
fix: pass topOriginValidator to CheckTopOrigin in requestCeremony() #821

Merged
Spomky merged 2 commits into 5.2.x from fix/top-origin-validator-request-ceremony
Mar 23, 2026

Conversation

@Spomky (Contributor) commented Mar 23, 2026

Summary

  • The custom TopOriginValidator set via enableTopOriginValidator() was passed to CheckTopOrigin in creationCeremony() but not in requestCeremony(). Fixed by passing $this->topOriginValidator in both ceremonies.
  • enableTopOriginValidator() was misleading: top origin validation was always active via a fallback HostTopOriginValidator, making the method name suggest it "enables" something that was already on. Now, when no TopOriginValidator is configured, the top origin check is skipped entirely. Calling enableTopOriginValidator() truly enables the validation.

Fixes #816

Test plan

  • Verify that without calling enableTopOriginValidator(), top origin validation is skipped (no strict host comparison)
  • Verify that calling enableTopOriginValidator() with a custom validator activates validation for both creation and request ceremonies
  • Verify cross-origin iframe authentication works when topOrigin differs from host and no top origin validator is configured

🤖 Generated with Claude Code

The custom TopOriginValidator set via enableTopOriginValidator() was only
passed to CheckTopOrigin in creationCeremony() but not in
requestCeremony(), causing the fallback HostTopOriginValidator to always
be used during authentication. This broke cross-origin iframe scenarios
where topOrigin differs from the host.

Fixes #816

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Spomky Spomky self-assigned this Mar 23, 2026
@Spomky Spomky added the bug Something isn't working label Mar 23, 2026
@Spomky Spomky added this to the 5.2.6 milestone Mar 23, 2026
Previously, CheckTopOrigin always validated the top origin using a
fallback HostTopOriginValidator when no custom validator was set. This
made enableTopOriginValidator() misleading since validation was always
active regardless.

Now, when no TopOriginValidator is configured, the top origin check is
skipped entirely. Calling enableTopOriginValidator() truly enables the
validation, matching the method's name and intent.

Fixes #816

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
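To show the two changes described in the summary and the commit messages above, here is a stripped-down model of the CheckTopOrigin wiring. This is an added illustration, not the library's own code: the interface shape, the AllowListTopOriginValidator class and the two requestCeremony* functions are assumed, and it needs PHP 8.0 or later for constructor promotion.

```php
<?php
interface TopOriginValidator {
    public function isValid(string $topOrigin, string $host): bool;
}
// Fallback used before this PR: the top origin's host must equal the RP host.
final class HostTopOriginValidator implements TopOriginValidator {
    public function isValid(string $topOrigin, string $host): bool {
        return strcasecmp((string) parse_url($topOrigin, PHP_URL_HOST), $host) === 0;
    }
}
// A custom validator (assumed) allow-listing the origins permitted to embed the RP.
final class AllowListTopOriginValidator implements TopOriginValidator {
    public function __construct(private array $allowed) {}
    public function isValid(string $topOrigin, string $host): bool {
        return in_array($topOrigin, $this->allowed, true);
    }
}

final class CheckTopOrigin {
    public function __construct(private ?TopOriginValidator $validator) {}
    public function check(?string $topOrigin, string $host): void {
        if ($topOrigin === null || $this->validator === null) {
            return; // no cross-origin signal, or (after #821) no validator configured
        }
        if (!$this->validator->isValid($topOrigin, $host)) {
            throw new RuntimeException("Top origin {$topOrigin} is not allowed");
        }
    }
}

// Before: requestCeremony() never received $this->topOriginValidator, so the
// step always ran with the strict fallback regardless of configuration.
function requestCeremonyBefore(?TopOriginValidator $configured): CheckTopOrigin {
    return new CheckTopOrigin(new HostTopOriginValidator());
}
// After: both ceremonies receive the configured validator, which may be null.
function requestCeremonyAfter(?TopOriginValidator $configured): CheckTopOrigin {
    return new CheckTopOrigin($configured);
}

$custom = new AllowListTopOriginValidator(['https://embedder.example']);
try {
    requestCeremonyBefore($custom)->check('https://embedder.example', 'rp.example');
} catch (RuntimeException $e) {
    echo "before: rejected, the custom validator was ignored\n";
}
requestCeremonyAfter($custom)->check('https://embedder.example', 'rp.example');
echo "after: accepted by the custom validator\n";
```

Note the flip side of the second change: an RP that never calls enableTopOriginValidator() now gets no top-origin check at all, so an RP that must not be authenticated from inside a third-party frame should configure a validator explicitly rather than rely on the old implicit fallback.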
@Spomky Spomky merged commit 6cdbfa3 into 5.2.x Mar 23, 2026
13 of 14 checks passed
@Spomky Spomky deleted the fix/top-origin-validator-request-ceremony branch March 23, 2026 21:59

Development

Successfully merging this pull request may close these issues.

CeremonyStepManagerFactory not setting CheckTopOrigin correctly for request ceremony
