Skip to content

Commit

Permalink
Make topOrigin verification backwards compatible with L2
Browse files Browse the repository at this point in the history
  • Loading branch information
@emlun
emlun committed Aug 14, 2024
1 parent 9bb78e4 commit 831db6a
Showing 1 changed file with 13 additions and 2 deletions.
15 changes: 13 additions & 2 deletions index.bs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3833,6 +3833,14 @@ Verifiers may use the following algorithm to verify an encoded {{CollectedClient
1. A string, |origin|, that contains the expected {{CollectedClientData/origin}} that issued the request to the user agent.
1. A boolean, |crossOrigin|, that is true if, and only if, the request should have been performed within a cross-origin <{iframe}>.
1. An optional string, |topOrigin|, that contains the expected {{CollectedClientData/topOrigin}} that issued the request to the user agent if |crossOrigin| is true and if available.
1. A boolean, |requireTopOrigin|, that is true if, and only if, the validation should fail
if |topOrigin| is defined and the {{CollectedClientData/topOrigin}} attribute is not present in |clientDataJSON|.

This means that the verification algorithm is backwards compatible
with the [[webauthn-2-20210408#clientdatajson-serialization|JSON-compatible serialization algorithm]]
in Web Authentication Level 2 [[webauthn-2-20210408]]
if, and only if, |requireTopOrigin| is [FALSE].

1. Let |expected| be an empty byte string.
1. Append 0x7b2274797065223a (`{"type":`) to |expected|.
1. Append [=CCDToString=](|type|) to |expected|.
Expand All @@ -3845,8 +3853,11 @@ Verifiers may use the following algorithm to verify an encoded {{CollectedClient
1. If |crossOrigin| is true:
1. Append 0x74727565 (`true`) to |expected|.
1. If |topOrigin| is defined:
1. Append 0x2c22746f704f726967696e223a (`,"topOrigin":`) to |expected|.
1. Append [=CCDToString=](|topOrigin|) to |expected|.
1. If |requireTopOrigin| is true
or if 0x2c22746f704f726967696e223a (`,"topOrigin":`) is a prefix
of the substring of |clientDataJSON| beginning at the offset equal to the length of |expected|:
1. Append 0x2c22746f704f726967696e223a (`,"topOrigin":`) to |expected|.
1. Append [=CCDToString=](|topOrigin|) to |expected|.
1. Otherwise, i.e. |crossOrigin| is false:
1. Append 0x66616c7365 (`false`) to |expected|.
1. If |expected| is not a prefix of |clientDataJSON| then the verification has failed.
Expand Down

0 comments on commit 831db6a

Please sign in to comment.