void create(const Document&, const PublicKeyCredentialCreationOptions&, WebAuthn::Scope, RefPtr<AbortSignal>&&, CredentialPromise&&) const;
- void discoverFromExternalSource(const Document&, CredentialRequestOptions&&, WebAuthn::Scope, CredentialPromise&&) const;
+ void discoverFromExternalSource(const Document&, CredentialRequestOptions&&, const ScopeAndCrossOriginParent&, CredentialPromise&&) const;
void isUserVerifyingPlatformAuthenticatorAvailable(DOMPromiseDeferred<IDLBoolean>&&) const;
void isConditionalMediationAvailable(DOMPromiseDeferred<IDLBoolean>&&) const;
Modified: trunk/Source/WebCore/Modules/webauthn/AuthenticatorCoordinatorClient.h (291017 => 291018)
--- trunk/Source/WebCore/Modules/webauthn/AuthenticatorCoordinatorClient.h 2022-03-08 23:27:30 UTC (rev 291017)
+++ trunk/Source/WebCore/Modules/webauthn/AuthenticatorCoordinatorClient.h 2022-03-08 23:51:45 UTC (rev 291018)
@@ -27,10 +27,15 @@
#if ENABLE(WEB_AUTHN)
+#include "AuthenticatorCoordinator.h"
#include "ExceptionData.h"
#include <wtf/CompletionHandler.h>
#include <wtf/WeakPtr.h>
+namespace WebAuthn {
+enum class Scope;
+}
+
namespace WebCore {
class DeferredPromise;
@@ -43,6 +48,7 @@
struct AuthenticatorResponseData;
struct PublicKeyCredentialCreationOptions;
struct PublicKeyCredentialRequestOptions;
+struct SecurityOriginData;
using RequestCompletionHandler = CompletionHandler<void(WebCore::AuthenticatorResponseData&&, WebCore::AuthenticatorAttachment, WebCore::ExceptionData&&)>;
using QueryCompletionHandler = CompletionHandler<void(bool)>;
@@ -55,7 +61,7 @@
virtual ~AuthenticatorCoordinatorClient() = default;
virtual void makeCredential(const Frame&, const SecurityOrigin&, const Vector<uint8_t>&, const PublicKeyCredentialCreationOptions&, RequestCompletionHandler&&) = 0;
- virtual void getAssertion(const Frame&, const SecurityOrigin&, const Vector<uint8_t>&, const PublicKeyCredentialRequestOptions&, MediationRequirement, RequestCompletionHandler&&) = 0;
+ virtual void getAssertion(const Frame&, const SecurityOrigin&, const Vector<uint8_t>&, const PublicKeyCredentialRequestOptions&, MediationRequirement, const ScopeAndCrossOriginParent&, RequestCompletionHandler&&) = 0;
virtual void isConditionalMediationAvailable(QueryCompletionHandler&&) = 0;
virtual void isUserVerifyingPlatformAuthenticatorAvailable(QueryCompletionHandler&&) = 0;
Modified: trunk/Source/WebKit/ChangeLog (291017 => 291018)
--- trunk/Source/WebKit/ChangeLog 2022-03-08 23:27:30 UTC (rev 291017)
+++ trunk/Source/WebKit/ChangeLog 2022-03-08 23:51:45 UTC (rev 291018)
@@ -1,3 +1,35 @@
+2022-03-08 J Pascoe <j_pas...@apple.com>
+
+ [WebAuthn] Using WebAuthn within cross-origin iframe elements
+ https://bugs.webkit.org/show_bug.cgi?id=222240
+ rdar://problem/74830748
+
+ Reviewed by Brent Fulgham.
+
+ This patch relaxes the requirement to perform a Web Authentication assertion
+ inside an i-frame with the "publickey-credentials-get" feature policy from
+ 'same-site' to 'cross-origin with consent'.
+
+ There is an additional requirement that there is only a single cross-origin
+ parent to present to the user in the prompt. If we can't display the updated
+ prompt, then cross-origin assertions are not allowed.
