philomathic_life
This is not a "vulnerability" due to the fact that the issue is 14 years away*; furthermore Vaultwarden may not even be a thing then. Anyway, I am not sure...
The current WebAuthn code violates the [specification](https://www.w3.org/TR/webauthn-2/#sctn-rp-operations). I'm not classifying this as a vulnerability, but one could argue any violation of something as important as authentication should be classified as...
**Current behavior** `unbound.conf(5)` does not state whether the order of the entries in a Response Policy Zone (RPZ) file matters. While in the Response Policy Zone Options section, it states...
I was [told that `getTransports`](https://github.com/kanidm/webauthn-rs/issues/401#issuecomment-1861962309) was recently added to the `master` branch; however I don't believe that is true. I `clone`d `master` just yesterday (i.e., after the comment was made),...
Sections [10.3](https://www.rfc-editor.org/rfc/rfc6749#section-10.3) and [10.4](https://www.rfc-editor.org/rfc/rfc6749#section-10.4) of RFC 6749 require the authorization server to use TLS when exchanging the access and refresh tokens; however Vaultwarden—which acts as both the resource and authorization...
[The enforcement rule for the Nickname Profile in RFC 8266](https://www.rfc-editor.org/rfc/rfc8266#section-2.3) expressly forbids empty strings: > After all of the foregoing rules have been enforced, the entity MUST ensure that the...
Both [`PublicKeyCredentialRpEntity.id`](https://www.w3.org/TR/webauthn-3/#dom-publickeycredentialrpentity-id) and [`PublicKeyCredentialRequestOptions.rpId`](https://www.w3.org/TR/webauthn-3/#dom-publickeycredentialrequestoptions-rpid) represent the same thing (i.e., [RP ID](https://www.w3.org/TR/webauthn-3/#rp-id)); however the former is modeled as a [`DOMString`](https://webidl.spec.whatwg.org/#idl-DOMString) while the latter is modeled as a [`USVString`](https://webidl.spec.whatwg.org/#idl-USVString). These should be...
[`COSEAlgorithmIdentifier`](https://www.w3.org/TR/webauthn-3/#typedefdef-cosealgorithmidentifier) is defined as a [`long`](https://webidl.spec.whatwg.org/#idl-long), but [`AuthenticatorAttestationResponseJSON.publicKeyAlgorithm`](https://www.w3.org/TR/webauthn-3/#dom-authenticatorattestationresponsejson-publickeyalgorithm) is a [`long long`](https://webidl.spec.whatwg.org/#idl-long-long). While RPs are likely based on 64-bit platforms, it seems unnecessary to require 64-bit signed integers when a...
[RP ID](https://www.w3.org/TR/webauthn-3/#rp-id) is required to be a [valid domain string](https://url.spec.whatwg.org/#valid-domain-string) which is the string representation of a [valid domain](https://url.spec.whatwg.org/#valid-domain). The definition of a valid domain cites [issue 245](https://github.com/whatwg/url/issues/245) which raises...
According to [`flags`](https://www.w3.org/TR/webauthn-3/#authdata-flags), bits 1 and 5 are "reserved for future use" without any requirement they are 0; however [Figure 3](https://www.w3.org/TR/webauthn-3/#fig-authData) and [Figure 6](https://www.w3.org/TR/webauthn-3/#attestation-object) display those bits as 0. Are...