remoteDesktopClientOverrideJSON Extension #2375
Conversation
akshayku
requested review from
emlun,
kreichgauer,
nsatragno,
timcappalli and
ve7jtb
| : Client extension input | ||
| :: <xmp class="idl"> | ||
| partial dictionary AuthenticationExtensionsClientInputs { | ||
| DOMString remoteClientDataJSON; |
There was a problem hiding this comment.
Is it not feasible to make remoteClientDataJSON a dictionary of the shape of CollectedClientData? It's not immediately clear what is gained from stringifying the JSON.
There was a problem hiding this comment.
Chromium adds an additional key to the CollectedClientData, to ensure websites validate the parsed JSON rather than compare it against a string template. https://chromium.googlesource.com/chromium/src/+/master/content/browser/webauth/client_data_json.md
| 1. JSON parse remoteClientDataJSON to construct |collectedClientData|. | ||
| 1. If there is error parsing remoteClientDataJSON: | ||
| 1. Return a {{DOMException}} whose name is “{{NotSupportedError}}”. | ||
| 1. Let |clientDataJSON| be equal to remoteClientDataJSON. |
There was a problem hiding this comment.
This step would happen to overwrite what the remote browser collects for origin, crossOrigin, topOrigin, etc... too. How concerned are we that this extension could be used maliciously in non-remote scenarios? This is essentially telling the browser "parrot back what the RP wants to see" which seems to dilute the value of the browser being an active participant in the ceremony when it creates clientDataJSON. Maybe I'm missing something, I reviewed #1577 today and couldn't quite understand the intended benefit here.
There was a problem hiding this comment.
But isn't the RP interested in those values from the remote authentication? The origin of the remote desktop client, and whether it was embedded into an iframe, shouldn't really be the RP's concern.
How concerned are we that this extension could be used maliciously in non-remote scenarios?
The extension gives essentially unrestricted access to WebAuthn credentials, by design. We would only allow this in very specific circumstances, e.g. if an enterprise admin with full control over the client device allow lists an individual origin to use it.
Closes #1577
Use Case:
Remote desktop web applications let users interact with the (native) desktop environment of a remote host from a local client (web) application.
A user may want to use a WebAuthn authenticator connected to their local client in order to sign into a website in a browser running on a remote host.
This is based on https://github.com/w3c/webauthn/wiki/Explainer:-Remote-Desktop-Support which is already present in some form in chromium code base.
Based on feedback and use case scenario, this proposal solves the double clientData calculation issue and returns remoteDesktopClientOrigin to the RP as part of client/Authenticator extension.
The following tasks have been completed:
Implementation commitment:
Documentation and checks
Preview | Diff