+
+ * Platform/spi/Cocoa/AuthenticationServicesCoreSPI.h:
+ * UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm:
+ (WebKit::configureAssertionOptions):
+ (WebKit::configurationAssertionRequestContext):
+ (WebKit::WebAuthenticatorCoordinatorProxy::contextForRequest):
+ * UIProcess/WebAuthentication/WebAuthenticationRequestData.h:
+ * UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.cpp:
+ (WebKit::WebAuthenticatorCoordinatorProxy::makeCredential):
+ (WebKit::WebAuthenticatorCoordinatorProxy::getAssertion):
+ (WebKit::WebAuthenticatorCoordinatorProxy::handleRequest):
+ * UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.h:
+ * UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.messages.in:
+ * WebProcess/WebAuthentication/WebAuthenticatorCoordinator.cpp:
+ (WebKit::WebAuthenticatorCoordinator::getAssertion):
+ * WebProcess/WebAuthentication/WebAuthenticatorCoordinator.h:
+
2022-03-08 Chris Dumez <cdu...@apple.com>
Rename allow-custom-protocols-navigation to allow-top-navigation-to-custom-protocols
Modified: trunk/Source/WebKit/Platform/spi/Cocoa/AuthenticationServicesCoreSPI.h (291017 => 291018)
--- trunk/Source/WebKit/Platform/spi/Cocoa/AuthenticationServicesCoreSPI.h 2022-03-08 23:27:30 UTC (rev 291017)
+++ trunk/Source/WebKit/Platform/spi/Cocoa/AuthenticationServicesCoreSPI.h 2022-03-08 23:51:45 UTC (rev 291018)
@@ -167,6 +167,8 @@
@property (nonatomic, nullable, readonly, copy) NSArray<ASCPublicKeyCredentialDescriptor *> *allowedCredentials;
+@property (nonatomic, nullable, copy) NSString *destinationSiteForCrossSiteAssertion;
+
@end
Modified: trunk/Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm (291017 => 291018)
--- trunk/Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm 2022-03-08 23:27:30 UTC (rev 291017)
+++ trunk/Source/WebKit/UIProcess/API/Cocoa/_WKWebAuthenticationPanel.mm 2022-03-08 23:51:45 UTC (rev 291018)
@@ -822,7 +822,7 @@
handler(nil, [NSError errorWithDomain:WKErrorDomain code:exception.code userInfo:@{ NSLocalizedDescriptionKey: exception.message }]);
});
};
- _panel->handleRequest({ WTFMove(hash), [_WKWebAuthenticationPanel convertToCoreCreationOptionsWithOptions:options], nullptr, WebKit::WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, true, String(), nullptr, std::nullopt }, WTFMove(callback));
+ _panel->handleRequest({ WTFMove(hash), [_WKWebAuthenticationPanel convertToCoreCreationOptionsWithOptions:options], nullptr, WebKit::WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, true, String(), nullptr, std::nullopt, std::nullopt }, WTFMove(callback));
#endif
}
@@ -836,7 +836,7 @@
handler(nil, [NSError errorWithDomain:WKErrorDomain code:exception.code userInfo:@{ NSLocalizedDescriptionKey: exception.message }]);
});
};
- _panel->handleRequest({ vectorFromNSData(clientDataHash), [_WKWebAuthenticationPanel convertToCoreCreationOptionsWithOptions:options], nullptr, WebKit::WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, true, String(), nullptr, std::nullopt }, WTFMove(callback));
+ _panel->handleRequest({ vectorFromNSData(clientDataHash), [_WKWebAuthenticationPanel convertToCoreCreationOptionsWithOptions:options], nullptr, WebKit::WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, true, String(), nullptr, std::nullopt, std::nullopt }, WTFMove(callback));
#endif
}
@@ -886,7 +886,7 @@
handler(nil, [NSError errorWithDomain:WKErrorDomain code:WKErrorUnknown userInfo:nil]);
});
};
- _panel->handleRequest({ WTFMove(hash), [_WKWebAuthenticationPanel convertToCoreRequestOptionsWithOptions:options], nullptr, WebKit::WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, true, String(), nullptr, std::nullopt }, WTFMove(callback));
