Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CollectedClientData serialization is confusing WebIDL and/or Infra values for ECMAScript values #2056

Open
petervanderbeken opened this issue Apr 15, 2024 · 0 comments

Comments

@petervanderbeken
Copy link

petervanderbeken commented Apr 15, 2024

https://www.w3.org/TR/webauthn-3/#clientdatajson-serialization ends up calling ECMAScript operations on WebIDL and/or Infra values.

For example:

  1. Append CCDToString(type) to result.

Here type is a WebIDL value, of type DOMString. If we look at CCDToString it does:

  1. Invoke ToString on the given object to convert to a string.

Invoking ToString on a DOMString is not defined, it expects an ECMAScript value. This should probably use the Infra algorithm to serialize an Infra value to JSON bytes.

Another example is step 14.1:

  1. Invoke serialize JSON to bytes on the temporary copy to produce a byte string remainder.

The temporary copy is created in step 12:

  1. Create a temporary copy of the CollectedClientData and remove the fields type, challenge, origin, crossOrigin (if present), and topOrigin (if present).

Nothing really defines how that should work I think, it would be clearer if it used Infra operations like https://infra.spec.whatwg.org/#map-clone and https://infra.spec.whatwg.org/#map-remove on the WebIDL dictionary (which is an ordered map). It can then again use the Infra algorithms to convert the map (as opposed to a JavaScript value) to JSON.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

6 participants