RESOLVED FIXED 196046
[WebAuthN] Add a quirk for google.com when processing AppID extension
https://bugs.webkit.org/show_bug.cgi?id=196046
Summary [WebAuthN] Add a quirk for google.com when processing AppID extension
Alexei Czeskis
Reported 2019-03-20 17:36:30 PDT
For historical reasons (being the first U2F implementor) Google uses a non-standard (cross-origin) AppID. The App ID is “www.gstatic.com” for logins to “google.com” and its subdomains. This bug requests an exception on the cross-origin check for valid AppIds in the case of google.com and gstatic.com. Both Chrome and Firefox already make this exception. Firefox tracking bug and implementation: https://bugzilla.mozilla.org/show_bug.cgi?id=1436078 Chrome's implementation: https://cs.chromium.org/chromium/src/content/browser/webauth/authenticator_common.cc?l=252&rcl=4d674f923c5a1f03b2262132cb621a3db78f7562
Attachments
Patch (2.83 KB, patch)
2019-05-01 21:58 PDT, Jiewen Tan
bfulgham: review+
bfulgham: commit-queue-
Patch for landing (3.26 KB, patch)
2019-05-02 11:36 PDT, Jiewen Tan
no flags
Radar WebKit Bug Importer
Comment 1 2019-03-20 18:13:04 PDT
Jiewen Tan
Comment 2 2019-05-01 21:58:36 PDT
Brent Fulgham
Comment 3 2019-05-02 10:00:55 PDT
Comment on attachment 368761 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=368761&action=review > Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp:84 > +{ Please add a comment: " FIXME(BUG #): Remove this quirk in 2023 As an early adopter of U2F features, Google has a large number of existing device registrations that authenticate 'google.com' against 'gstatic.com'. Firefox and other browsers have agreed to grant an exception to the AppId rules for a limited time period (5 years from January, 2018) to allow existing Google users to seamlessly transition to proper WebAuthN behavior. " Then please file a bug to remove this quirk in 2023.
Jiewen Tan
Comment 4 2019-05-02 11:34:27 PDT
Comment on attachment 368761 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=368761&action=review >> Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp:84 >> +{ > > Please add a comment: > > " > FIXME(BUG #): Remove this quirk in 2023 > As an early adopter of U2F features, Google has a large number of existing device registrations that authenticate 'google.com' against 'gstatic.com'. > Firefox and other browsers have agreed to grant an exception to the AppId rules for a limited time period (5 years from January, 2018) to allow existing > Google users to seamlessly transition to proper WebAuthN behavior. > " > > Then please file a bug to remove this quirk in 2023. Added.
Jiewen Tan
Comment 5 2019-05-02 11:34:49 PDT
(In reply to Brent Fulgham from comment #3) > Comment on attachment 368761 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=368761&action=review > > > Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp:84 > > +{ > > Please add a comment: > > " > FIXME(BUG #): Remove this quirk in 2023 > As an early adopter of U2F features, Google has a large number of existing > device registrations that authenticate 'google.com' against 'gstatic.com'. > Firefox and other browsers have agreed to grant an exception to the AppId > rules for a limited time period (5 years from January, 2018) to allow > existing > Google users to seamlessly transition to proper WebAuthN behavior. > " > > Then please file a bug to remove this quirk in 2023. Thanks Brent for r+ this patch.
Jiewen Tan
Comment 6 2019-05-02 11:36:34 PDT
Created attachment 368798 [details] Patch for landing
WebKit Commit Bot
Comment 7 2019-05-02 12:15:13 PDT
Comment on attachment 368798 [details] Patch for landing Clearing flags on attachment: 368798 Committed r244879: <https://trac.webkit.org/changeset/244879>
Simon Fraser (smfr)
Comment 8 2019-05-02 12:57:44 PDT
Comment on attachment 368761 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=368761&action=review >>>> Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp:84 >>>> +{ >>> >>> Please add a comment: >>> >>> " >>> FIXME(BUG #): Remove this quirk in 2023 >>> As an early adopter of U2F features, Google has a large number of existing device registrations that authenticate 'google.com' against 'gstatic.com'. >>> Firefox and other browsers have agreed to grant an exception to the AppId rules for a limited time period (5 years from January, 2018) to allow existing >>> Google users to seamlessly transition to proper WebAuthN behavior. >>> " >>> >>> Then please file a bug to remove this quirk in 2023. >> >> Added. > > Thanks Brent for r+ this patch. This needs to go through the Quirks class so that the Develop menu switch can turn it off.
