From 20fddc91fa1e637b16aad820462eb0d426f5ed7b Mon Sep 17 00:00:00 2001
From: Emil Lundberg
Date: Mon, 27 Nov 2023 16:00:41 +0100
Subject: [PATCH 1/2] Refer to RelyingParty.origins setting in origin mismatch error message

---
 .../main/java/com/yubico/webauthn/FinishAssertionSteps.java | 3 ++-
 .../main/java/com/yubico/webauthn/FinishRegistrationSteps.java | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/FinishAssertionSteps.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/FinishAssertionSteps.java
index 117cb17c1..ea01a9da1 100644
--- a/webauthn-server-core/src/main/java/com/yubico/webauthn/FinishAssertionSteps.java
+++ b/webauthn-server-core/src/main/java/com/yubico/webauthn/FinishAssertionSteps.java
@@ -400,7 +400,8 @@ public void validate() {
 final String responseOrigin = response.getResponse().getClientData().getOrigin();
 assertTrue(
 OriginMatcher.isAllowed(responseOrigin, origins, allowOriginPort, allowOriginSubdomain),
- "Incorrect origin: " + responseOrigin);
+ "Incorrect origin, please see the RelyingParty.origins setting: %s",
+ responseOrigin);
 }

 @Override
diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/FinishRegistrationSteps.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/FinishRegistrationSteps.java
index a7ba81d89..58ce2d6dc 100644
--- a/webauthn-server-core/src/main/java/com/yubico/webauthn/FinishRegistrationSteps.java
+++ b/webauthn-server-core/src/main/java/com/yubico/webauthn/FinishRegistrationSteps.java
@@ -215,7 +215,8 @@ public void validate() {
 final String responseOrigin = clientData.getOrigin();
 assertTrue(
 OriginMatcher.isAllowed(responseOrigin, origins, allowOriginPort, allowOriginSubdomain),
- "Incorrect origin: " + responseOrigin);
+ "Incorrect origin, please see the RelyingParty.origins setting: %s",
+ responseOrigin);
 }

 @Override

From fadd7ababa630fb5c60ebea9436c2750388215a3 Mon Sep 17 00:00:00 2001
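Review bot: The `responseOrigin` value passed on the new `+ responseOrigin);` line comes verbatim from the client-supplied clientDataJSON and is echoed into the failure message, so any caller that logs or surfaces the exception text receives a client-chosen string that could carry newlines or other control characters. Passing it as a `%s` argument instead of splicing it into the template is the right shape (assuming the `assertTrue(boolean, String, Object...)` overload formats the template with `String.format`), and a one-line comment would keep it that way, e.g. `// responseOrigin is client-controlled: always a format argument, never part of the template`. The same point applies to the FinishRegistrationSteps hunk below it. In both files the enclosing `validate()` begins before the hunk.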
From: Emil Lundberg
Date: Mon, 27 Nov 2023 16:01:03 +0100
Subject: [PATCH 2/2] Refer to code injections security consideration in allowOriginSubdomain JavaDoc

---
 .../src/main/java/com/yubico/webauthn/RelyingParty.java | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/webauthn-server-core/src/main/java/com/yubico/webauthn/RelyingParty.java b/webauthn-server-core/src/main/java/com/yubico/webauthn/RelyingParty.java
index 52bb2528a..f8e588eb6 100644
--- a/webauthn-server-core/src/main/java/com/yubico/webauthn/RelyingParty.java
+++ b/webauthn-server-core/src/main/java/com/yubico/webauthn/RelyingParty.java
@@ -281,6 +281,11 @@ public class RelyingParty {
 * If true, the origin matching rule is relaxed to allow any subdomain, of any depth,
 * of the values of {@link RelyingPartyBuilder#origins(Set) origins}.
 *
+ *

Please see Security + * Considerations: Code injection attacks for discussion of the risks in setting this to + * true. + * *

The default is false. * *

Examples with origins: ["https://example.org", "https://acme.com:8443"] @@ -315,6 +320,9 @@ public class RelyingParty { *

  • https://acme.com * * + * + * @see ยง13.4.8. + * Code injection attacks */ @Builder.Default private final boolean allowOriginSubdomain = false;