+ _panel->handleRequest({ WTFMove(hash), [_WKWebAuthenticationPanel convertToCoreRequestOptionsWithOptions:options], nullptr, WebKit::WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, true, String(), nullptr, std::nullopt, std::nullopt }, WTFMove(callback));
#endif
}
@@ -900,7 +900,7 @@
handler(nil, [NSError errorWithDomain:WKErrorDomain code:WKErrorUnknown userInfo:nil]);
});
};
- _panel->handleRequest({ vectorFromNSData(clientDataHash), [_WKWebAuthenticationPanel convertToCoreRequestOptionsWithOptions:options], nullptr, WebKit::WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, true, String(), nullptr, std::nullopt }, WTFMove(callback));
+ _panel->handleRequest({ vectorFromNSData(clientDataHash), [_WKWebAuthenticationPanel convertToCoreRequestOptionsWithOptions:options], nullptr, WebKit::WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, true, String(), nullptr, std::nullopt, std::nullopt }, WTFMove(callback));
#endif
}
Modified: trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm (291017 => 291018)
--- trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm 2022-03-08 23:27:30 UTC (rev 291017)
+++ trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm 2022-03-08 23:51:45 UTC (rev 291018)
@@ -172,8 +172,18 @@
return nil;
}
-static RetainPtr<ASCCredentialRequestContext> configureRegistrationRequestContext(const PublicKeyCredentialCreationOptions& options, Vector<uint8_t> hash)
+static inline void setGlobalFrameIDForContext(RetainPtr<ASCCredentialRequestContext> requestContext, std::optional<WebCore::GlobalFrameIdentifier> globalFrameID)
{
+ if (globalFrameID && [requestContext respondsToSelector:@selector(setGlobalFrameID:)]) {
+ auto ascGlobalFrameID = adoptNS([allocASCGlobalFrameIdentifierInstance() init]);
+ ascGlobalFrameID.get().webFrameID = [NSNumber numberWithUnsignedLong:globalFrameID->frameID.toUInt64()];
+ ascGlobalFrameID.get().webPageID = [NSNumber numberWithUnsignedLong:globalFrameID->pageID.toUInt64()];
+ requestContext.get().globalFrameID = ascGlobalFrameID.get();
+ }
+}
+
+static RetainPtr<ASCCredentialRequestContext> configureRegistrationRequestContext(const PublicKeyCredentialCreationOptions& options, const Vector<uint8_t>& hash, std::optional<WebCore::GlobalFrameIdentifier> globalFrameID)
+{
ASCCredentialRequestTypes requestTypes = ASCCredentialRequestTypePlatformPublicKeyRegistration | ASCCredentialRequestTypeSecurityKeyPublicKeyRegistration;
RetainPtr<NSString> userVerification;
@@ -193,6 +203,7 @@
auto requestContext = adoptNS([allocASCCredentialRequestContextInstance() initWithRequestTypes:requestTypes]);
[requestContext setRelyingPartyIdentifier:options.rp.id];
+ setGlobalFrameIDForContext(requestContext, globalFrameID);
auto credentialCreationOptions = adoptNS([allocASCPublicKeyCredentialCreationOptionsInstance() init]);
@@ -236,8 +247,27 @@
return requestContext;
}
-static RetainPtr<ASCCredentialRequestContext> configurationAssertionRequestContext(const PublicKeyCredentialRequestOptions& options, Vector<uint8_t> hash, std::optional<WebCore::MediationRequirement> mediation, std::optional<WebCore::GlobalFrameIdentifier> globalFrameID)
+static inline RetainPtr<ASCPublicKeyCredentialAssertionOptions> configureAssertionOptions(const PublicKeyCredentialRequestOptions& options, const Vector<uint8_t>& hash, ASCPublicKeyCredentialKind kind, const std::optional<SecurityOriginData>& parentOrigin, RetainPtr<NSMutableArray<ASCPublicKeyCredentialDescriptor *>> allowedCredentials, RetainPtr<NSString> userVerification)
{
+ auto assertionOptions = adoptNS(allocASCPublicKeyCredentialAssertionOptionsInstance());
+ if ([assertionOptions respondsToSelector:@selector(initWithKind:relyingPartyIdentifier:clientDataHash:userVerificationPreference:allowedCredentials:)]) {