Jiewen Tan
Comment 9 2019-05-02 14:04:59 PDT
(In reply to Simon Fraser (smfr) from comment #8) > Comment on attachment 368761 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=368761&action=review > > >>>> Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp:84 > >>>> +{ > >>> > >>> Please add a comment: > >>> > >>> " > >>> FIXME(BUG #): Remove this quirk in 2023 > >>> As an early adopter of U2F features, Google has a large number of existing device registrations that authenticate 'google.com' against 'gstatic.com'. > >>> Firefox and other browsers have agreed to grant an exception to the AppId rules for a limited time period (5 years from January, 2018) to allow existing > >>> Google users to seamlessly transition to proper WebAuthN behavior. > >>> " > >>> > >>> Then please file a bug to remove this quirk in 2023. > >> > >> Added. > > > > Thanks Brent for r+ this patch. > > This needs to go through the Quirks class so that the Develop menu switch > can turn it off. I would argue it is not meaningful to turn Quirks off. Basically, the whole WebAuthentication feature will not work in Google.com if this is off.
Wenson Hsieh
Comment 10 2019-05-02 14:31:04 PDT
Comment on attachment 368761 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=368761&action=review >>>>>> Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp:84 >>>>>> +{ >>>>> >>>>> Please add a comment: >>>>> >>>>> " >>>>> FIXME(BUG #): Remove this quirk in 2023 >>>>> As an early adopter of U2F features, Google has a large number of existing device registrations that authenticate 'google.com' against 'gstatic.com'. >>>>> Firefox and other browsers have agreed to grant an exception to the AppId rules for a limited time period (5 years from January, 2018) to allow existing >>>>> Google users to seamlessly transition to proper WebAuthN behavior. >>>>> " >>>>> >>>>> Then please file a bug to remove this quirk in 2023. >>>> >>>> Added. >>> >>> Thanks Brent for r+ this patch. >> >> This needs to go through the Quirks class so that the Develop menu switch can turn it off. > > I would argue it is not meaningful to turn Quirks off. Basically, the whole WebAuthentication feature will not work in Google.com if this is off. I believe the utility in being able to turn off quirks is that web developers can easily test their content against the un-quirked browser engine, to make sure that their content will work when we finally remove the quirk.
Jiewen Tan
Comment 11 2019-05-02 14:37:42 PDT
(In reply to Wenson Hsieh from comment #10) > Comment on attachment 368761 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=368761&action=review > > >>>>>> Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp:84 > >>>>>> +{ > >>>>> > >>>>> Please add a comment: > >>>>> > >>>>> " > >>>>> FIXME(BUG #): Remove this quirk in 2023 > >>>>> As an early adopter of U2F features, Google has a large number of existing device registrations that authenticate 'google.com' against 'gstatic.com'. > >>>>> Firefox and other browsers have agreed to grant an exception to the AppId rules for a limited time period (5 years from January, 2018) to allow existing > >>>>> Google users to seamlessly transition to proper WebAuthN behavior. > >>>>> " > >>>>> > >>>>> Then please file a bug to remove this quirk in 2023. > >>>> > >>>> Added. > >>> > >>> Thanks Brent for r+ this patch. > >> > >> This needs to go through the Quirks class so that the Develop menu switch can turn it off. > > > > I would argue it is not meaningful to turn Quirks off. Basically, the whole WebAuthentication feature will not work in Google.com if this is off. > > I believe the utility in being able to turn off quirks is that web > developers can easily test their content against the un-quirked browser > engine, to make sure that their content will work when we finally remove the > quirk. I don't think they would have any un-quirked version. I probably shouldn't name this as quirks.
Note You need to log in before you can comment on or make changes to this bug.