Merge pull request #336 from Yubico/origin-error-message

Refer to RelyingParty.origins setting in origin mismatch error message
Yubico · Nov 27, 2023 · a83ccc5 · a83ccc5 · github-actions · Nov 27, 2023
2 parents 72b84fb + fadd7ab
commit a83ccc5
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 2 deletions.
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/FinishAssertionSteps.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/FinishAssertionSteps.java
@@ -400,7 +400,8 @@ public void validate() {
       final String responseOrigin = response.getResponse().getClientData().getOrigin();
       assertTrue(
           OriginMatcher.isAllowed(responseOrigin, origins, allowOriginPort, allowOriginSubdomain),
-          "Incorrect origin: " + responseOrigin);
+          "Incorrect origin, please see the RelyingParty.origins setting: %s",
+          responseOrigin);
     }
 
     @Override

diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/FinishRegistrationSteps.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/FinishRegistrationSteps.java
@@ -215,7 +215,8 @@ public void validate() {
       final String responseOrigin = clientData.getOrigin();
       assertTrue(
           OriginMatcher.isAllowed(responseOrigin, origins, allowOriginPort, allowOriginSubdomain),
-          "Incorrect origin: " + responseOrigin);
+          "Incorrect origin, please see the RelyingParty.origins setting: %s",
+          responseOrigin);
     }
 
     @Override

diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/RelyingParty.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/RelyingParty.java
@@ -281,6 +281,11 @@ public class RelyingParty {
    * If <code>true</code>, the origin matching rule is relaxed to allow any subdomain, of any depth,
    * of the values of {@link RelyingPartyBuilder#origins(Set) origins}.
    *
+   * <p>Please see <a
+   * href="https://www.w3.org/TR/2023/WD-webauthn-3-20230927/#sctn-code-injection">Security
+   * Considerations: Code injection attacks</a> for discussion of the risks in setting this to
+   * <code>true</code>.
+   *
    * <p>The default is <code>false</code>.
    *
    * <p>Examples with <code>origins: ["https://example.org", "https://acme.com:8443"]</code>
@@ -315,6 +320,9 @@ public class RelyingParty {
    *         <li><code>https://acme.com</code>
    *       </ul>
    * </ul>
+   *
+   * @see <a href="https://www.w3.org/TR/2023/WD-webauthn-3-20230927/#sctn-code-injection">§13.4.8.
+   *     Code injection attacks</a>
    */
   @Builder.Default private final boolean allowOriginSubdomain = false;
Package	Coverage	Stats	Prev	Prev
Overall	82 % 🔹	1362 🔻 / 1656 🔹	82 %	1365 / 1656
`com.yubico.fido.metadata`	69 % 🔻	223 🔻 / 323 🔹	69 %	225 / 323
`com.yubico.internal.util`	46 % 🔹	57 🔹 / 123 🔹	46 %	57 / 123
`com.yubico.webauthn`	89 % 🔹	642 🔹 / 720 🔹	89 %	642 / 720
`com.yubico.webauthn.attestation`	92 % 🔹	13 🔹 / 14 🔹	92 %	13 / 14
`com.yubico.webauthn.data`	93 % 🔹	402 🔻 / 429 🔹	93 %	403 / 429
`com.yubico.webauthn.extension.appid`	100 % 🏆	13 🔹 / 13 🔹	100 %	13 / 13
`com.yubico.webauthn.extension.uvm`	50 % 🔹	12 🔹 / 24 🔹	50 %	12 / 24
`com.yubico.webauthn.meta`	0 % 🔹	0 🔹 / 10 🔹	0 %	0 / 10