From 5ecbf2876fa7f327338d71e05e3ff115334ec327 Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Wed, 26 Jul 2023 17:51:44 +0200 Subject: [PATCH] Explain why RP origin validation helps even with scoping rules --- index.bs | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/index.bs b/index.bs index ddc56db2d..d412da2c1 100644 --- a/index.bs +++ b/index.bs @@ -8347,6 +8347,14 @@ When [registering a credential](#rp-op-registering-a-new-credential-step-origin) when [verifying an assertion](#rp-op-verifying-assertion-step-origin), the [=[RP]=] MUST validate the {{CollectedClientData/origin}} member of the [=client data=]. +The [=[RP]=] MUST NOT accept unexpected values of {{CollectedClientData/origin}}, +as doing so could allow a malicious website to obtain valid [=credentials=]. +Although the [=scope=] of [=WebAuthn credentials=] prevents their use on domains +outside the [=RP ID=] they were registered for, +the [=[RP]=]'s origin validation serves as an additional layer of protection +in case a faulty [=authenticator=] fails to enforce credential [=scope=]. +See also [[#sctn-code-injection]] for discussion of potentially malicious subdomains. + Validation MAY be performed by exact string matching or any other method as needed by the [=[RP]=]. For example: 
@@ -8373,11 +8381,6 @@ For example: {{CollectedClientData/origin}} exactly equals some element of the list ["https://example.org", "example-os:appid:204ffa1a5af110ac483f131a1bef8a841a7adb0d8d135908bbd964ed05d2653b"]. -In order to prevent [=man-in-the-middle attacks=], -the [=[RP]=] MUST NOT accept unexpected values of {{CollectedClientData/origin}}, -as doing so could allow a malicious website to obtain valid [=credentials=]. -See [[#sctn-code-injection]] for further discussion. - Similar considerations apply when validating the {{CollectedClientData/topOrigin}} member of the [=client data=]. When {{CollectedClientData/topOrigin}} is present, the [=[RP]=] MUST validate that its value is expected. This validation MAY be performed by exact string matching or any other method as needed by the [=[RP]=].
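Review bot: In the first hunk (index.bs @@ -8347), the added rationale "in case a faulty [=authenticator=] fails to enforce credential [=scope=]" names only the authenticator, but the {{CollectedClientData/origin}} value the RP is told to validate is part of the [=client data=], which the client populates; a faulty client is the more direct way an unexpected origin reaches the RP. Consider widening it to something like "in case a faulty [=client=] or [=authenticator=] fails to enforce credential [=scope=]" so the paragraph's reason for the MUST NOT matches what the RP is actually checking.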
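Review bot: The second hunk (index.bs @@ -8373) deletes the only sentence that tied origin validation to [=man-in-the-middle attacks=] ("In order to prevent [=man-in-the-middle attacks=], the [=[RP]=] MUST NOT accept unexpected values ..."), and the replacement paragraph in the first hunk mentions only scope enforcement and malicious subdomains. If the MITM motivation is still considered valid, keep a reference to it in the new paragraph; if it was dropped on purpose, say so in the commit message, since the Subject only describes adding the scoping explanation.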