[webauthn] CollectedClientData serialization is confusing WebIDL and/or Infra values for ECMAScript values (#2056)

petervanderbeken has just created a new issue for https://github.com/w3c/webauthn:

== CollectedClientData serialization is confusing WebIDL and/or Infra values for ECMAScript values ==
https://www.w3.org/TR/webauthn-3/#clientdatajson-serialization ends up calling ECMAScript operations on WebIDL and/or Infra values.

For example:

> 3. Append [CCDToString](https://www.w3.org/TR/webauthn-3/#ccdtostring)([type](https://www.w3.org/TR/webauthn-3/#dom-collectedclientdata-type)) to result.

Here `type` is a WebIDL value, of type `DOMString`. If we look at [CCDToString](https://www.w3.org/TR/webauthn-3/#ccdtostring) it does:

> 3. Invoke [ToString](https://tc39.es/ecma262/#sec-tostring) on the given object to convert to a string.

Invoking `ToString` on a `DOMString` is not defined; it expects an ECMAScript value. This should probably use the Infra algorithm to [serialize an Infra value to a JSON string](https://infra.spec.whatwg.org/#serialize-an-infra-value-to-json-bytes).


Another example is step 14.1:

> 1. Invoke [serialize JSON to bytes](https://infra.spec.whatwg.org/#serialize-a-javascript-value-to-json-bytes) on the temporary copy to produce a byte string remainder.

The temporary copy is created in step 12:

> 12. Create a temporary copy of the [CollectedClientData](https://www.w3.org/TR/webauthn-3/#dictdef-collectedclientdata) and remove the fields [type](https://www.w3.org/TR/webauthn-3/#dom-collectedclientdata-type), [challenge](https://www.w3.org/TR/webauthn-3/#dom-collectedclientdata-challenge), [origin](https://www.w3.org/TR/webauthn-3/#dom-collectedclientdata-origin), [crossOrigin](https://www.w3.org/TR/webauthn-3/#dom-collectedclientdata-crossorigin) (if present), and [topOrigin](https://www.w3.org/TR/webauthn-3/#dom-collectedclientdata-toporigin) (if present).

Nothing really defines how that should work, I think; it would be clearer if it used Infra operations like https://infra.spec.whatwg.org/#map-clone and https://infra.spec.whatwg.org/#map-remove on the WebIDL dictionary (which is an ordered map). It can then again use the Infra algorithms to convert to JSON.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2056 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 15 April 2024 08:21:42 UTC
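
The serialization discussed in the issue above, sketched as an added example (not text from the WebAuthn specification and not code from the issue author): the `CollectedClientData` dictionary is modelled as an ordered map, step 12 is done with a map clone plus map remove, and the remainder goes through a JSON serializer. The function names, the JavaScript `Map` standing in for the Infra ordered map, and the sample values are assumptions made for illustration.

```javascript
// Added example: clientDataJSON serialization over an ordered map.
// ccdToString and serializeClientData are hypothetical names.

// CCDToString for a value that is already a string (DOMString/USVString),
// so no ECMAScript ToString conversion is applied.
function ccdToString(s) {
  if (typeof s !== 'string') throw new TypeError('expected a string value');
  let out = '"';
  for (const ch of s) {                       // iterates by code point
    const cp = ch.codePointAt(0);
    if (cp === 0x22) out += '\\"';            // quotation mark
    else if (cp === 0x5c) out += '\\\\';      // backslash
    else if (cp >= 0x20) out += ch;           // 0x20, 0x21, 0x23-0x5B, 0x5D and up
    else out += '\\u' + cp.toString(16).padStart(4, '0'); // control characters
  }
  return out + '"';
}

// ccd: Map of member name -> value, standing in for the IDL dictionary.
function serializeClientData(ccd) {
  let result = '{"type":' + ccdToString(ccd.get('type'));
  result += ',"challenge":' + ccdToString(ccd.get('challenge'));
  result += ',"origin":' + ccdToString(ccd.get('origin'));
  result += ',"crossOrigin":' + (ccd.get('crossOrigin') === true ? 'true' : 'false');
  if (ccd.has('topOrigin')) result += ',"topOrigin":' + ccdToString(ccd.get('topOrigin'));

  // Step 12 expressed as map clone followed by map remove.
  const rest = new Map(ccd);
  for (const key of ['type', 'challenge', 'origin', 'crossOrigin', 'topOrigin']) {
    rest.delete(key);
  }

  if (rest.size === 0) {
    result += '}';
  } else {
    // Step 14: serialize the remaining members, drop the leading "{".
    const remainder = JSON.stringify(Object.fromEntries(rest));
    result += ',' + remainder.slice(1);
  }
  return new TextEncoder().encode(result);    // clientDataJSON bytes
}

// Constructed sample input, not taken from a real ceremony.
const sample = new Map([
  ['type', 'webauthn.get'],
  ['challenge', 'AAEC'],
  ['origin', 'https://example.test'],
  ['crossOrigin', false],
]);
console.log(new TextDecoder().decode(serializeClientData(sample)));
```

Because the first members are emitted in a fixed order with fixed byte prefixes, a relying party can compare those prefixes directly before falling back to a full JSON parse for any remaining members.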