- From: Aleksandr Kolbasov via GitHub <noreply@w3.org>
- Date: Wed, 29 Apr 2026 02:51:26 +0000
- To: public-webauthn@w3.org
a2kolbasov has just created a new issue for https://github.com/w3c/webauthn:
== Missing validation of rpId before Related Origins fetch ==
## Proposed Change
I think this is currently incorrect behavior in the verification of `pkOptions.rp.id` (https://www.w3.org/TR/2026/CR-webauthn-3-20260113/#CreateCred-DetermineRpId).
Suppose a website uses the following code:
```javascript
let fakeRpId = "hostname.example/path?search=1&";
await navigator.credentials.create({
  publicKey: {
    rp: {
      id: fakeRpId
    }
    ...
  }
});
```
If a browser supports ROR, the spec says:
```
let rpIdRequested = pkOptions.rp.id;
related_origins_validation(callerOrigin, rpIdRequested);
```
without checking the value of `pkOptions.rp.id`.
Then in *5.11.1. Validating Related Origins* (https://www.w3.org/TR/2026/CR-webauthn-3-20260113/#sctn-validating-relation-origin) a request is sent to `https://rpIdRequested/.well-known/webauthn` without any checks.
So, it turns out that we need to send a request to
`https://hostname.example/path?search=1&/.well-known/webauthn`?
******
Although `rpId` is conceptually required to be a valid hostname (without path or query components), the current draft does not explicitly reject values containing slashes or question marks. The specification mentions [RFC 8615](https://www.w3.org/TR/2026/CR-webauthn-3-20260113/#biblio-rfc8615) in this context, but without any specifics — for example, how to validate the `rpId` format, whether to throw a `SecurityError`, or what exactly to do. As a result, a malicious or malformed `rpId` could lead to an HTTPS request being sent to an unexpected URL.
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2422 using your GitHub account
--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 29 April 2026 02:51:33 UTC
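A defensive check of the kind this issue asks for, added here as an example and not code from the issue, the WebAuthn spec or any browser: the rp.id is required to be a bare hostname before it is used to build the Related Origins URL, and the URL parser is then asked to confirm that nothing leaked into the path or query. The function names, the `SecurityError` class and the exact rejection rules (ASCII labels only, no IDNA handling) are assumptions.

```javascript
// Added example, not code from the issue or the WebAuthn spec: reject an
// rp.id that is not a bare hostname before it is used to build the
// Related Origins URL, so "hostname.example/path?search=1&" can never change
// the path or query of the https://<rpId>/.well-known/webauthn request.
// Function names and the exact rejection rules are assumptions.

class SecurityError extends Error {
  constructor(message) { super(message); this.name = "SecurityError"; }
}

// DNS-style hostname: dot-separated labels of ASCII letters, digits and
// hyphens; no scheme, userinfo, port, path, query or fragment. IDNA/punycode
// handling is deliberately out of scope here. Returns the lowercased
// hostname, or null when the value is not a plain hostname.
function parseRpIdHostname(rpIdRequested) {
  if (typeof rpIdRequested !== "string") return null;
  const label = "[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?";
  const hostnameRe = new RegExp(`^(?=.{1,253}$)${label}(?:\\.${label})*$`, "i");
  return hostnameRe.test(rpIdRequested) ? rpIdRequested.toLowerCase() : null;
}

// Build the well-known URL only from a validated hostname, then let the URL
// parser confirm that every other component is exactly what we intended.
function relatedOriginsUrl(rpIdRequested) {
  const host = parseRpIdHostname(rpIdRequested);
  if (host === null) throw new SecurityError("rp.id is not a valid hostname");
  const url = new URL(`https://${host}/.well-known/webauthn`);
  if (url.host !== host || url.pathname !== "/.well-known/webauthn" ||
      url.search !== "" || url.hash !== "" || url.username !== "") {
    throw new SecurityError("rp.id altered the well-known URL");
  }
  return url.href;
}

// Stand-alone demonstration using the value from the issue (constructed input).
for (const id of ["hostname.example", "hostname.example/path?search=1&"]) {
  try {
    console.log(id, "->", relatedOriginsUrl(id));
  } catch (e) {
    console.log(id, "->", `${e.name}: ${e.message}`);
  }
}
```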