+ auto nsHash = toNSData(hash);
+ [assertionOptions initWithKind:ASCPublicKeyCredentialKindPlatform relyingPartyIdentifier:options.rpId clientDataHash:nsHash.get() userVerificationPreference:userVerification.get() allowedCredentials:allowedCredentials.get()];
+ } else {
+ auto challenge = WebCore::toNSData(options.challenge);
+ [assertionOptions initWithKind:ASCPublicKeyCredentialKindPlatform relyingPartyIdentifier:options.rpId challenge:challenge.get() userVerificationPreference:userVerification.get() allowedCredentials:allowedCredentials.get()];
+ }
+ if (options.extensions && [assertionOptions respondsToSelector:@selector(setExtensions:)])
+ [assertionOptions setExtensions:toASCExtensions(*options.extensions).get()];
+ if (parentOrigin && [assertionOptions respondsToSelector:@selector(setDestinationSiteForCrossSiteAssertion:)])
+ assertionOptions.get().destinationSiteForCrossSiteAssertion = parentOrigin->toString();
+ else if (parentOrigin && ![assertionOptions respondsToSelector:@selector(setDestinationSiteForCrossSiteAssertion:)])
+ return nil;
+ return assertionOptions;
+}
+
+static RetainPtr<ASCCredentialRequestContext> configurationAssertionRequestContext(const PublicKeyCredentialRequestOptions& options, const Vector<uint8_t>& hash, std::optional<WebCore::MediationRequirement> mediation, std::optional<WebCore::GlobalFrameIdentifier> globalFrameID, std::optional<WebCore::SecurityOriginData>& parentOrigin)
+{
ASCCredentialRequestTypes requestTypes = ASCCredentialRequestTypePlatformPublicKeyAssertion | ASCCredentialRequestTypeSecurityKeyPublicKeyAssertion;
RetainPtr<NSString> userVerification;
@@ -262,40 +292,19 @@
[requestContext setRelyingPartyIdentifier:options.rpId];
if (mediation == MediationRequirement::Conditional && [requestContext respondsToSelector:@selector(setRequestStyle:)])
requestContext.get().requestStyle = ASCredentialRequestStyleAutoFill;
- if (globalFrameID && [requestContext respondsToSelector:@selector(setGlobalFrameID:)]) {
- auto ascGlobalFrameID = adoptNS([allocASCGlobalFrameIdentifierInstance() init]);
- ascGlobalFrameID.get().webFrameID = [NSNumber numberWithUnsignedLong:globalFrameID->frameID.toUInt64()];
- ascGlobalFrameID.get().webPageID = [NSNumber numberWithUnsignedLong:globalFrameID->pageID.toUInt64()];
- requestContext.get().globalFrameID = ascGlobalFrameID.get();
- }
+ setGlobalFrameIDForContext(requestContext, globalFrameID);
if (requestTypes & ASCCredentialRequestTypePlatformPublicKeyAssertion) {
- auto assertionOptions = adoptNS(allocASCPublicKeyCredentialAssertionOptionsInstance());
- if ([assertionOptions respondsToSelector:@selector(initWithKind:relyingPartyIdentifier:clientDataHash:userVerificationPreference:allowedCredentials:)]) {
- auto nsHash = toNSData(hash);
- [assertionOptions initWithKind:ASCPublicKeyCredentialKindPlatform relyingPartyIdentifier:options.rpId clientDataHash:nsHash.get() userVerificationPreference:userVerification.get() allowedCredentials:allowedCredentials.get()];
- } else {
- auto challenge = WebCore::toNSData(options.challenge);
- [assertionOptions initWithKind:ASCPublicKeyCredentialKindPlatform relyingPartyIdentifier:options.rpId challenge:challenge.get() userVerificationPreference:userVerification.get() allowedCredentials:allowedCredentials.get()];
- }
- if (options.extensions && [assertionOptions respondsToSelector:@selector(setExtensions:)])
- [assertionOptions setExtensions:toASCExtensions(*options.extensions).get()];
-
+ auto assertionOptions = configureAssertionOptions(options, hash, ASCPublicKeyCredentialKindPlatform, parentOrigin, allowedCredentials, userVerification);
+ if (!assertionOptions)
+ return nil;
