[PM-1224] Ensure Passkeys Not Requested From Iframes (#6057)

* added isNotIFrame method to page-script * added NotAllowedError to assertCredential in fido2 * remove excess comments * refactor fido2-client.service. created new errorhandling method for similar code between create and assert * update types and naming convention for new method in fido2-client.service * Did a reset to previous commit withiout the refactoring to reduce code duplication, Renamed isNotIframeCheck function and fixed other commits * Revert "update types and naming convention for new method in fido2-client.service" This reverts commit 1f5499b9bb. * Revert "refactor fido2-client.service. created new errorhandling method for similar code between create and assert" This reverts commit 3115c0d2a1. * updated test cases * removed forward slashes --------- Co-authored-by: gbubemismith <gsmithwalter@gmail.com>
2026-02-05 19:23:19 +00:00 · 2023-09-08 12:00:37 -04:00
parent d081cffbd7
commit 76601bd528
3 changed files with 33 additions and 4 deletions
--- a/apps/browser/src/vault/fido2/content/page-script.ts
+++ b/apps/browser/src/vault/fido2/content/page-script.ts
@@ -54,6 +54,14 @@ const browserCredentials = {

 const messenger = Messenger.forDOMCommunication(window);

+function isSameOriginWithAncestors() {
+  try {
+    return window.self === window.top;
+  } catch {
+    return false;
+  }
+}
+
 navigator.credentials.create = async (
  options?: CredentialCreationOptions,
  abortController?: AbortController
@@ -64,14 +72,15 @@ navigator.credentials.create = async (
    (options?.publicKey?.authenticatorSelection.authenticatorAttachment !== "platform" &&
      browserNativeWebauthnSupport);
  try {
+    const isNotIframe = isSameOriginWithAncestors();
+
    const response = await messenger.request(
      {
        type: MessageType.CredentialCreationRequest,
-        // TODO: Fix sameOriginWithAncestors!
        data: WebauthnUtils.mapCredentialCreationOptions(
          options,
          window.location.origin,
-          true,
+          isNotIframe,
          fallbackSupported
        ),
      },
@@ -99,6 +108,8 @@ navigator.credentials.get = async (
  const fallbackSupported = browserNativeWebauthnSupport;

  try {
+    const isNotIframe = isSameOriginWithAncestors();
+
    if (options?.mediation && options.mediation !== "optional") {
      throw new FallbackRequestedError();
    }
@@ -106,11 +117,10 @@ navigator.credentials.get = async (
    const response = await messenger.request(
      {
        type: MessageType.CredentialGetRequest,
-        // TODO: Fix sameOriginWithAncestors!
        data: WebauthnUtils.mapCredentialRequestOptions(
          options,
          window.location.origin,
-          true,
+          isNotIframe,
          fallbackSupported
        ),
      },
--- a/libs/common/src/vault/services/fido2/fido2-client.service.spec.ts
+++ b/libs/common/src/vault/services/fido2/fido2-client.service.spec.ts
@@ -342,6 +342,18 @@ describe("FidoAuthenticatorService", () => {
        const rejects = expect(result).rejects;
        await rejects.toThrow(FallbackRequestedError);
      });
+
+      // Spec: If sameOriginWithAncestors is false, return a "NotAllowedError" DOMException.
+      it("should throw error if sameOriginWithAncestors is false", async () => {
+        const params = createParams();
+        params.sameOriginWithAncestors = false; // Simulating the falsey value
+
+        const result = async () => await client.assertCredential(params);
+
+        const rejects = expect(result).rejects;
+        await rejects.toMatchObject({ name: "NotAllowedError" });
+        await rejects.toBeInstanceOf(DOMException);
+      });
    });

    describe("assert non-discoverable credential", () => {
--- a/libs/common/src/vault/services/fido2/fido2-client.service.ts
+++ b/libs/common/src/vault/services/fido2/fido2-client.service.ts
@@ -200,6 +200,13 @@ export class Fido2ClientService implements Fido2ClientServiceAbstraction {
      throw new FallbackRequestedError();
    }

+    if (!params.sameOriginWithAncestors) {
+      this.logService?.warning(
+        `[Fido2Client] Invalid 'sameOriginWithAncestors' value: ${params.sameOriginWithAncestors}`
+      );
+      throw new DOMException("Invalid 'sameOriginWithAncestors' value", "NotAllowedError");
+    }
+
    const { domain: effectiveDomain } = parse(params.origin, { allowPrivateDomains: true });
    if (effectiveDomain == undefined) {
      this.logService?.warning(`[Fido2Client] Invalid origin: ${params.origin}`);