gecko-dev/dom/credentialmanagement
J.C. Jones bce88244c0 Bug 1407789 - Prohibit cross-site iframes for Credential Management r=baku,keeler,ttaubert
Credential Management defines a parameter `sameOriginWithAncestors` which is
set true if the responsible document is not either in a top-level browsing
context, or is in a nested context whose heirarchy is all loaded from the
same origin as the top-level context [1][2]. The individual credential types
of CredMan can use this flag to make decisions on whether to error or not.

Our Credential Management implementation right now is a shim to Web
Authentication, which says that if `sameOriginWithAncestors` is false, return
`"NotAllowedError"`.

This ensures that

  https://webauthn.bin.coffee/iframe.html

works, but the cross-origin

  https://u2f.bin.coffee/iframe-webauthn.html

does not.

[1] https://w3c.github.io/webappsec-credential-management/#algorithm-request
[2] https://w3c.github.io/webappsec-credential-management/#algorithm-create
[3] https://w3c.github.io/webauthn/#createCredential
[4] https://w3c.github.io/webauthn/#getAssertion

MozReview-Commit-ID: KIyakgl0kGv

--HG--
extra : rebase_source : dace4f4d73823913bff759fce8255da8e18ad5e3
2017-10-12 18:18:39 -07:00
..
tests Bug 1407789 - Prohibit cross-site iframes for Credential Management r=baku,keeler,ttaubert 2017-10-12 18:18:39 -07:00
Credential.cpp
Credential.h
CredentialsContainer.cpp Bug 1407789 - Prohibit cross-site iframes for Credential Management r=baku,keeler,ttaubert 2017-10-12 18:18:39 -07:00
CredentialsContainer.h Bug 1407789 - Prohibit cross-site iframes for Credential Management r=baku,keeler,ttaubert 2017-10-12 18:18:39 -07:00
moz.build Bug 1407789 - Prohibit cross-site iframes for Credential Management r=baku,keeler,ttaubert 2017-10-12 18:18:39 -07:00