From 3e240359f41d623a42b98398179fc40225e0e56b Mon Sep 17 00:00:00 2001
From: Florent Morselli
Date: Mon, 23 Mar 2026 22:47:35 +0100
Subject: [PATCH 1/2] fix: pass topOriginValidator to CheckTopOrigin in requestCeremony()
The custom TopOriginValidator set via enableTopOriginValidator() was only passed to CheckTopOrigin in creationCeremony() but not in requestCeremony(), causing the fallback HostTopOriginValidator to always be used during authentication. This broke cross-origin iframe scenarios where topOrigin differs from the host.
Fixes #816
Co-Authored-By: Claude Opus 4.6 (1M context)
---
src/webauthn/src/CeremonyStep/CeremonyStepManagerFactory.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/webauthn/src/CeremonyStep/CeremonyStepManagerFactory.php b/src/webauthn/src/CeremonyStep/CeremonyStepManagerFactory.php
index 5772e8a3..32012ec5 100644
--- a/src/webauthn/src/CeremonyStep/CeremonyStepManagerFactory.php
+++ b/src/webauthn/src/CeremonyStep/CeremonyStepManagerFactory.php
@@ -169,7 +169,7 @@ public function requestCeremony(): CeremonyStepManager
 $this->allowSubdomains,
 $this->securedRelyingPartyId ?? []
 ),
- new CheckTopOrigin(),
+ new CheckTopOrigin($this->topOriginValidator),
 new CheckRelyingPartyIdIdHash(),
 new CheckUserWasPresent(),
 new CheckUserVerification(),
From a27d85caeaaf748b1890f434b88ff4b5117992bb Mon Sep 17 00:00:00 2001
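Review bot: The step `new CheckTopOrigin($this->topOriginValidator)` is now hand-written in this hunk and, per the commit message, in creationCeremony() as well, which is exactly how the two ceremonies drifted apart in the first place. A small private factory shared by both step lists, `private function topOriginStep(): CheckTopOrigin { return new CheckTopOrigin($this->topOriginValidator); }`, would stop the two lists diverging again, and a regression test asserting that requestCeremony() forwards the configured validator would pin this fix. The requestCeremony() body begins and ends outside the hunk, so I cannot see whether other per-ceremony copies of shared configuration sit in the same list.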
From: Florent Morselli
Date: Mon, 23 Mar 2026 22:52:30 +0100
Subject: [PATCH 2/2] fix: make enableTopOriginValidator actually enable the validation
Previously, CheckTopOrigin always validated the top origin using a fallback HostTopOriginValidator when no custom validator was set. This made enableTopOriginValidator() misleading since validation was always active regardless. Now, when no TopOriginValidator is configured, the top origin check is skipped entirely. Calling enableTopOriginValidator() truly enables the validation, matching the method's name and intent.
Fixes #816
Co-Authored-By: Claude Opus 4.6 (1M context)
---
src/webauthn/src/CeremonyStep/CheckTopOrigin.php | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/webauthn/src/CeremonyStep/CheckTopOrigin.php b/src/webauthn/src/CeremonyStep/CheckTopOrigin.php
index bb9a5554..31c73a35 100644
--- a/src/webauthn/src/CeremonyStep/CheckTopOrigin.php
+++ b/src/webauthn/src/CeremonyStep/CheckTopOrigin.php
@@ -33,9 +33,8 @@ public function process(
 throw AuthenticatorResponseVerificationException::create('The response is not cross-origin.');
 }
 if ($this->topOriginValidator === null) {
- (new HostTopOriginValidator($host))->validate($topOrigin);
- } else {
- $this->topOriginValidator->validate($topOrigin);
+ return;
 }
+ $this->topOriginValidator->validate($topOrigin);
 }
 }
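Review bot: The early `return;` on the new side turns the unconfigured case from fail-closed into fail-open: a cross-origin response that carries a `topOrigin` is now accepted from any embedding page, whereas the removed `HostTopOriginValidator($host)` fallback at least constrained it to the relying party's own host. The WebAuthn verification procedures expect the relying party to check `topOrigin` against the origins it expects to be embedded in whenever the field is present, so silently skipping the check by default is a weaker posture than before, and existing users who never called enableTopOriginValidator() lose a check with no signal. If "no validator configured" is meant to be an explicit opt-out, I would rather reject a response that carries a `topOrigin` when nothing is configured, `throw AuthenticatorResponseVerificationException::create('A top origin is present but no TopOriginValidator is configured.');`, and put the skip behind a deliberately constructed allow-all validator; at minimum the constructor and enableTopOriginValidator() docs should state that the default now accepts any top-level origin. process() starts outside the hunk, and if `$host` was consumed only by the removed fallback it is now an unused argument in this method, which is worth confirming.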