Proper origin terminology, references, and setting of callerOrigin #202
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -35,6 +35,23 @@ Boilerplate: omit conformance, omit feedback-header | |
| Markup Shorthands: css off, markdown on | ||
| </pre> | ||
|
|
||
| <pre class="anchors"> | ||
|
|
||
| <!-- spec: HTML; urlPrefix: https://html.spec.whatwg.org/multipage/ --> | ||
| spec: HTML51; urlPrefix: http://www.w3.org/TR/html51/; for: web | ||
| type: dfn | ||
| urlPrefix: browsers.html | ||
| text: origin; url: concept-cross-origin | ||
| text: opaque origin | ||
| text: tuple origin | ||
| text: relaxing the same-origin restriction | ||
| type: dfn | ||
| urlPrefix: webappapis.html; for: interface | ||
| text: current settings object; url:current-settings-object | ||
| text: Navigator | ||
|
|
||
| </pre> | ||
|
|
||
|
|
||
| # Introduction # {#intro} | ||
|
|
||
|
|
@@ -43,7 +60,7 @@ Markup Shorthands: css off, markdown on | |
| This specification defines an API enabling the creation and use of strong, attested, cryptographic <em><a>scoped | ||
| credentials</a></em> by web applications, for the purpose of strongly authenticating users. A <a>scoped credential</a> is | ||
| created and stored by an <em><a>authenticator</a></em> at the behest of a <em><a>[RP]</a></em>, subject to <em><a>user | ||
| consent</a></em>. Subsequently, the scoped credential can only be accessed by origins belonging to that [RP]. | ||
| This scoping is enforced jointly by <em><a>conforming User Agents</a></em> and <em><a>authenticators</a></em>. | ||
| Additionally, privacy across <a>[RPS]</a> is maintained; [RPS] are not able to detect any properties, or even | ||
| the existence, of credentials scoped to other [RPS]. | ||
|
|
@@ -130,8 +147,12 @@ or a combination of both. | |
|
|
||
| This specification relies on several other underlying specifications. | ||
|
|
||
| <!-- , <a>opaque origin</a>, --> | ||
|
|
||
| : HTML | ||
| :: The concepts of <a link-for='web'>current settings object</a>, |given value|, <a link-for='web'>opaque origin</a>, | ||
| <a for='web'>origin</a>, the <a>Navigator</a> interface, and the | ||
| <a link-for='web'>relaxing the same-origin restriction</a> "setting" algorithm are defined in [[!HTML51]]. | ||
|
|
||
| : Web IDL | ||
| :: Many of the interface definitions and all of the IDL in this specification depend on [[!WebIDL-1]]. This updated version of | ||
|
|
@@ -222,7 +243,7 @@ NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and | |
|
|
||
| : <dfn>Relying Party Identifier</dfn> | ||
| : <dfn>RP ID</dfn> | ||
| :: A Relying Party Identifier is derived from a <a>[RP]</a>'s origin's hostname by computing the hostname's <a>eTLD+1</a>. | ||
|
|
||
| : <dfn>Scoped Credential</dfn> | ||
| :: Generically, a credential is data one entity presents to another in order to authenticate the former's identity [[RFC4949]]. | ||
|
|
@@ -268,7 +289,7 @@ and/or platform on the user's behalf. At no point does the script get access to | |
| information about the credentials in the form of objects. | ||
|
|
||
| The security properties of this API are provided by the client and the authenticator working together. The authenticator, which | ||
| holds and manages credentials, ensures that all operations are scoped to a particular origin, and cannot be replayed against | ||
| a different origin, by incorporating the origin in its responses. Specifically, as defined in [[#signature-format]], the full | ||
| origin of the requester is included, and signed over, in the attestation statement produced when a new credential is created as | ||
| well as in all assertions produced by WebAuthn credentials. | ||
|
|
@@ -277,9 +298,9 @@ Additionally, to maintain user privacy and prevent malicious [RPS] from probing | |
| other [RPS], each credential is also associated with a Relying Party Identifier, or RP ID. This RP ID is provided by the client | ||
| to the authenticator for all operations, and the authenticator ensures that credentials created by a [RP] can only be used in | ||
| operations requested by the same RP ID. Separating the origin from the RP ID in this way allows the API to be used in cases | ||
| where a single [RP] maintains multiple origins. | ||
|
|
||
