Modified: branches/safari-613-branch/Source/WebKit/ChangeLog (290948 => 290949)
--- branches/safari-613-branch/Source/WebKit/ChangeLog 2022-03-07 22:11:01 UTC (rev 290948)
+++ branches/safari-613-branch/Source/WebKit/ChangeLog 2022-03-07 22:11:04 UTC (rev 290949)
@@ -1,5 +1,46 @@
2022-03-07 Russell Epstein <[email protected]>
+ Cherry-pick r290755. rdar://problem/89700242
+
+ [WebAuthn] Completion handler is not called when WebAuthn invoked without proper entitlements
+ https://bugs.webkit.org/show_bug.cgi?id=237380
+ <rdar://problem/89700242>
+
+ Reviewed by Chris Dumez.
+
+ WebAuthn is not permitted outside of Web Browser applications. When an application that lacks
+ the full web browser entitlement attempts to invoke WebAuthn flows, we do an early return. However,
+ the completion handler for this flow is bypassed, preventing applications from being informed of
+ this problem.
+
+ * WebProcess/WebAuthentication/WebAuthenticatorCoordinator.cpp:
+ (WebKit::WebAuthenticatorCoordinator::makeCredential):
+ (WebKit::WebAuthenticatorCoordinator::getAssertion):
+ (WebKit::WebAuthenticatorCoordinator::isUserVerifyingPlatformAuthenticatorAvailable):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@290755 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2022-03-02 Brent Fulgham <[email protected]>
+
+ [WebAuthn] Completion handler is not called when WebAuthn invoked without proper entitlements
+ https://bugs.webkit.org/show_bug.cgi?id=237380
+ <rdar://problem/89700242>
+
+ Reviewed by Chris Dumez.
+
+ WebAuthn is not permitted outside of Web Browser applications. When an application that lacks
+ the full web browser entitlement attempts to invoke WebAuthn flows, we do an early return. However,
+ the completion handler for this flow is bypassed, preventing applications from being informed of
+ this problem.
+
+ * WebProcess/WebAuthentication/WebAuthenticatorCoordinator.cpp:
+ (WebKit::WebAuthenticatorCoordinator::makeCredential):
+ (WebKit::WebAuthenticatorCoordinator::getAssertion):
+ (WebKit::WebAuthenticatorCoordinator::isUserVerifyingPlatformAuthenticatorAvailable):
+
+2022-03-07 Russell Epstein <[email protected]>
+
Cherry-pick r290629. rdar://problem/88903506
[IPC] Do more hardening in WebSWServerConnection's client registration / unregistration
Modified: branches/safari-613-branch/Source/WebKit/WebProcess/WebAuthentication/WebAuthenticatorCoordinator.cpp (290948 => 290949)
--- branches/safari-613-branch/Source/WebKit/WebProcess/WebAuthentication/WebAuthenticatorCoordinator.cpp 2022-03-07 22:11:01 UTC (rev 290948)
+++ branches/safari-613-branch/Source/WebKit/WebProcess/WebAuthentication/WebAuthenticatorCoordinator.cpp 2022-03-07 22:11:04 UTC (rev 290949)
@@ -47,6 +47,12 @@
#include <WebCore/SecurityOrigin.h>
#include <WebCore/UserGestureIndicator.h>
+#undef WEBAUTHN_RELEASE_LOG
+#define PAGE_ID (m_webPage.identifier().toUInt64())
+#define FRAME_ID (webFrame->frameID().toUInt64())
+#define WEBAUTHN_RELEASE_LOG_ERROR(fmt, ...) RELEASE_LOG_ERROR(WebAuthn, "%p - [webPageID=%" PRIu64 ", webFrameID=%" PRIu64 "] WebAuthenticatorCoordinator::" fmt, this, PAGE_ID, FRAME_ID, ##__VA_ARGS__)
+#define WEBAUTHN_RELEASE_LOG_ERROR_NO_FRAME(fmt, ...) RELEASE_LOG_ERROR(WebAuthn, "%p - [webPageID=%" PRIu64 "] WebAuthenticatorCoordinator::" fmt, this, PAGE_ID, ##__VA_ARGS__)
+
namespace WebKit {
using namespace WebCore;
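Review bot: The `#undef WEBAUTHN_RELEASE_LOG` that opens the added macro block names a macro this hunk never defines. The macros introduced are `WEBAUTHN_RELEASE_LOG_ERROR` and `WEBAUTHN_RELEASE_LOG_ERROR_NO_FRAME`, and those are the names undefined again in the last hunk of the file. If the line is meant to guard against an earlier definition leaking in from another source file, it should presumably read `#undef WEBAUTHN_RELEASE_LOG_ERROR`, with a matching line for the `_NO_FRAME` variant. Separately, `FRAME_ID` expands to `webFrame->frameID()`, so every use site silently needs a non-null local named `webFrame`. A comment such as `// FRAME_ID requires a non-null local 'webFrame' at the point of use.` above the defines would make that dependency visible.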
@@ -79,8 +85,11 @@
return;
}
- if (!isWebBrowser())
+ if (!isWebBrowser()) {
+ WEBAUTHN_RELEASE_LOG_ERROR("makeCredential: The 'navigator.credentials.create' API is only permitted in applications with the 'com.apple.developer.web-browser' entitlement.");
+ handler({ }, static_cast<AuthenticatorAttachment>(0), ExceptionData { NotAllowedError, "The 'navigator.credentials.create' API is only permitted in applications with the 'com.apple.developer.web-browser' entitlement." });
return;
+ }
WebProcess::singleton().ensureWebAuthnProcessConnection().connection().sendWithAsyncReply(Messages::WebAuthnConnectionToWebProcess::MakeCredential(hash, options, isProcessingUserGesture), WTFMove(handler));
}
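Review bot: The new rejection path in makeCredential passes `static_cast<AuthenticatorAttachment>(0)` and spells the same long message twice, once in the log call and once in `ExceptionData`; the getAssertion hunk repeats both. A named enumerator would avoid depending on the enum's numeric layout, and keeping the text in a single local would stop the log and the reported error from drifting apart. The `ExceptionData` message presumably reaches page script as the exception's message, so it tells web content which entitlement the host app lacks. If that detail is only meant for developers, keep it in the release log and hand the page a generic `NotAllowedError` text. The function body starts outside this hunk, so it is worth confirming that the earlier early returns (the hunk shows only the tail of one) also invoke `handler`.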
@@ -101,8 +110,11 @@
return;
}
- if (!isWebBrowser())
+ if (!isWebBrowser()) {
+ WEBAUTHN_RELEASE_LOG_ERROR("getAssertion: The 'navigator.credentials.get' API is only permitted in applications with the 'com.apple.developer.web-browser' entitlement.");
+ handler({ }, static_cast<AuthenticatorAttachment>(0), ExceptionData { NotAllowedError, "The 'navigator.credentials.get' API is only permitted in applications with the 'com.apple.developer.web-browser' entitlement." });
return;
+ }
WebProcess::singleton().ensureWebAuthnProcessConnection().connection().sendWithAsyncReply(Messages::WebAuthnConnectionToWebProcess::GetAssertion(hash, options, isProcessingUserGesture), WTFMove(handler));
}
@@ -118,8 +130,11 @@
return;
}
- if (!isWebBrowser())
+ if (!isWebBrowser()) {
+ WEBAUTHN_RELEASE_LOG_ERROR_NO_FRAME("isUserVerifyingPlatformAuthenticatorAvailable: WebAuthn is only permitted in applications with the 'com.apple.developer.web-browser' entitlement.");
+ handler(false);
return;
+ }
WebProcess::singleton().ensureWebAuthnProcessConnection().connection().sendWithAsyncReply(Messages::WebAuthnConnectionToWebProcess::IsUserVerifyingPlatformAuthenticatorAvailable(), WTFMove(handler));
}
@@ -139,4 +154,9 @@
} // namespace WebKit
+#undef WEBAUTHN_RELEASE_LOG_ERROR_NO_FRAME
+#undef WEBAUTHN_RELEASE_LOG_ERROR
+#undef FRAME_ID
+#undef PAGE_ID
+
#endif // ENABLE(WEB_AUTHN)