[requestContext setPlatformKeyCredentialAssertionOptions:assertionOptions.get()];
}
if (requestTypes & ASCCredentialRequestTypeSecurityKeyPublicKeyAssertion) {
- auto assertionOptions = adoptNS(allocASCPublicKeyCredentialAssertionOptionsInstance());
- if ([assertionOptions respondsToSelector:@selector(initWithKind:relyingPartyIdentifier:clientDataHash:userVerificationPreference:allowedCredentials:)]) {
- auto nsHash = toNSData(hash);
- [assertionOptions initWithKind:ASCPublicKeyCredentialKindSecurityKey relyingPartyIdentifier:options.rpId clientDataHash:nsHash.get() userVerificationPreference:userVerification.get() allowedCredentials:allowedCredentials.get()];
- } else {
- auto challenge = WebCore::toNSData(options.challenge);
- [assertionOptions initWithKind:ASCPublicKeyCredentialKindSecurityKey relyingPartyIdentifier:options.rpId challenge:challenge.get() userVerificationPreference:userVerification.get() allowedCredentials:allowedCredentials.get()];
- }
- if (options.extensions && [assertionOptions respondsToSelector:@selector(setExtensions:)])
- [assertionOptions setExtensions:toASCExtensions(*options.extensions).get()];
-
+ auto assertionOptions = configureAssertionOptions(options, hash, ASCPublicKeyCredentialKindSecurityKey, parentOrigin, allowedCredentials, userVerification);
+ if (!assertionOptions)
+ return nil;
[requestContext setSecurityKeyCredentialAssertionOptions:assertionOptions.get()];
}
@@ -306,9 +315,9 @@
{
RetainPtr<ASCCredentialRequestContext> result;
WTF::switchOn(requestData.options, [&](const PublicKeyCredentialCreationOptions& options) {
- result = configureRegistrationRequestContext(options, requestData.hash);
+ result = configureRegistrationRequestContext(options, requestData.hash, requestData.globalFrameID);
}, [&](const PublicKeyCredentialRequestOptions& options) {
- result = configurationAssertionRequestContext(options, requestData.hash, requestData.mediation, requestData.globalFrameID);
+ result = configurationAssertionRequestContext(options, requestData.hash, requestData.mediation, requestData.globalFrameID, requestData.parentOrigin);
});
return result;
}
Modified: trunk/Source/WebKit/UIProcess/WebAuthentication/WebAuthenticationRequestData.h (291017 => 291018)
--- trunk/Source/WebKit/UIProcess/WebAuthentication/WebAuthenticationRequestData.h 2022-03-08 23:27:30 UTC (rev 291017)
+++ trunk/Source/WebKit/UIProcess/WebAuthentication/WebAuthenticationRequestData.h 2022-03-08 23:51:45 UTC (rev 291018)
@@ -39,6 +39,10 @@
#include <wtf/Vector.h>
#include <wtf/WeakPtr.h>
+namespace WebCore {
+struct SecurityOriginData;
+}
+
namespace WebKit {
class WebPageProxy;
@@ -58,6 +62,7 @@
String cachedPin; // Only used to improve NFC Client PIN experience.
WeakPtr<API::WebAuthenticationPanel> weakPanel;
std::optional<WebCore::MediationRequirement> mediation;
+ std::optional<WebCore::SecurityOriginData> parentOrigin;
};
WebCore::ClientDataType getClientDataType(const std::variant<WebCore::PublicKeyCredentialCreationOptions, WebCore::PublicKeyCredentialRequestOptions>&);
Modified: trunk/Source/WebKit/UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.cpp (291017 => 291018)
--- trunk/Source/WebKit/UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.cpp 2022-03-08 23:27:30 UTC (rev 291017)
+++ trunk/Source/WebKit/UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.cpp 2022-03-08 23:51:45 UTC (rev 291018)
@@ -58,12 +58,12 @@
void WebAuthenticatorCoordinatorProxy::makeCredential(FrameIdentifier frameId, FrameInfoData&& frameInfo, Vector<uint8_t>&& hash, PublicKeyCredentialCreationOptions&& options, bool processingUserGesture, RequestCompletionHandler&& handler)
{
