fix(webauthn): authorize appid against caller origin#275

Merged: AlfioEmanueleFresta merged 1 commit into master from fix/appid-facet-authorization on Jul 1, 2026.


Conversation

@AlfioEmanueleFresta (Member)

The appid and appidExclude extensions were accepted without checking the supplied AppID against the caller, so a site could drive a query under an unrelated AppID. This authorizes the AppID against the caller origin and rejects a mismatch with a security error. The appidExclude result is now reported back when an exclusion is acted on.

Closes #252.

@AlfioEmanueleFresta AlfioEmanueleFresta marked this pull request as ready for review June 20, 2026 14:32
…igin

Reuse the same-site rp.id check so a caller cannot borrow an unrelated
site's legacy AppID on the U2F downgrade path (appid) or to enumerate
excluded credentials (appidExclude). The AppID host must be a
registrable-domain suffix of, or equal to, the caller origin host.
Reject otherwise with a SecurityError, and emit the appidExclude client
output when the exclusion is acted upon.
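The authorization rule the commit message describes, as an added example written here in Python and not taken from the project: the AppID host must equal the caller origin host or be a registrable-domain suffix of it, and anything else is a SecurityError. The small `PUBLIC_SUFFIXES` set is a constructed stand-in for the Public Suffix List so the check can be run offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (publicsuffix.org); a real
# client loads the full list. Assumption for this example, not project data.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "github.io"}


class SecurityError(Exception):
    """Raised when an AppID is not authorized for the caller origin."""


def host_of(url):
    """Return the lowercase host of an https URL; reject other schemes and IPs."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host:
        raise SecurityError(f"expected an https URL with a host, got {url!r}")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return host  # a domain name, as rp.id / AppID hosts must be
    raise SecurityError(f"IP address host is not a valid AppID host: {host!r}")


def is_registrable_domain_suffix(candidate, host):
    """The rule WebAuthn applies to rp.id against the caller's effective domain:
    equal, or a suffix that starts on a label boundary and is not a bare
    public suffix (so "com" or "co.uk" can never be borrowed as an AppID)."""
    if candidate == host:
        return True
    return host.endswith("." + candidate) and candidate not in PUBLIC_SUFFIXES


def is_appid_authorized(appid, caller_origin):
    """True when the AppID host is authorized for the caller origin."""
    try:
        return is_registrable_domain_suffix(host_of(appid), host_of(caller_origin))
    except SecurityError:
        return False


def authorize_appid(appid, caller_origin):
    """Return the AppID, or raise SecurityError on a mismatch. The same check
    gates both the appid (U2F downgrade) and appidExclude extensions."""
    if not is_appid_authorized(appid, caller_origin):
        raise SecurityError(f"AppID {appid!r} not authorized for origin {caller_origin!r}")
    return appid
```

Without the public-suffix exclusion, an AppID of `https://com/` would pass the plain suffix test for every `.com` caller, which is why the label-boundary and suffix-list checks are both needed.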
@AlfioEmanueleFresta AlfioEmanueleFresta force-pushed the fix/appid-facet-authorization branch from 3307999 to 53b23a5 on July 1, 2026 21:03
@AlfioEmanueleFresta AlfioEmanueleFresta merged commit b6c726e into master Jul 1, 2026
7 checks passed
@AlfioEmanueleFresta AlfioEmanueleFresta deleted the fix/appid-facet-authorization branch July 1, 2026 21:04

Development

Merging this pull request may close the linked issue: fix(webauthn): authorize appid and appidExclude against caller origin

1 participant