// Copyright 2020 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef CONTENT_BROWSER_WEBAUTH_WEBAUTH_REQUEST_SECURITY_CHECKER_H_
#define CONTENT_BROWSER_WEBAUTH_WEBAUTH_REQUEST_SECURITY_CHECKER_H_
#include <string>
#include "base/memory/ref_counted.h"
#include "base/optional.h"
#include "content/common/content_export.h"
#include "third_party/blink/public/mojom/webauthn/authenticator.mojom.h"
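// Forward declarations. This header refers to GURL and url::Origin only by
// reference, so the full definitions are not needed here. GURL is used by
// ValidateAPrioriAuthenticatedUrl() below; previously it was only reachable
// through a transitive include of the mojom header, which is fragile.
class GURL;
namespace url {
class Origin;
}  // namespace url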
namespace content {
// Forward declaration: this header only holds a RenderFrameHost pointer.
class RenderFrameHost;
// Reasons a WebAuthn request can fail the browser-side security checks
// declared below. These values are recorded in a UMA histogram and therefore
// persist in logs: never reorder, renumber, or reuse an entry. Add new
// entries immediately before kMaxValue and update kMaxValue to name the new
// last entry.
enum class RelyingPartySecurityCheckFailure {
  kOpaqueOrNonSecureOrigin = 0,
  kRelyingPartyIdInvalid = 1,
  kAppIdExtensionInvalid = 2,
  kAppIdExtensionDomainMismatch = 3,
  // Presumably the bucket for ValidateAPrioriAuthenticatedUrl() failures on
  // the icon URL — confirm against the .cc.
  kIconUrlInvalid = 4,
  kCrossOriginMismatch = 5,
  // Must always equal the highest value above; by Chromium convention this
  // is what the histogram macro uses as its upper bound.
  kMaxValue = kCrossOriginMismatch,
};
// A centralized class for enforcing security policies that apply to
// Web Authentication requests to create credentials or get authentication
// assertions. For security reasons it is important that these checks are
// performed in the browser process, and this makes the verification code
// available to both the desktop and Android implementations of the
// |Authenticator| mojom interface.
//
// Security note: these checks exist precisely so that a renderer cannot
// bypass them, so every origin, RP ID and URL handed to the methods below
// should be treated as untrusted input. Each Validate* method returns
// AuthenticatorStatus::SUCCESS only when the check passes; callers must treat
// any other status as a hard failure of the request rather than a hint.
class CONTENT_EXPORT WebAuthRequestSecurityChecker
    : public base::RefCounted<WebAuthRequestSecurityChecker> {
 public:
  // |host| is the frame issuing the WebAuthn request. It is retained only as
  // a raw, non-owning pointer (see |render_frame_host_|).
  // NOTE(review): this object is ref-counted and so may outlive |host|;
  // nothing in this header ties the two lifetimes together. Confirm that
  // callers drop their reference before the frame is destroyed.
  explicit WebAuthRequestSecurityChecker(RenderFrameHost* host);
  WebAuthRequestSecurityChecker(const WebAuthRequestSecurityChecker&) = delete;
  WebAuthRequestSecurityChecker& operator=(
      const WebAuthRequestSecurityChecker&) = delete;
  // Reports |error|, presumably to the UMA histogram that
  // RelyingPartySecurityCheckFailure is keyed to (see the enum comment on
  // value stability).
  static void ReportSecurityCheckFailure(
      RelyingPartySecurityCheckFailure error);
  // Returns true if |origin| is the CryptoToken extension's origin. What
  // callers do with that answer is not defined here; see the implementation
  // before relying on any broader meaning.
  static bool OriginIsCryptoTokenExtension(const url::Origin& origin);
  // Returns blink::mojom::AuthenticatorStatus::SUCCESS if |origin| is
  // same-origin with all ancestors in the frame tree, or else if
  // requests from cross-origin embeddings are allowed by policy.
  // Returns blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR otherwise.
  // |is_cross_origin| is an output parameter that is set to true if there is
  // a cross-origin embedding, regardless of policy, and false otherwise. It
  // is written on both the SUCCESS and the NOT_ALLOWED_ERROR path, and is
  // presumably required to be non-null.
  blink::mojom::AuthenticatorStatus ValidateAncestorOrigins(
      const url::Origin& origin,
      bool* is_cross_origin);
  // Returns AuthenticatorStatus::SUCCESS if the origin domain is valid under
  // the referenced definitions, and also the requested RP ID is a registrable
  // domain suffix of, or is equal to, the origin's effective domain.
  // Any other combination is rejected; this is the check that stops a page
  // from creating or asserting credentials scoped to an unrelated RP ID, so
  // it must not be loosened without a corresponding spec change.
  // References:
  // https://url.spec.whatwg.org/#valid-domain-string
  // https://html.spec.whatwg.org/multipage/origin.html#concept-origin-effective-domain
  // https://html.spec.whatwg.org/multipage/origin.html#is-a-registrable-domain-suffix-of-or-is-equal-to
  blink::mojom::AuthenticatorStatus ValidateDomainAndRelyingPartyID(
      const url::Origin& caller_origin,
      const std::string& relying_party_id);
  // Checks whether a given URL is an a-priori authenticated URL, returning
  // SUCCESS if so and a non-SUCCESS status otherwise. The referenced spec
  // section is the one for the iconURL field; kIconUrlInvalid above is
  // presumably the matching failure bucket.
  // https://w3c.github.io/webappsec-credential-management/#dom-credentialuserdata-iconurl
  blink::mojom::AuthenticatorStatus ValidateAPrioriAuthenticatedUrl(
      const GURL& url);
 protected:
  // Instances are destroyed only through RefCounted, hence the protected
  // destructor. It is virtual, presumably to allow subclassing in tests.
  friend class RefCounted<WebAuthRequestSecurityChecker>;
  virtual ~WebAuthRequestSecurityChecker();
 private:
  // Returns whether the frame held in |render_frame_host_| is same-origin
  // with its entire ancestor chain. |origin| is the origin of that frame.
  bool IsSameOriginWithAncestors(const url::Origin& origin);
  // Non-owning. Nothing in this header clears it when the frame goes away;
  // see the constructor note.
  RenderFrameHost* render_frame_host_;
};
} // namespace content
#endif // CONTENT_BROWSER_WEBAUTH_WEBAUTH_REQUEST_SECURITY_CHECKER_H_