[webauthn] Redirected Icon Validation (#1139)

akshayku has just created a new issue for https://github.com/w3c/webauthn:

== Redirected Icon Validation ==
Currently [Icon](https://w3c.github.io/webauthn/#dom-publickeycredentialentity-icon) in the spec is marked as "This URL MUST be an a priori authenticated URL," and currently the FIDO2/WebAuthN conformance tests include a test where the icon supplied by the test is an HTTPS URL that redirects to an HTTP URL, and the test expects an error from the browser during the MakeCredential/Create call.

But there is no protection requiring this icon to be from the same origin, and it can be used to fool the user. For example, a bad RP uses a well-known image to fool the user. Another issue with redirected URLs is that they can change over time. So, in our opinion, they must only be checked when actually shown/rendered to the user.

We, at Microsoft, for security reasons, don't support icon fetching on our platform when we show the multiple-account selection UI where this is applicable. This applies to the platform as well as the external security key case. As and when we decide to support this, we will do the validations at that point and ignore these redirected HTTPS-to-HTTP URLs. So there is no security issue as of now w.r.t. these URLs, as we don't support them for now.

So IMO, this test should be removed from the makeCredential/Create layer and should only apply to platforms when they are actually using the icon during the multiple-account selection UI at the getAssertion/Get call.
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1139 using your GitHub account
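The render-time check the issue argues for, as an added example (not code from the issue, the WebAuthn spec, or any browser): each hop of the icon URL's redirect chain is tested against the "a priori authenticated URL" rule, and optionally against the RP's origin, only when the icon is about to be shown. The `fetchImpl` parameter and the constructed `mockFetch` responses are assumptions for running it offline; a real `fetch` with `redirect: "manual"` fits the same shape.

```javascript
// Added example; assumes a fetch-like function returning { status, headers: Map }.
// "A priori authenticated URL" (Secure Contexts): https/wss, data, about:blank,
// file, or a localhost origin. Only the schemes relevant to icons are handled.
function isAPrioriAuthenticated(href) {
  let u;
  try { u = new URL(href); } catch { return false; }
  if (u.protocol === "https:" || u.protocol === "data:") return true;
  if (u.protocol === "http:") return u.hostname === "localhost" || u.hostname === "127.0.0.1";
  return false;
}

// Follow redirects hop by hop so an HTTPS -> HTTP downgrade (or a later change of
// the target, as the issue notes) is caught at render time, not at create().
// rpOrigin is optional: when given, the final URL must be same-origin with the RP.
async function resolveIconForRender(href, fetchImpl, rpOrigin = null, maxHops = 5) {
  let current = href;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (!isAPrioriAuthenticated(current)) return { ok: false, reason: "insecure-url", url: current };
    const res = await fetchImpl(current, { redirect: "manual" });
    if (res.status >= 300 && res.status < 400) {
      const loc = res.headers.get("location");
      if (!loc) return { ok: false, reason: "bad-redirect", url: current };
      current = new URL(loc, current).href;   // resolve relative Location headers
      continue;
    }
    if (res.status !== 200) return { ok: false, reason: "http-" + res.status, url: current };
    if (rpOrigin !== null && new URL(current).origin !== rpOrigin) {
      return { ok: false, reason: "cross-origin", url: current };
    }
    return { ok: true, url: current };
  }
  return { ok: false, reason: "too-many-redirects", url: current };
}

// Constructed responses standing in for a network (assumption, not real hosts).
const constructedResponses = {
  "https://cdn.example/icon.png": { status: 302, location: "http://cdn.example/icon.png" },
  "http://cdn.example/icon.png": { status: 200 },
  "https://rp.example/logo.png": { status: 200 },
};
function mockFetch(url) {
  const r = constructedResponses[url] || { status: 404 };
  const headers = new Map(r.location ? [["location", r.location]] : []);
  return Promise.resolve({ status: r.status, headers });
}
```

Called with `rpOrigin` set to the RP's origin, the function also rejects the cross-origin "well-known image" case the issue describes, which the scheme check alone does not.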

Received on Thursday, 17 January 2019 19:44:07 UTC