WebKit Bugzilla
RESOLVED FIXED
196046
[WebAuthN] Add a quirk for google.com when processing AppID extension
https://bugs.webkit.org/show_bug.cgi?id=196046
Alexei Czeskis
Reported
2019-03-20 17:36:30 PDT
For historical reasons (being the first U2F implementor) Google uses a non-standard (cross-origin) AppID. The App ID is “www.gstatic.com” for logins to “google.com” and its subdomains. This bug requests an exception on the cross-origin check for valid AppIds in the case of google.com and gstatic.com. Both Chrome and Firefox already make this exception. Firefox tracking bug and implementation:
https://bugzilla.mozilla.org/show_bug.cgi?id=1436078
Chrome's implementation:
https://cs.chromium.org/chromium/src/content/browser/webauth/authenticator_common.cc?l=252&rcl=4d674f923c5a1f03b2262132cb621a3db78f7562
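The exception requested in the report above can be modelled as follows. This is an added example, not code from the WebKit patch or from the Chrome or Firefox implementations; the function names, the `callerSite` parameter (the caller's registrable domain, assumed to be computed elsewhere from the Public Suffix List) and the URLs used with it are hypothetical.

```cpp
#include <cctype>
#include <string>

// Host of an "https://host[:port]/path" URL, lowercased.
// Returns "" for non-HTTPS input or when userinfo ("user@host") is present.
static std::string httpsHost(const std::string& url)
{
    const std::string scheme = "https://";
    if (url.compare(0, scheme.size(), scheme) != 0)
        return "";
    std::string rest = url.substr(scheme.size());
    std::string authority = rest.substr(0, rest.find_first_of("/?#"));
    if (authority.find('@') != std::string::npos)
        return "";
    std::string host = authority.substr(0, authority.find(':'));
    for (char& c : host)
        c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return host;
}

// True when host equals domain or is a subdomain of it (label boundary enforced,
// so "notgoogle.com" does not match "google.com").
static bool isDomainOrSubdomain(const std::string& host, const std::string& domain)
{
    if (host == domain)
        return true;
    if (domain.empty() || host.size() <= domain.size())
        return false;
    auto cut = host.size() - domain.size();
    return host[cut - 1] == '.' && host.compare(cut, std::string::npos, domain) == 0;
}

// callerSite: the caller's registrable domain (assumption: supplied by the embedder).
bool isAppIDAllowed(const std::string& callerOrigin, const std::string& callerSite, const std::string& appID)
{
    std::string callerHost = httpsHost(callerOrigin);
    std::string appIDHost = httpsHost(appID);
    if (callerHost.empty() || appIDHost.empty() || !isDomainOrSubdomain(callerHost, callerSite))
        return false;
    // Standard rule: the AppID must be same-site with the caller.
    if (isDomainOrSubdomain(appIDHost, callerSite))
        return true;
    // Quirk from this bug: google.com and its subdomains may name www.gstatic.com.
    // Only the host is compared here; this model does not pin the AppID path.
    return isDomainOrSubdomain(callerHost, "google.com") && appIDHost == "www.gstatic.com";
}
```

The quirk is keyed on both sides of the pair, so it does not let any other site use a gstatic.com AppID, and it does not let google.com use any other cross-origin AppID.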
Attachments
Patch (2.83 KB, patch), 2019-05-01 21:58 PDT, Jiewen Tan. Flags: bfulgham: review+, bfulgham: commit-queue-
Patch for landing (3.26 KB, patch), 2019-05-02 11:36 PDT, Jiewen Tan. No flags.
Radar WebKit Bug Importer
Comment 1
2019-03-20 18:13:04 PDT
<rdar://problem/49088479>
Jiewen Tan
Comment 2
2019-05-01 21:58:36 PDT
Created attachment 368761 [details]
Patch
Brent Fulgham
Comment 3
2019-05-02 10:00:55 PDT
Comment on attachment 368761 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=368761&action=review

> Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp:84
> +{

Please add a comment:

"
FIXME(BUG #): Remove this quirk in 2023
As an early adopter of U2F features, Google has a large number of existing device registrations that authenticate 'google.com' against 'gstatic.com'.
Firefox and other browsers have agreed to grant an exception to the AppId rules for a limited time period (5 years from January, 2018) to allow existing
Google users to seamlessly transition to proper WebAuthN behavior.
"

Then please file a bug to remove this quirk in 2023.
Jiewen Tan
Comment 4
2019-05-02 11:34:27 PDT
Comment on attachment 368761 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=368761&action=review

>> Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp:84
>> +{
>
> Please add a comment:
>
> "
> FIXME(BUG #): Remove this quirk in 2023
> As an early adopter of U2F features, Google has a large number of existing device registrations that authenticate 'google.com' against 'gstatic.com'.
> Firefox and other browsers have agreed to grant an exception to the AppId rules for a limited time period (5 years from January, 2018) to allow existing
> Google users to seamlessly transition to proper WebAuthN behavior.
> "
>
> Then please file a bug to remove this quirk in 2023.

Added.
Jiewen Tan
Comment 5
2019-05-02 11:34:49 PDT
(In reply to Brent Fulgham from comment #3)
> Comment on attachment 368761 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=368761&action=review
>
> > Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp:84
> > +{
>
> Please add a comment:
>
> "
> FIXME(BUG #): Remove this quirk in 2023
> As an early adopter of U2F features, Google has a large number of existing
> device registrations that authenticate 'google.com' against 'gstatic.com'.
> Firefox and other browsers have agreed to grant an exception to the AppId
> rules for a limited time period (5 years from January, 2018) to allow
> existing
> Google users to seamlessly transition to proper WebAuthN behavior.
> "
>
> Then please file a bug to remove this quirk in 2023.

Thanks Brent for r+ this patch.
Jiewen Tan
Comment 6
2019-05-02 11:36:34 PDT
Created attachment 368798 [details]
Patch for landing
WebKit Commit Bot
Comment 7
2019-05-02 12:15:13 PDT
Comment on attachment 368798 [details]
Patch for landing

Clearing flags on attachment: 368798

Committed r244879: <https://trac.webkit.org/changeset/244879>
Simon Fraser (smfr)
Comment 8
2019-05-02 12:57:44 PDT
Comment on attachment 368761 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=368761&action=review

>>>> Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp:84
>>>> +{
>>>
>>> Please add a comment:
>>>
>>> "
>>> FIXME(BUG #): Remove this quirk in 2023
>>> As an early adopter of U2F features, Google has a large number of existing device registrations that authenticate 'google.com' against 'gstatic.com'.
>>> Firefox and other browsers have agreed to grant an exception to the AppId rules for a limited time period (5 years from January, 2018) to allow existing
>>> Google users to seamlessly transition to proper WebAuthN behavior.
>>> "
>>>
>>> Then please file a bug to remove this quirk in 2023.
>>
>> Added.
>
> Thanks Brent for r+ this patch.

This needs to go through the Quirks class so that the Develop menu switch can turn it off.
Jiewen Tan
Comment 9
2019-05-02 14:04:59 PDT
(In reply to Simon Fraser (smfr) from comment #8)
> Comment on attachment 368761 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=368761&action=review
>
> >>>> Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp:84
> >>>> +{
> >>>
> >>> Please add a comment:
> >>>
> >>> "
> >>> FIXME(BUG #): Remove this quirk in 2023
> >>> As an early adopter of U2F features, Google has a large number of existing device registrations that authenticate 'google.com' against 'gstatic.com'.
> >>> Firefox and other browsers have agreed to grant an exception to the AppId rules for a limited time period (5 years from January, 2018) to allow existing
> >>> Google users to seamlessly transition to proper WebAuthN behavior.
> >>> "
> >>>
> >>> Then please file a bug to remove this quirk in 2023.
> >>
> >> Added.
> >
> > Thanks Brent for r+ this patch.
>
> This needs to go through the Quirks class so that the Develop menu switch
> can turn it off.

I would argue it is not meaningful to turn Quirks off. Basically, the whole WebAuthentication feature will not work in Google.com if this is off.
Wenson Hsieh
Comment 10
2019-05-02 14:31:04 PDT
Comment on attachment 368761 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=368761&action=review

>>>>>> Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp:84
>>>>>> +{
>>>>>
>>>>> Please add a comment:
>>>>>
>>>>> "
>>>>> FIXME(BUG #): Remove this quirk in 2023
>>>>> As an early adopter of U2F features, Google has a large number of existing device registrations that authenticate 'google.com' against 'gstatic.com'.
>>>>> Firefox and other browsers have agreed to grant an exception to the AppId rules for a limited time period (5 years from January, 2018) to allow existing
>>>>> Google users to seamlessly transition to proper WebAuthN behavior.
>>>>> "
>>>>>
>>>>> Then please file a bug to remove this quirk in 2023.
>>>>
>>>> Added.
>>>
>>> Thanks Brent for r+ this patch.
>>
>> This needs to go through the Quirks class so that the Develop menu switch can turn it off.
>
> I would argue it is not meaningful to turn Quirks off. Basically, the whole WebAuthentication feature will not work in Google.com if this is off.

I believe the utility in being able to turn off quirks is that web developers can easily test their content against the un-quirked browser engine, to make sure that their content will work when we finally remove the quirk.
Jiewen Tan
Comment 11
2019-05-02 14:37:42 PDT
(In reply to Wenson Hsieh from comment #10)
> Comment on attachment 368761 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=368761&action=review
>
> >>>>>> Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp:84
> >>>>>> +{
> >>>>>
> >>>>> Please add a comment:
> >>>>>
> >>>>> "
> >>>>> FIXME(BUG #): Remove this quirk in 2023
> >>>>> As an early adopter of U2F features, Google has a large number of existing device registrations that authenticate 'google.com' against 'gstatic.com'.
> >>>>> Firefox and other browsers have agreed to grant an exception to the AppId rules for a limited time period (5 years from January, 2018) to allow existing
> >>>>> Google users to seamlessly transition to proper WebAuthN behavior.
> >>>>> "
> >>>>>
> >>>>> Then please file a bug to remove this quirk in 2023.
> >>>>
> >>>> Added.
> >>>
> >>> Thanks Brent for r+ this patch.
> >>
> >> This needs to go through the Quirks class so that the Develop menu switch can turn it off.
> >
> > I would argue it is not meaningful to turn Quirks off. Basically, the whole WebAuthentication feature will not work in Google.com if this is off.
>
> I believe the utility in being able to turn off quirks is that web
> developers can easily test their content against the un-quirked browser
> engine, to make sure that their content will work when we finally remove the
> quirk.

I don't think they would have any un-quirked version. I probably shouldn't name this as quirks.