This enhancement is needed for WebAuthN to work with RP ID: https://www.w3.org/TR/webauthn/#createCredential. Specifically, Step 5-7. Here are the requests:
1. SecurityOrigin/URL needs to tell if an origin is a valid domain: https://url.spec.whatwg.org/#valid-domain.
2. SecurityOrigin/URL needs to tell if an origin is a registrable domain suffix of another origin: https://html.spec.whatwg.org/multipage/origin.html#is-a-registrable-domain-suffix-of-or-is-equal-to.
<rdar://problem/43357371>
Created attachment 368655 [details] Patch
Comment on attachment 368655 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=368655&action=review

> Source/WebCore/dom/Document.cpp:-4874
> - return true;

I'm not sure if the call to 'isMatchingRegistrableDomainSuffix' handles this case or not. We seem to ASSERT that host() and protocol() are case-insensitively equal, but we don't actually do the test as far as I can tell.

> Source/WebCore/dom/Document.cpp:-4894
> - potentialPublicSuffix.remove(0, 1);

Your new code doesn't seem to have this call protection before passing 'domainSuffix' to 'isPublicSuffix'. As far as I can tell, whatever code paths might have brought a domain with a leading '.' into this code, could still happen and we are no longer protecting our call to 'isPublicSuffix'. I think we should keep this.
Comment on attachment 368655 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=368655&action=review

>> Source/WebCore/dom/Document.cpp:-4874
>> - return true;
>
> I'm not sure if the call to 'isMatchingRegistrableDomainSuffix' handles this case or not. We seem to ASSERT that host() and protocol() are case-insensitively equal, but we don't actually do the test as far as I can tell.

At the constructor of OriginAccessEntry, it will convert the newDomain to lowercase. And the SecurityOrigin itself should store every data in lowercase. That means the regular string comparison actually does this job.

>> Source/WebCore/dom/Document.cpp:-4894
>> - potentialPublicSuffix.remove(0, 1);
>
> Your new code doesn't seem to have this call protection before passing 'domainSuffix' to 'isPublicSuffix'. As far as I can tell, whatever code paths might have brought a domain with a leading '.' into this code, could still happen and we are no longer protecting our call to 'isPublicSuffix'. I think we should keep this.

If anything has a leading dot, then it shouldn't pass accessEntry.matchesOrigin().
Comment on attachment 368655 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=368655&action=review

> Source/WebCore/page/SecurityOrigin.cpp:445
> +

From the spec, we should return true as long as it is an exact match even if both domains are public suffix.
Created attachment 368692 [details] Patch
Comment on attachment 368692 [details]
Patch

r=me (Wait for EWS, please)
(In reply to Brent Fulgham from comment #7)
> Comment on attachment 368692 [details]
> Patch
>
> r=me (Wait for EWS, please)

Thanks, Brent.
Comment on attachment 368692 [details]
Patch

Clearing flags on attachment: 368692

Committed r244853: <https://trac.webkit.org/changeset/244853>
All reviewed patches have been landed. Closing bug.
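An added example, not part of this thread or of the WebKit patch: a standalone sketch of the HTML "is a registrable domain suffix of or is equal to" check that the bug asks for, covering the three points raised in review (lowercase comparison, a leading '.', and an exact match on a public suffix). The function names and the tiny suffix set are constructed for illustration, and inputs are assumed to be already-parsed domain names rather than IP addresses.

```cpp
#include <algorithm>
#include <cctype>
#include <set>
#include <string>

// Constructed stand-in for the Public Suffix List; a real check must consult the full list.
static const std::set<std::string> kPublicSuffixes = {"com", "uk", "co.uk", "io", "github.io"};

static std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(), [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

static bool endsWith(const std::string& s, const std::string& tail) {
    return s.size() >= tail.size() && s.compare(s.size() - tail.size(), tail.size(), tail) == 0;
}

// Longest entry of kPublicSuffixes that is the host itself or a label-aligned tail of it.
static std::string publicSuffixOf(const std::string& host) {
    for (std::size_t pos = 0; pos != std::string::npos;) {
        std::string tail = host.substr(pos);
        if (kPublicSuffixes.count(tail)) return tail;
        std::size_t dot = host.find('.', pos);
        pos = dot == std::string::npos ? dot : dot + 1;
    }
    return "";
}

// hostSuffix is the candidate (for WebAuthn, the RP ID); originalHost is the origin's host.
// Assumption: both are domain names, not IP addresses (the spec rejects those separately).
bool isRegistrableDomainSuffixOfOrEqualTo(const std::string& hostSuffixIn, const std::string& originalHostIn) {
    std::string hostSuffix = toLower(hostSuffixIn), originalHost = toLower(originalHostIn);
    if (hostSuffix.empty() || hostSuffix.front() == '.')
        return false; // this sketch rejects a leading dot up front, the case raised in review
    if (hostSuffix == originalHost)
        return true; // exact match is accepted even when both are public suffixes
    if (!endsWith(originalHost, "." + hostSuffix))
        return false; // must match on a label boundary, not a raw string tail
    if (hostSuffix == publicSuffixOf(hostSuffix))
        return false; // candidate is itself a public suffix
    if (endsWith(publicSuffixOf(originalHost), "." + hostSuffix))
        return false; // candidate lies inside the origin's public suffix
    return true;
}
```

The label-boundary test is what keeps `ample.com` from being accepted for `www.example.com`, and the public-suffix tests are what keep a page on `user.github.io` from claiming `github.io`.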