- handleRequest({ WTFMove(hash), WTFMove(options), m_webPageProxy, WebAuthenticationPanelResult::Unavailable, nullptr, GlobalFrameIdentifier { m_webPageProxy.webPageID(), frameId }, WTFMove(frameInfo), processingUserGesture, String(), nullptr, std::nullopt }, WTFMove(handler));
+ handleRequest({ WTFMove(hash), WTFMove(options), m_webPageProxy, WebAuthenticationPanelResult::Unavailable, nullptr, GlobalFrameIdentifier { m_webPageProxy.webPageID(), frameId }, WTFMove(frameInfo), processingUserGesture, String(), nullptr, std::nullopt, std::nullopt }, WTFMove(handler));
}
-void WebAuthenticatorCoordinatorProxy::getAssertion(FrameIdentifier frameId, FrameInfoData&& frameInfo, Vector<uint8_t>&& hash, PublicKeyCredentialRequestOptions&& options, MediationRequirement mediation, bool processingUserGesture, RequestCompletionHandler&& handler)
+void WebAuthenticatorCoordinatorProxy::getAssertion(FrameIdentifier frameId, FrameInfoData&& frameInfo, Vector<uint8_t>&& hash, PublicKeyCredentialRequestOptions&& options, MediationRequirement mediation, std::optional<WebCore::SecurityOriginData> parentOrigin, bool processingUserGesture, RequestCompletionHandler&& handler)
{
- handleRequest({ WTFMove(hash), WTFMove(options), m_webPageProxy, WebAuthenticationPanelResult::Unavailable, nullptr, GlobalFrameIdentifier { m_webPageProxy.webPageID(), frameId }, WTFMove(frameInfo), processingUserGesture, String(), nullptr, mediation }, WTFMove(handler));
+ handleRequest({ WTFMove(hash), WTFMove(options), m_webPageProxy, WebAuthenticationPanelResult::Unavailable, nullptr, GlobalFrameIdentifier { m_webPageProxy.webPageID(), frameId }, WTFMove(frameInfo), processingUserGesture, String(), nullptr, mediation, parentOrigin }, WTFMove(handler));
}
void WebAuthenticatorCoordinatorProxy::handleRequest(WebAuthenticationRequestData&& data, RequestCompletionHandler&& handler)
@@ -74,13 +74,22 @@
auto& authenticatorManager = m_webPageProxy.websiteDataStore().authenticatorManager();
if (result) {
#if HAVE(UNIFIED_ASC_AUTH_UI)
- if (!authenticatorManager.isMock() && !authenticatorManager.isVirtual()) {
- auto context = contextForRequest(WTFMove(data));
- // performRequest calls out to ASCAgent which will then call [_WKWebAuthenticationPanel makeCredential/getAssertionWithChallenge]
- // which calls authenticatorManager.handleRequest(..)
- performRequest(context, WTFMove(handler));
+ if (!authenticatorManager.isMock() && !authenticatorManager.isVirtual()) {
+ auto context = contextForRequest(WTFMove(data));
+ if (context.get() == nullptr) {
+ handler({ }, (AuthenticatorAttachment)0, ExceptionData { NotAllowedError, "The origin of the document is not the same as its ancestors."_s });
return;
}
+ // performRequest calls out to ASCAgent which will then call [_WKWebAuthenticationPanel makeCredential/getAssertionWithChallenge]
+ // which calls authenticatorManager.handleRequest(..)
+ performRequest(context, WTFMove(handler));
+ return;
+ }
+#else
+ if (data.parentOrigin && !authenticatorManager.isMock() && !authenticatorManager.isVirtual()) {
+ handler({ }, (AuthenticatorAttachment)0, ExceptionData { NotAllowedError, "The origin of the document is not the same as its ancestors."_s });
+ return;
+ }
#endif // HAVE(UNIFIED_ASC_AUTH_UI)
authenticatorManager.handleRequest(WTFMove(data), [handler = WTFMove(handler)] (std::variant<Ref<AuthenticatorResponse>, ExceptionData>&& result) mutable {
Modified: trunk/Source/WebKit/UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.h (291017 => 291018)
--- trunk/Source/WebKit/UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.h 2022-03-08 23:27:30 UTC (rev 291017)
+++ trunk/Source/WebKit/UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.h 2022-03-08 23:51:45 UTC (rev 291018)
@@ -71,7 +71,7 @@
// Receivers.