| The client facilitates these security measures by providing correct origins and RP IDs to the authenticator for each | ||
| operation. Since this is an integral part of the WebAuthn security model, user agents MUST only expose this API to callers in | ||
| <dfn>secure contexts</dfn>, as defined in [[secure-contexts]]. | ||
|
|
||
|
|
@@ -345,7 +366,12 @@ When this method is invoked, the user agent MUST execute the following algorithm | |
| 2. Let |promise| be a new <a data-lt="Promises">Promise</a>. Return |promise| and start a timer for |adjustedTimeout| seconds. | ||
| Then asynchronously continue executing the following steps. | ||
|
|
||
| 3. Set |callerOrigin| to the <a link-for='web'>current settings object</a>'s <a link-for='web'>origin</a>. If |callerOrigin| is | ||
| an <a link-for='web'>opaque origin</a>, reject |promise| with a <a>DOMException</a> whose name is "NotAllowedError", and | ||
| terminate this algorithm. | ||
| Otherwise, apply the <a link-for='web'>relaxing the same-origin restriction</a> "setting" algorithm using |callerOrigin| as | ||
| the |given value|. | ||
| If no errors are thrown, then derive the RP ID from |callerOrigin| by computing the | ||
|
There was a problem hiding this comment. If no errors are thrown, we should take the value of There was a problem hiding this comment. oh, so I didn't touch the text beyond the "derive the RP ID..." because PR #198 is altering it. should we (1) try to clean up before merging these PRs, or (2) merge one to master, the merge master to the un-merged branch, clean-up, and then merge the latter? There was a problem hiding this comment. I see. Yeah, I would do (2). There was a problem hiding this comment. ok, which PR merge first? |
||
| "public suffix + 1" or "PS+1" (which is also referred to as the "Effective Top-Level Domain plus One" or "<a>eTLD+1</a>") | ||
| part of |callerOrigin| [[PSL]]. Let |rpId| be the lowercase form of this RP ID. Set |rpIdHash| to the SHA-256 hash of the | ||
| UTF-8 encoding of |rpId|. | ||
|
|
@@ -421,7 +447,12 @@ When this method is invoked, the user agent MUST execute the following algorithm | |
| 2. Let |promise| be a new <a data-lt="Promises">Promise</a>. Return |promise| and start a timer for |adjustedTimeout| seconds. | ||
| Then asynchronously continue executing the following steps. | ||
|
|
||
| 3. Set |callerOrigin| to the <a link-for='web'>current settings object</a>'s <a link-for='web'>origin</a>. If |callerOrigin| | ||
| is an <a link-for='web'>opaque origin</a>, reject |promise| with a <a>DOMException</a> whose name is "NotAllowedError", and | ||
| terminate this algorithm. | ||
| Otherwise, apply the <a link-for='web'>relaxing the same-origin restriction</a> "setting" algorithm using |callerOrigin| as | ||
| the |given value|. | ||
| If no errors are thrown, then derive the RP ID from |callerOrigin| by computing the | ||
|
|
||
| "public suffix + 1" or "PS+1" (which is also referred to as the "Effective Top-Level Domain plus One" or "<a>eTLD+1</a>") | ||
| part of |callerOrigin| [[PSL]]. Let |rpId| be the lowercase form of this RP ID. Set |rpIdHash| to the SHA-256 hash of the | ||
| UTF-8 encoding of |rpId|. | ||
|
|
@@ -701,7 +732,7 @@ string-valued keys. Values may be any type that has a valid encoding in JSON. It | |
| <div dfn-for="ClientData"> | ||
| The <dfn>challenge</dfn> member contains the base64url encoding of the challenge provided by the RP. | ||
|
|
||
| The <dfn for="ClientData">origin</dfn> member contains the fully qualified origin of the requester, as provided to the authenticator by | ||
| the client, in the syntax defined by [[RFC6454]]. | ||
|
|
||
| The <dfn>rpId</dfn> member contains the RP ID of the requester, as computed by the client. | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can remove the for='web' everywhere now. It was only required for disambiguation before because there were two definitions of "origin" (one here, one as a member of ClientData). So the link-for helped bikeshed figure out which one we were talking about.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hm, well, given this branch's current state, it needs the link-for='web' to compile. perhaps we can clean that up after merging all these PRs to master?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
WFM