
ClientData verification fails for AppID with subpath

Open thmo opened this issue 5 years ago • 0 comments

This code

https://github.com/tstranex/u2f/blob/d21a03e0b1d9fc1df59ff54e7a513655c1748b0c/util.go#L107-L116

compares the facetID to be equal to the Origin, as reported by the client. However, the specs say:

If the caller's FacetID is an https:// Origin sharing the same host as the AppID, (e.g. if an application hosted at https://fido.example.com/myApp set an AppID of https://fido.example.com/myAppId), no additional processing is necessary and the operation may proceed.

The check should be modified to reflect that, i.e. accept an Origin sharing the same host as the AppID.

The issue came up here: https://github.com/go-gitea/gitea/issues/10231

thmo, Mar 03 '20 14:03
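An added example (not code from the issue or from the u2f library) of the "same host" facet rule quoted above: a hypothetical `facetAllowed` helper that accepts a client-reported origin when both it and the AppID are `https://` URLs with the same host, so an AppID carrying a subpath such as `/myAppId` no longer has to be string-equal to the origin. It assumes only the Go standard library and does not implement the TrustedFacets fetching the spec prescribes for origins on other hosts.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// facetAllowed reports whether origin (as reported by the client) is an
// acceptable facet for appID under the spec's same-host rule: both must
// be https:// and share the same host. The path of the AppID is ignored
// on purpose, which is exactly the case the issue describes.
// Host includes any explicit port, so a non-default port must match too;
// hostnames are compared case-insensitively.
func facetAllowed(appID, origin string) (bool, error) {
	a, err := url.Parse(appID)
	if err != nil {
		return false, fmt.Errorf("bad AppID: %w", err)
	}
	o, err := url.Parse(origin)
	if err != nil {
		return false, fmt.Errorf("bad origin: %w", err)
	}
	if a.Host == "" || o.Host == "" {
		return false, errors.New("AppID and origin must be absolute URLs")
	}
	// Only https facets qualify for the no-further-processing shortcut.
	if a.Scheme != "https" || o.Scheme != "https" {
		return false, nil
	}
	return strings.EqualFold(a.Host, o.Host), nil
}

func main() {
	// Constructed inputs taken from the example in the spec text quoted above.
	appID := "https://fido.example.com/myAppId"
	for _, origin := range []string{
		"https://fido.example.com/myApp", // same host: accepted
		"https://other.example.com",      // different host: rejected
		"http://fido.example.com",        // not https: rejected
	} {
		ok, err := facetAllowed(appID, origin)
		fmt.Printf("%-32s allowed=%v err=%v\n", origin, ok, err)
	}
}
```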