Bug 248847
| Summary: | [WebAuthn] googleLegacyAppidSupport extension is obsolete and can be removed | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Martin Kreichgauer <martinkr> |
| Component: | WebKit Misc. | Assignee: | pascoe <pascoe> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | Normal | CC: | pascoe, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
Martin Kreichgauer
In https://bugs.webkit.org/show_bug.cgi?id=202427, WebKit added support for the non-standard googleLegacyAppidSupport WebAuthn request extension. If set by a google.com origin, this extension causes the WebAuthn API create() call to create a U2F API style credential bound to the hard-coded App ID `https://www.gstatic.com/securitykey/origins.json`, rather than a credential bound to a WebAuthn RP ID. Google.com stopped relying on this behavior several months ago. This means the googleLegacyAppidSupport extension is now obsolete and can be removed. (Here is Chromium’s change removing this extension: https://chromium-review.googlesource.com/c/chromium/src/+/3958174.)
Note that google.com continues to rely on the ability to _assert_ legacy U2F/CTAP1 credentials bound to the `https://www.gstatic.com/securitykey/origins.json` U2F App ID for the foreseeable future.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
pascoe@apple.com
Thanks Martin.
Radar WebKit Bug Importer
<rdar://problem/103141593>
pascoe@apple.com
*** This bug has been marked as a duplicate of bug 254848 ***