| Summary: | [WebAuthN] Add a quirk for google.com when processing AppID extension |
|---|---|
| Product: | WebKit |
| Reporter: | Alexei Czeskis <aczeskis> |
| Component: | Platform |
| Assignee: | Jiewen Tan <jiewen_tan> |
| Status: | RESOLVED FIXED |
| Severity: | Normal |
| CC: | alex.gaynor, bfulgham, commit-queue, jiewen_tan, simon.fraser, webkit-bug-importer, wenson_hsieh |
| Priority: | P2 |
| Keywords: | InRadar |
| Version: | WebKit Nightly Build |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Bug Depends on: | |
| Bug Blocks: | 181943 |
| Attachments: | |

Description
Alexei Czeskis
2019-03-20 17:36:30 PDT
Created attachment 368761
Patch

Comment on attachment 368761
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=368761&action=review

> Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp:84
> +{

Please add a comment:

"
FIXME(BUG #): Remove this quirk in 2023
As an early adopter of U2F features, Google has a large number of existing device registrations that authenticate 'google.com' against 'gstatic.com'.
Firefox and other browsers have agreed to grant an exception to the AppId rules for a limited time period (5 years from January, 2018) to allow existing
Google users to seamlessly transition to proper WebAuthN behavior.
"

Then please file a bug to remove this quirk in 2023.

Comment on attachment 368761
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=368761&action=review

>> Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp:84
>> +{
>
> Please add a comment:
>
> "
> FIXME(BUG #): Remove this quirk in 2023
> As an early adopter of U2F features, Google has a large number of existing device registrations that authenticate 'google.com' against 'gstatic.com'.
> Firefox and other browsers have agreed to grant an exception to the AppId rules for a limited time period (5 years from January, 2018) to allow existing
> Google users to seamlessly transition to proper WebAuthN behavior.
> "
>
> Then please file a bug to remove this quirk in 2023.

Added.

(In reply to Brent Fulgham from comment #3)
> Comment on attachment 368761
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=368761&action=review
>
> > Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp:84
> > +{
>
> Please add a comment:
>
> "
> FIXME(BUG #): Remove this quirk in 2023
> As an early adopter of U2F features, Google has a large number of existing
> device registrations that authenticate 'google.com' against 'gstatic.com'.
> Firefox and other browsers have agreed to grant an exception to the AppId
> rules for a limited time period (5 years from January, 2018) to allow existing
> Google users to seamlessly transition to proper WebAuthN behavior.
> "
>
> Then please file a bug to remove this quirk in 2023.

Thanks Brent for r+ this patch.

Created attachment 368798
Patch for landing

Comment on attachment 368798
Patch for landing

Clearing flags on attachment: 368798

Committed r244879: <https://trac.webkit.org/changeset/244879>

Comment on attachment 368761
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=368761&action=review

>>>> Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp:84
>>>> +{
>>>
>>> Please add a comment:
>>>
>>> "
>>> FIXME(BUG #): Remove this quirk in 2023
>>> As an early adopter of U2F features, Google has a large number of existing device registrations that authenticate 'google.com' against 'gstatic.com'.
>>> Firefox and other browsers have agreed to grant an exception to the AppId rules for a limited time period (5 years from January, 2018) to allow existing
>>> Google users to seamlessly transition to proper WebAuthN behavior.
>>> "
>>>
>>> Then please file a bug to remove this quirk in 2023.
>>
>> Added.
>
> Thanks Brent for r+ this patch.

This needs to go through the Quirks class so that the Develop menu switch can turn it off.

(In reply to Simon Fraser (smfr) from comment #8)
> Comment on attachment 368761
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=368761&action=review
>
> >>>> Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp:84
> >>>> +{
> >>>
> >>> Please add a comment:
> >>>
> >>> "
> >>> FIXME(BUG #): Remove this quirk in 2023
> >>> As an early adopter of U2F features, Google has a large number of existing device registrations that authenticate 'google.com' against 'gstatic.com'.
> >>> Firefox and other browsers have agreed to grant an exception to the AppId rules for a limited time period (5 years from January, 2018) to allow existing
> >>> Google users to seamlessly transition to proper WebAuthN behavior.
> >>> "
> >>>
> >>> Then please file a bug to remove this quirk in 2023.
> >>
> >> Added.
> >
> > Thanks Brent for r+ this patch.
>
> This needs to go through the Quirks class so that the Develop menu switch
> can turn it off.

I would argue it is not meaningful to turn Quirks off. Basically, the whole WebAuthentication feature will not work in Google.com if this is off.

Comment on attachment 368761
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=368761&action=review

>>>>>> Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp:84
>>>>>> +{
>>>>>
>>>>> Please add a comment:
>>>>>
>>>>> "
>>>>> FIXME(BUG #): Remove this quirk in 2023
>>>>> As an early adopter of U2F features, Google has a large number of existing device registrations that authenticate 'google.com' against 'gstatic.com'.
>>>>> Firefox and other browsers have agreed to grant an exception to the AppId rules for a limited time period (5 years from January, 2018) to allow existing
>>>>> Google users to seamlessly transition to proper WebAuthN behavior.
>>>>> "
>>>>>
>>>>> Then please file a bug to remove this quirk in 2023.
>>>>
>>>> Added.
>>>
>>> Thanks Brent for r+ this patch.
>>
>> This needs to go through the Quirks class so that the Develop menu switch can turn it off.
>
> I would argue it is not meaningful to turn Quirks off. Basically, the whole WebAuthentication feature will not work in Google.com if this is off.

I believe the utility in being able to turn off quirks is that web developers can easily test their content against the un-quirked browser engine, to make sure that their content will work when we finally remove the quirk.

(In reply to Wenson Hsieh from comment #10)
> Comment on attachment 368761
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=368761&action=review
>
> >>>>>> Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp:84
> >>>>>> +{
> >>>>>
> >>>>> Please add a comment:
> >>>>>
> >>>>> "
> >>>>> FIXME(BUG #): Remove this quirk in 2023
> >>>>> As an early adopter of U2F features, Google has a large number of existing device registrations that authenticate 'google.com' against 'gstatic.com'.
> >>>>> Firefox and other browsers have agreed to grant an exception to the AppId rules for a limited time period (5 years from January, 2018) to allow existing
> >>>>> Google users to seamlessly transition to proper WebAuthN behavior.
> >>>>> "
> >>>>>
> >>>>> Then please file a bug to remove this quirk in 2023.
> >>>>
> >>>> Added.
> >>>
> >>> Thanks Brent for r+ this patch.
> >>
> >> This needs to go through the Quirks class so that the Develop menu switch can turn it off.
> >
> > I would argue it is not meaningful to turn Quirks off. Basically, the whole WebAuthentication feature will not work in Google.com if this is off.
>
> I believe the utility in being able to turn off quirks is that web
> developers can easily test their content against the un-quirked browser
> engine, to make sure that their content will work when we finally remove the
> quirk.

I don't think they would have any un-quirked version. I probably shouldn't name this as quirks.