J.C. Jones
bce88244c0
Bug 1407789 - Prohibit cross-site iframes for Credential Management r=baku,keeler,ttaubert
Credential Management defines a parameter `sameOriginWithAncestors` which is
set true if the responsible document is not either in a top-level browsing
context, or is in a nested context whose hierarchy is all loaded from the
same origin as the top-level context [1][2]. The individual credential types
of CredMan can use this flag to make decisions on whether to error or not.
Our Credential Management implementation right now is a shim to Web
Authentication, which says that if `sameOriginWithAncestors` is false, return
`"NotAllowedError"`.
This ensures that
https://webauthn.bin.coffee/iframe.html
works, but the cross-origin
https://u2f.bin.coffee/iframe-webauthn.html
does not.
[1] https://w3c.github.io/webappsec-credential-management/#algorithm-request
[2] https://w3c.github.io/webappsec-credential-management/#algorithm-create
[3] https://w3c.github.io/webauthn/#createCredential
[4] https://w3c.github.io/webauthn/#getAssertion
MozReview-Commit-ID: KIyakgl0kGv
--HG--
extra : rebase_source : dace4f4d73823913bff759fce8255da8e18ad5e3
2017-10-12 18:18:39 -07:00