Bug 1244960 - FIDO u2f NSSToken (Part 4): Correct FacetID base algorithm. r=keeler
authorJ.C. Jones <jjones@mozilla.com>
Wed, 13 Apr 2016 10:32:25 -0700
changeset 331369 2c274b2733a321944958c422dbea5a279b6d1cc0
parent 331368 d7edcf25d8396f3af13337cb717b706e84b7712c
child 331370 ef91fef4c24999f8df0e35c42fc93ec23d7e391c
push id6048
push userkmoir@mozilla.com
push dateMon, 06 Jun 2016 19:02:08 +0000
treeherdermozilla-beta@46d72a56c57d [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerskeeler
bugs1244960, 1244959
milestone48.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1244960 - FIDO u2f NSSToken (Part 4): Correct FacetID base algorithm. r=keeler Work on the FacetID/AppID algorithm showed this patch had incorrect usage of the eTLD+1 checking, so this patch removes those checks until the more sophisticated algorithm lands in Bug 1244959. MozReview-Commit-ID: 2k6N5AU0J68
dom/u2f/U2F.cpp
dom/u2f/tests/test_frame_appid_facet.html
dom/u2f/tests/test_frame_appid_facet_subdomain.html
--- a/dom/u2f/U2F.cpp
+++ b/dom/u2f/U2F.cpp
@@ -301,34 +301,16 @@ U2F::ValidAppID(/* in/out */ nsString& a
     return false;
   }
 
   // If the facetId and the appId auths match, accept
   if (facetAuth == appIdAuth) {
     return true;
   }
 
-  nsAutoCString appIdTld;
-  nsAutoCString facetTld;
-
-  rv = tldService->GetBaseDomainFromHost(appIdAuth, 0, appIdTld);
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    return false;
-  }
-  rv = tldService->GetBaseDomainFromHost(facetAuth, 0, facetTld);
-  if (NS_WARN_IF(NS_FAILED(rv))) {
-    return false;
-  }
-
-  // If this AppID's registered domain matches the Facet's, accept
-  if (!facetTld.IsEmpty() && !appIdTld.IsEmpty() &&
-      (facetTld == appIdTld)) {
-    return true;
-  }
-
   // TODO(Bug 1244959) Implement the remaining algorithm.
   return false;
 }
 
 template <class CB, class Rsp>
 void
 SendError(CB& aCallback, ErrorCode aErrorCode)
 {
--- a/dom/u2f/tests/test_frame_appid_facet.html
+++ b/dom/u2f/tests/test_frame_appid_facet.html
@@ -46,21 +46,13 @@ u2f.register("https://example.com/appId"
 // Test: Dynamic origin
 u2f.register(window.location.origin + "/otherAppId", [{
   version: version,
   challenge: bytesToBase64UrlSafe(challenge),
 }], [], function(res){
   local_is(res.errorCode, 0, "Direct window origin should work");
 });
 
-// eTLD+1 check
-u2f.register("https://test1.example.com/appId", [{
-  version: version,
-  challenge: bytesToBase64UrlSafe(challenge),
-}], [], function(res){
-  local_is(res.errorCode, 0, "Subdomain AppID should work");
-});
-
 local_finished();
 
 </script>
 </body>
 </html>
--- a/dom/u2f/tests/test_frame_appid_facet_subdomain.html
+++ b/dom/u2f/tests/test_frame_appid_facet_subdomain.html
@@ -8,28 +8,53 @@
 <script class="testbody" type="text/javascript">
 "use strict";
 
 var version = "U2F_V2";
 var challenge = new Uint8Array(16);
 
 local_is(window.location.origin, "https://test1.example.com", "Is loaded correctly");
 
-// eTLD+1 check
-u2f.register("https://example.com/appId", [{
+// same domain check
+u2f.register("https://test1.example.com/appId", [{
   version: version,
   challenge: bytesToBase64UrlSafe(challenge),
 }], [], function(res){
-  local_is(res.errorCode, 0, "AppID should work from a subdomain");
+  local_is(res.errorCode, 0, "AppID should work from a subfolder of this domain");
+  step2();
 });
 
-u2f.register("https://example.net/appId", [{
-  version: version,
-  challenge: bytesToBase64UrlSafe(challenge),
-}], [], function(res){
-  local_isnot(res.errorCode, 0, "AppID should not work from other domains");
-});
+function step2() {
+  // same domain check, but wrong scheme
+  u2f.register("http://test1.example.com/appId", [{
+    version: version,
+    challenge: bytesToBase64UrlSafe(challenge),
+  }], [], function(res){
+    local_isnot(res.errorCode, 0, "AppID should work from a subfolder of this domain");
+    step3();
+  });
+}
 
-local_finished();
+function step3() {
+  // eTLD+1 subdomain check
+  u2f.register("https://example.com/appId", [{
+    version: version,
+    challenge: bytesToBase64UrlSafe(challenge),
+  }], [], function(res){
+    local_isnot(res.errorCode, 0, "AppID should not work from another subdomain in this registered domain");
+    step4();
+  });
+}
+
+function step4() {
+  // other domain check
+  u2f.register("https://mochi.test:8888/appId", [{
+    version: version,
+    challenge: bytesToBase64UrlSafe(challenge),
+  }], [], function(res){
+    local_isnot(res.errorCode, 0, "AppID should not work from other domains");
+    local_finished();
+  });
+}
 
 </script>
 </body>
 </html>