Bug 1551229 - Anonmyize all 'direct' attestation requests on Android r=keeler
authorJ.C. Jones <jjones@mozilla.com>
Thu, 16 May 2019 17:37:35 +0000
changeset 474213 b0887a64bb5fa71d8a2428579f581c7a8dadddf2
parent 474212 7a0539ac539fe33bc1883fb18aa5b98141600c96
child 474214 f3b9043b4ab15a95c32835dce9c64e76f4a7fa6c
push id113144
push usershindli@mozilla.com
push dateFri, 17 May 2019 16:44:55 +0000
treeherdermozilla-inbound@f4c4b796f845 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerskeeler
bugs1551229, 1550164
milestone68.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1551229 - Anonmyize all 'direct' attestation requests on Android r=keeler The code that blocks on a UX prompt for a Direct Attestation has to be disabled for Android, as Android has no UX at present. Until Bug 1550164 resolves, we'll have to let direct attestations be downgraded to anonymized ("None") attestations. Differential Revision: https://phabricator.services.mozilla.com/D31360
dom/webauthn/U2FTokenManager.cpp
--- a/dom/webauthn/U2FTokenManager.cpp
+++ b/dom/webauthn/U2FTokenManager.cpp
@@ -307,25 +307,30 @@ void U2FTokenManager::Register(
     AbortTransaction(aTransactionId, NS_ERROR_DOM_NOT_ALLOWED_ERR);
     return;
   }
 
   mLastTransactionId = aTransactionId;
 
   // Determine whether direct attestation was requested.
   bool directAttestationRequested = false;
+
+// On Android, let's always reject direct attestations until we have a
+// mechanism to solicit user consent, from Bug 1550164
+#ifndef MOZ_WIDGET_ANDROID
   if (aTransactionInfo.Extra().isSome()) {
     const auto& extra = aTransactionInfo.Extra().ref();
 
     AttestationConveyancePreference attestation =
         extra.attestationConveyancePreference();
 
     directAttestationRequested =
         attestation == AttestationConveyancePreference::Direct;
   }
+#endif  // not MOZ_WIDGET_ANDROID
 
   // Start a register request immediately if direct attestation
   // wasn't requested or the test pref is set.
   if (!directAttestationRequested ||
       U2FPrefManager::Get()->GetAllowDirectAttestationForTesting()) {
     // Force "none" attestation when "direct" attestation wasn't requested.
     DoRegister(aTransactionInfo, !directAttestationRequested);
     return;