Bug 1244960 - FIDO u2f NSSToken (Part 4): Correct FacetID base algorithm r?keeler
Work on the FacetID/AppID algorithm showed this patch had incorrect usage of
the eTLD+1 checking, so this patch removes those checks until the more
sophisticated algorithm lands in
Bug 1244959.
MozReview-Commit-ID: 2k6N5AU0J68
--- a/dom/u2f/U2F.cpp
+++ b/dom/u2f/U2F.cpp
@@ -301,34 +301,16 @@ U2F::ValidAppID(/* in/out */ nsString& a
return false;
}
// If the facetId and the appId auths match, accept
if (facetAuth == appIdAuth) {
return true;
}
- nsAutoCString appIdTld;
- nsAutoCString facetTld;
-
- rv = tldService->GetBaseDomainFromHost(appIdAuth, 0, appIdTld);
- if (NS_WARN_IF(NS_FAILED(rv))) {
- return false;
- }
- rv = tldService->GetBaseDomainFromHost(facetAuth, 0, facetTld);
- if (NS_WARN_IF(NS_FAILED(rv))) {
- return false;
- }
-
- // If this AppID's registered domain matches the Facet's, accept
- if (!facetTld.IsEmpty() && !appIdTld.IsEmpty() &&
- (facetTld == appIdTld)) {
- return true;
- }
-
// TODO(Bug 1244959) Implement the remaining algorithm.
return false;
}
template <class CB, class Rsp>
void
SendError(CB& aCallback, ErrorCode aErrorCode)
{
--- a/dom/u2f/tests/test_frame_appid_facet.html
+++ b/dom/u2f/tests/test_frame_appid_facet.html
@@ -46,21 +46,13 @@ u2f.register("https://example.com/appId"
// Test: Dynamic origin
u2f.register(window.location.origin + "/otherAppId", [{
version: version,
challenge: bytesToBase64UrlSafe(challenge),
}], [], function(res){
local_is(res.errorCode, 0, "Direct window origin should work");
});
-// eTLD+1 check
-u2f.register("https://test1.example.com/appId", [{
- version: version,
- challenge: bytesToBase64UrlSafe(challenge),
-}], [], function(res){
- local_is(res.errorCode, 0, "Subdomain AppID should work");
-});
-
local_finished();
</script>
</body>
</html>
--- a/dom/u2f/tests/test_frame_appid_facet_subdomain.html
+++ b/dom/u2f/tests/test_frame_appid_facet_subdomain.html
@@ -8,28 +8,53 @@
<script class="testbody" type="text/javascript">
"use strict";
var version = "U2F_V2";
var challenge = new Uint8Array(16);
local_is(window.location.origin, "https://test1.example.com", "Is loaded correctly");
-// eTLD+1 check
-u2f.register("https://example.com/appId", [{
+// same domain check
+u2f.register("https://test1.example.com/appId", [{
version: version,
challenge: bytesToBase64UrlSafe(challenge),
}], [], function(res){
- local_is(res.errorCode, 0, "AppID should work from a subdomain");
+ local_is(res.errorCode, 0, "AppID should work from a subfolder of this domain");
+ step2();
});
-u2f.register("https://example.net/appId", [{
- version: version,
- challenge: bytesToBase64UrlSafe(challenge),
-}], [], function(res){
- local_isnot(res.errorCode, 0, "AppID should not work from other domains");
-});
+function step2() {
+ // same domain check, but wrong scheme
+ u2f.register("http://test1.example.com/appId", [{
+ version: version,
+ challenge: bytesToBase64UrlSafe(challenge),
+ }], [], function(res){
+ local_isnot(res.errorCode, 0, "AppID should work from a subfolder of this domain");
+ step3();
+ });
+}
-local_finished();
+function step3() {
+ // eTLD+1 subdomain check
+ u2f.register("https://example.com/appId", [{
+ version: version,
+ challenge: bytesToBase64UrlSafe(challenge),
+ }], [], function(res){
+ local_isnot(res.errorCode, 0, "AppID should not work from another subdomain in this registered domain");
+ step4();
+ });
+}
+
+function step4() {
+ // other domain check
+ u2f.register("https://mochi.test:8888/appId", [{
+ version: version,
+ challenge: bytesToBase64UrlSafe(challenge),
+ }], [], function(res){
+ local_isnot(res.errorCode, 0, "AppID should not work from other domains");
+ local_finished();
+ });
+}
</script>
</body>
</html>
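Review bot: In `step2` the message passed to `local_isnot` still reads "AppID should work from a subfolder of this domain", copied from the first check, although the assertion expects the `http://` AppID to be rejected. A failure in this negative scheme test would therefore be logged with text that says the opposite of what is being checked; I would change it to `local_isnot(res.errorCode, 0, "AppID should not work with a different scheme");`. In `step3` the comment and message speak of "another subdomain", but the AppID under test, `https://example.com/appId`, appears to be the parent registered domain of this frame's origin, so `// eTLD+1 parent domain check` may describe it better. Because `local_finished()` is now reached only through the chained callbacks, a `u2f.register` call whose callback never fires would end the test by timeout rather than by a failed assertion.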