#rpid — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #rpid, aggregated by home.social.
@ScottHelme wrote: "The change I referred to prevents arbitrary sibling/parent-domain abuse […]"
I'm not sure if you're referring to the possible match on "evil-example.com" (see screenshot) in the old code, but if I remember correctly (from my analysis approx. 3 years ago), the client will only accept an exact match of "example.com" or "<whatever_including_dots>.example.com". So albeit ugly, the old server code should not pose a risk I guess?
W.r.t. unexpected abuse of valid subdomains (*): my worry is that people will use your code for their site without modification, never considering the risk I described.
(*) Or malicious JS (3rd party or XSS) on the main domain - while WebAuthn handling was supposed to take place only on e.g. "login.example.com" (using a dedicated subdomain may be a good idea like Dirk Balfanz wrote).
Since your site appears to be using passkeys as an additional factor, the users of your site may not be at risk. However, the idea of passkeys was to "go passwordless", something that other users of your code will probably embrace.
I haven't scanned all of your code, but if not present, my advice is to at least add a warning for unexpected WebAuthn processing on a subdomain (or even the main domain).
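To make the RP ID matching discussed in this thread concrete, here is an added example (not code from the original post, nor from Scott Helme's site): a spec-shaped check of the kind the client performs, which accepts "example.com" and any dotted subdomain of it but not "evil-example.com"; beside it the naive suffix comparison that does accept the look-alike; and a server-side allowlist check that only accepts WebAuthn ceremonies from a dedicated login host, as the post suggests. The hostnames and allowlist values are constructed, and the public-suffix rule (rejecting RP IDs such as "co.uk") is assumed out of scope.

```javascript
// Added example, not part of the original post.
// Client-side rule per WebAuthn: the RP ID must equal the origin's effective
// domain or be a dot-delimited (registrable-domain) suffix of it.
// Assumption: the public-suffix check is omitted for brevity.
function rpIdMatchesOrigin(rpId, origin) {
  let host;
  try {
    host = new URL(origin).hostname.toLowerCase();
  } catch {
    return false; // not a parseable origin, so nothing can match
  }
  const id = rpId.toLowerCase();
  // Exact match, or a suffix match that requires the separating dot.
  return host === id || host.endsWith('.' + id);
}

// The weaker comparison the post worries about: a bare suffix test with no
// separating dot, which accepts "evil-example.com" for RP ID "example.com".
function naiveSuffixMatch(rpId, origin) {
  let host;
  try {
    host = new URL(origin).hostname.toLowerCase();
  } catch {
    return false;
  }
  return host.endsWith(rpId.toLowerCase());
}

// Server side: instead of deriving the expected origin from the incoming
// request, compare the origin reported in clientDataJSON against a fixed
// allowlist so ceremonies are only accepted from the dedicated login host.
// Constructed, hypothetical value for illustration.
const ALLOWED_ORIGINS = new Set(['https://login.example.com']);

function serverAcceptsOrigin(clientDataOrigin) {
  return ALLOWED_ORIGINS.has(clientDataOrigin);
}

// Runs the three checks over constructed sample origins and returns a
// summary table; each row records (origin, spec-shaped, naive, server).
function demo() {
  const samples = [
    'https://example.com',
    'https://login.example.com',
    'https://a.b.example.com',
    'https://evil-example.com',
    'https://example.com.evil.test',
  ];
  return samples.map((origin) => ({
    origin,
    spec: rpIdMatchesOrigin('example.com', origin),
    naive: naiveSuffixMatch('example.com', origin),
    server: serverAcceptsOrigin(origin),
  }));
}

console.table(demo());
```

The only row where the spec-shaped and naive checks disagree is "https://evil-example.com", which is the case the screenshot in the thread is about; the server-side allowlist is stricter still and accepts only the login host, which is what limits the impact of script running on the main domain.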