RESOLVED FIXED 208676
[WebAuthn] Do not perform Attestation with type is 'none'
https://bugs.webkit.org/show_bug.cgi?id=208676
Jiewen Tan
Reported 2020-03-05 17:00:19 PST
Avoid Apple Attestation when attestation = "none".
Attachments
Patch (11.76 KB, patch)
2020-03-05 17:14 PST, Jiewen Tan
bfulgham: review+
Patch for Landing (11.80 KB, patch)
2020-03-06 12:41 PST, Jiewen Tan
no flags
Jiewen Tan
Comment 1 2020-03-05 17:00:32 PST
Jiewen Tan
Comment 2 2020-03-05 17:14:29 PST
Brent Fulgham
Comment 3 2020-03-06 12:30:55 PST
Comment on attachment 392653 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=392653&action=review

> Source/WebKit/ChangeLog:3
> + [WebAuthn] Avoid Apple Attestation when attestation = "none"

Maybe call this "Do not perform Attestation with type is 'none'"?

> Source/WebKit/ChangeLog:10
> + accesses to Apple Attestation for now. The whitelist includes file URL,

"... to restrict access until validation is complete. The whitelist allows file URLs and test-related domains."

> Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm:101
> +// FIXME<rdar://problem/60108131>: Remove this whitelist before shipping.

I think it's enough to just say:

// FIXME(<rdar://problem/60108131>): Remove this whitelist once testing is complete.

> LayoutTests/ChangeLog:3
> + [WebAuthn] Avoid Apple Attestation when attestation = "none"

Ditto (change title).
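Review bot: the FIXME at Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm:101 is the only visible thing tying the temporary whitelist to its removal, and the quoted ChangeLog text at Source/WebKit/ChangeLog:10 ("for now") names no end condition. Suggest having the ChangeLog entry cite the same radar, <rdar://problem/60108131>, so the code comment and the ChangeLog point at one tracking item, and, if the entry does not already do so, listing exactly which file URLs and domains the whitelist lets through, since that list controls access to Apple Attestation while the restriction is in place.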
Jiewen Tan
Comment 4 2020-03-06 12:37:10 PST
Comment on attachment 392653 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=392653&action=review

Thanks Brent for r+ing this patch.

>> Source/WebKit/ChangeLog:3
>> + [WebAuthn] Avoid Apple Attestation when attestation = "none"
>
> Maybe call this "Do not perform Attestation with type is 'none'"?

Fixed.

>> Source/WebKit/ChangeLog:10
>> + accesses to Apple Attestation for now. The whitelist includes file URL,
>
> "... to restrict access until validation is complete. The whitelist allows file URLs and test-related domains."

Fixed.

>> Source/WebKit/UIProcess/WebAuthentication/Cocoa/LocalAuthenticator.mm:101
>> +// FIXME<rdar://problem/60108131>: Remove this whitelist before shipping.
>
> I think it's enough to just say:
>
> // FIXME(<rdar://problem/60108131>): Remove this whitelist once testing is complete.

Fixed.

>> LayoutTests/ChangeLog:3
>> + [WebAuthn] Avoid Apple Attestation when attestation = "none"
>
> Ditto (change title).

Fixed.
Jiewen Tan
Comment 5 2020-03-06 12:41:37 PST
Created attachment 392757 [details] Patch for Landing
Jiewen Tan
Comment 6 2020-03-06 12:42:48 PST