GithubHelp home page GithubHelp logo

Comments (11)

frankh avatar frankh commented on May 29, 2024 1

Can confirm github works too

(this is good for me upping all my security πŸ˜„ )

from kr-u2f.

agrinman avatar agrinman commented on May 29, 2024

@frankh what site is this for? I thought chrome dropped support for the token binding standard anyways..?

from kr-u2f.

frankh avatar frankh commented on May 29, 2024

I've done some more research and it seems that token-binding is not supported anywhere

It's a private project that's requiring this flag, i'll bug them to remove the requirement.

from kr-u2f.

frankh avatar frankh commented on May 29, 2024

Actually, it does look like this is a bug

According to the spec[1], the only valid values for this field are "supported" and "present" - so "not-supported" causes it to be rejected, but skipping the field entirely works.

I think the fix is to simply remove the field from the clientData here

kr-u2f/src/background.ts

Line 164 in f9599d4

tokenBinding: {

[1] https://www.w3.org/TR/webauthn/#dom-collectedclientdata-tokenbinding

from kr-u2f.

frankh avatar frankh commented on May 29, 2024

Created a PR here #30

from kr-u2f.

frankh avatar frankh commented on May 29, 2024

It seems this was valid at some point, but is no longer, see: w3c/webauthn#914

from kr-u2f.

agrinman avatar agrinman commented on May 29, 2024

While the PR looks good wrt to the spec, I wonder if this will break other sites that maybe also don’t realize this spec change (especially sites that support U2F only). Have you tested this change with sites like Google, Dropbox, etc...?

from kr-u2f.

frankh avatar frankh commented on May 29, 2024

I just tested with Google and Dropbox and can confirm they still work. It also seems that my Yubikey 5C doesn't send this field in clientData, so anything that supports that should work with this change

from kr-u2f.

agrinman avatar agrinman commented on May 29, 2024

Hm I would also test with a site that is U2F only i.e maybe GitHub & GitLab (Google and Dropbox both are webauthn). Might need to set/send the field differently based upon the protocol but I'm not sure.

from kr-u2f.

frankh avatar frankh commented on May 29, 2024

hi, just wondering if you're considering merging this?

from kr-u2f.

agrinman avatar agrinman commented on May 29, 2024

Sorry for the delay, I had merged this a little while back.

from kr-u2f.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    πŸ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. πŸ“ŠπŸ“ˆπŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❀️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.