void makeCredential(WebCore::FrameIdentifier, FrameInfoData&&, Vector<uint8_t>&& hash, WebCore::PublicKeyCredentialCreationOptions&&, bool processingUserGesture, RequestCompletionHandler&&);
- void getAssertion(WebCore::FrameIdentifier, FrameInfoData&&, Vector<uint8_t>&& hash, WebCore::PublicKeyCredentialRequestOptions&&, WebCore::CredentialRequestOptions::MediationRequirement, bool processingUserGesture, RequestCompletionHandler&&);
+ void getAssertion(WebCore::FrameIdentifier, FrameInfoData&&, Vector<uint8_t>&& hash, WebCore::PublicKeyCredentialRequestOptions&&, WebCore::CredentialRequestOptions::MediationRequirement, std::optional<WebCore::SecurityOriginData>, bool processingUserGesture, RequestCompletionHandler&&);
void isUserVerifyingPlatformAuthenticatorAvailable(QueryCompletionHandler&&);
void isConditionalMediationAvailable(QueryCompletionHandler&&);
Modified: trunk/Source/WebKit/UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.messages.in (291017 => 291018)
--- trunk/Source/WebKit/UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.messages.in 2022-03-08 23:27:30 UTC (rev 291017)
+++ trunk/Source/WebKit/UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.messages.in 2022-03-08 23:51:45 UTC (rev 291018)
@@ -27,7 +27,7 @@
messages -> WebAuthenticatorCoordinatorProxy NotRefCounted {
MakeCredential(WebCore::FrameIdentifier frameID, struct WebKit::FrameInfoData frameInfo, Vector<uint8_t> hash, struct WebCore::PublicKeyCredentialCreationOptions options, bool processingUserGesture) -> (struct WebCore::AuthenticatorResponseData data, enum:int WebCore::AuthenticatorAttachment attachment, struct WebCore::ExceptionData exception)
- GetAssertion(WebCore::FrameIdentifier frameID, struct WebKit::FrameInfoData frameInfo, Vector<uint8_t> hash, struct WebCore::PublicKeyCredentialRequestOptions options, enum:uint8_t WebCore::CredentialRequestOptions::MediationRequirement mediation, bool processingUserGesture) -> (struct WebCore::AuthenticatorResponseData data, enum:int WebCore::AuthenticatorAttachment attachment, struct WebCore::ExceptionData exception)
+ GetAssertion(WebCore::FrameIdentifier frameID, struct WebKit::FrameInfoData frameInfo, Vector<uint8_t> hash, struct WebCore::PublicKeyCredentialRequestOptions options, enum:uint8_t WebCore::CredentialRequestOptions::MediationRequirement mediation, std::optional<WebCore::SecurityOriginData> parentOrigin, bool processingUserGesture) -> (struct WebCore::AuthenticatorResponseData data, enum:int WebCore::AuthenticatorAttachment attachment, struct WebCore::ExceptionData exception)
isConditionalMediationAvailable() -> (bool result)
IsUserVerifyingPlatformAuthenticatorAvailable() -> (bool result)
}
Modified: trunk/Source/WebKit/WebAuthnProcess/WebAuthnConnectionToWebProcess.cpp (291017 => 291018)
--- trunk/Source/WebKit/WebAuthnProcess/WebAuthnConnectionToWebProcess.cpp 2022-03-08 23:27:30 UTC (rev 291017)
+++ trunk/Source/WebKit/WebAuthnProcess/WebAuthnConnectionToWebProcess.cpp 2022-03-08 23:51:45 UTC (rev 291018)
@@ -96,12 +96,12 @@
void WebAuthnConnectionToWebProcess::makeCredential(Vector<uint8_t>&& hash, PublicKeyCredentialCreationOptions&& options, bool processingUserGesture, RequestCompletionHandler&& handler)
{
- handleRequest({ WTFMove(hash), WTFMove(options), nullptr, WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, processingUserGesture, String(), nullptr, std::nullopt }, WTFMove(handler));
+ handleRequest({ WTFMove(hash), WTFMove(options), nullptr, WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, processingUserGesture, String(), nullptr, std::nullopt, std::nullopt }, WTFMove(handler));
}
void WebAuthnConnectionToWebProcess::getAssertion(Vector<uint8_t>&& hash, PublicKeyCredentialRequestOptions&& options, bool processingUserGesture, RequestCompletionHandler&& handler)
{
- handleRequest({ WTFMove(hash), WTFMove(options), nullptr, WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, processingUserGesture, String(), nullptr, std::nullopt }, WTFMove(handler));
