
CheckAllowedOrigins host only behavior #817

@zll600

Version(s) affected

5.2.x

Description

**This is not a bug (but not a feature). Just my thoughts. Feel free to close it.**

Commit b4cd9a4 keeps the host-only check for backward compatibility.

This means all existing applications running on webauthn-framework are still exposed to the possible attacks if they do not change their configuration, even if they upgrade to 5.2.4.

How to reproduce

I made a minimal reproducible test case in https://github.com/zll600/webauthn-framework/blob/0b5ac51a68c95dd2292f166a0e10be6775ad3339/tests/library/Functional/CheckAllowedOriginsTest.php#L324-L344.

It tests scenarios like:

  1. allowed_origins is set only with a host-only origin like example.com
  2. incoming origins like https://example:8443 or https://example:9999 would bypass the allowed_origins check.

This may allow unexpected origins to bypass the validation.

Possible Solution

For host-only origins like example.com, process them as https://example.com by adding the https scheme. Since the WebAuthn API runs over TLS, this should avoid the validation bypass without impacting most of the applications which use webauthn-framework.

Additional Context

No response
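The two behaviours described in the issue, as an added example that is not code from webauthn-framework or from the reporter's test case: a host-only comparison that ignores scheme and port (the backward-compatible behaviour the report objects to) beside the proposed normalisation of a bare host to `https://host`. The function names (`normalizeOrigin`, `isAllowedHostOnly`, `isAllowedStrict`) and the allowed-origins list are hypothetical; the code assumes PHP 8 for `str_contains`.

```php
<?php
declare(strict_types=1);

// Added example, not webauthn-framework code. Models the issue's two checks
// with hypothetical functions; PHP 8 assumed for str_contains().

/**
 * Normalise an origin to "scheme://host[:port]" with the default port dropped,
 * so https://example.com and https://example.com:443 compare equal.
 * Returns null when the value has no scheme or host.
 */
function normalizeOrigin(string $origin): ?string
{
    $parts = parse_url($origin);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme  = strtolower($parts['scheme']);
    $host    = strtolower($parts['host']);
    $port    = $parts['port'] ?? null;
    $default = ['https' => 443, 'http' => 80][$scheme] ?? null;
    if ($port === null || $port === $default) {
        return $scheme . '://' . $host;
    }
    return $scheme . '://' . $host . ':' . $port;
}

/**
 * Backward-compatible behaviour: an allowed entry without a scheme is matched
 * on host alone, so scheme and port of the incoming origin are never checked.
 */
function isAllowedHostOnly(string $origin, array $allowedOrigins): bool
{
    $incoming = parse_url($origin);
    if ($incoming === false || !isset($incoming['host'])) {
        return false;
    }
    foreach ($allowedOrigins as $allowed) {
        if (str_contains($allowed, '://')) {
            // Full origin configured: compare the normalised origin.
            if (normalizeOrigin($allowed) === normalizeOrigin($origin)) {
                return true;
            }
            continue;
        }
        // Host-only entry: port 8443, 9999 or plain http all pass here.
        if (strtolower($allowed) === strtolower($incoming['host'])) {
            return true;
        }
    }
    return false;
}

/**
 * Proposed behaviour: a host-only entry is treated as https://host, then the
 * whole normalised origin (scheme, host, port) must match.
 */
function isAllowedStrict(string $origin, array $allowedOrigins): bool
{
    $target = normalizeOrigin($origin);
    if ($target === null) {
        return false;
    }
    foreach ($allowedOrigins as $allowed) {
        $candidate = str_contains($allowed, '://') ? $allowed : 'https://' . $allowed;
        if (normalizeOrigin($candidate) === $target) {
            return true;
        }
    }
    return false;
}

// Constructed inputs: one host-only entry, four origins a client could send.
$allowed = ['example.com'];
$origins = [
    'https://example.com',
    'https://example.com:443',
    'https://example.com:8443',
    'http://example.com',
];
foreach ($origins as $o) {
    printf("%-26s host-only=%-5s strict=%s\n", $o,
        var_export(isAllowedHostOnly($o, $allowed), true),
        var_export(isAllowedStrict($o, $allowed), true));
}
```

With `['example.com']` configured, the host-only check accepts all four origins, including `https://example.com:8443` and plain `http://example.com`; the strict check accepts only `https://example.com` and its equivalent `https://example.com:443`. Deployments that genuinely serve WebAuthn on a non-default port would have to list that port explicitly, which is the compatibility cost the issue weighs.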

Labels: bug