+ handleRequest({ WTFMove(hash), WTFMove(options), nullptr, WebAuthenticationPanelResult::Unavailable, nullptr, std::nullopt, { }, processingUserGesture, String(), nullptr, std::nullopt, std::nullopt }, WTFMove(handler));
}
void WebAuthnConnectionToWebProcess::handleRequest(WebAuthenticationRequestData&& data, RequestCompletionHandler&& handler)
Modified: trunk/Source/WebKit/WebProcess/WebAuthentication/WebAuthenticatorCoordinator.cpp (291017 => 291018)
--- trunk/Source/WebKit/WebProcess/WebAuthentication/WebAuthenticatorCoordinator.cpp 2022-03-08 23:27:30 UTC (rev 291017)
+++ trunk/Source/WebKit/WebProcess/WebAuthentication/WebAuthenticatorCoordinator.cpp 2022-03-08 23:51:45 UTC (rev 291018)
@@ -46,6 +46,7 @@
#include <WebCore/RuntimeEnabledFeatures.h>
#include <WebCore/SecurityOrigin.h>
#include <WebCore/UserGestureIndicator.h>
+#include <WebCore/WebAuthenticationConstants.h>
#undef WEBAUTHN_RELEASE_LOG
#define PAGE_ID (m_webPage.identifier().toUInt64())
@@ -93,7 +94,7 @@
WebProcess::singleton().ensureWebAuthnProcessConnection().connection().sendWithAsyncReply(Messages::WebAuthnConnectionToWebProcess::MakeCredential(hash, options, isProcessingUserGesture), WTFMove(handler));
}
-void WebAuthenticatorCoordinator::getAssertion(const Frame& frame, const SecurityOrigin&, const Vector<uint8_t>& hash, const PublicKeyCredentialRequestOptions& options, MediationRequirement mediation, RequestCompletionHandler&& handler)
+void WebAuthenticatorCoordinator::getAssertion(const Frame& frame, const SecurityOrigin&, const Vector<uint8_t>& hash, const PublicKeyCredentialRequestOptions& options, MediationRequirement mediation, const ScopeAndCrossOriginParent& scopeAndCrossOriginParent, RequestCompletionHandler&& handler)
{
auto* webFrame = WebFrame::fromCoreFrame(frame);
if (!webFrame)
@@ -106,9 +107,13 @@
bool useWebAuthnProcess = RuntimeEnabledFeatures::sharedFeatures().webAuthenticationModernEnabled();
#endif
if (!useWebAuthnProcess) {
- m_webPage.sendWithAsyncReply(Messages::WebAuthenticatorCoordinatorProxy::GetAssertion(webFrame->frameID(), webFrame->info(), hash, options, mediation, isProcessingUserGesture), WTFMove(handler));
+ m_webPage.sendWithAsyncReply(Messages::WebAuthenticatorCoordinatorProxy::GetAssertion(webFrame->frameID(), webFrame->info(), hash, options, mediation, scopeAndCrossOriginParent.second, isProcessingUserGesture), WTFMove(handler));
return;
}
+ if (scopeAndCrossOriginParent.first == WebAuthn::Scope::CrossOrigin) {
+ handler({ }, (AuthenticatorAttachment)0, ExceptionData { NotAllowedError, "The origin of the document is not the same as its ancestors."_s });
+ return;
+ }
if (!isWebBrowser()) {
WEBAUTHN_RELEASE_LOG_ERROR("getAssertion: The 'navigator.credentials.get' API is only permitted in applications with the 'com.apple.developer.web-browser' entitlement.");
Modified: trunk/Source/WebKit/WebProcess/WebAuthentication/WebAuthenticatorCoordinator.h (291017 => 291018)
--- trunk/Source/WebKit/WebProcess/WebAuthentication/WebAuthenticatorCoordinator.h 2022-03-08 23:27:30 UTC (rev 291017)
+++ trunk/Source/WebKit/WebProcess/WebAuthentication/WebAuthenticatorCoordinator.h 2022-03-08 23:51:45 UTC (rev 291018)
@@ -41,7 +41,7 @@
private:
// WebCore::AuthenticatorCoordinatorClient
void makeCredential(const WebCore::Frame&, const WebCore::SecurityOrigin&, const Vector<uint8_t>&, const WebCore::PublicKeyCredentialCreationOptions&, WebCore::RequestCompletionHandler&&) final;
- void getAssertion(const WebCore::Frame&, const WebCore::SecurityOrigin&, const Vector<uint8_t>& hash, const WebCore::PublicKeyCredentialRequestOptions&, WebCore::MediationRequirement, WebCore::RequestCompletionHandler&&) final;
+ void getAssertion(const WebCore::Frame&, const WebCore::SecurityOrigin&, const Vector<uint8_t>& hash, const WebCore::PublicKeyCredentialRequestOptions&, WebCore::MediationRequirement, const std::pair<WebAuthn::Scope, std::optional<WebCore::SecurityOriginData>>&, WebCore::RequestCompletionHandler&&) final;
void isConditionalMediationAvailable(WebCore::QueryCompletionHandler&&) final;
void isUserVerifyingPlatformAuthenticatorAvailable(WebCore::QueryCompletionHandler&&) final;
void resetUserGestureRequirement() final { m_requireUserGesture = false; }
