#include "content/browser/webauth/webauth_request_security_checker.h"
#include <string_view>
#include "base/feature_list.h"
#include "base/logging.h"
#include "base/metrics/histogram_macros.h"
#include "base/strings/string_number_conversions.h"
#include "content/browser/bad_message.h"
#include "content/public/browser/content_browser_client.h"
#include "content/public/browser/render_frame_host.h"
#include "content/public/browser/webauthn_security_utils.h"
#include "content/public/common/content_client.h"
#include "content/public/common/content_features.h"
#include "device/fido/features.h"
#include "device/fido/fido_transport_protocol.h"
#include "net/base/registry_controlled_domains/registry_controlled_domain.h"
#include "net/base/url_util.h"
#include "net/traffic_annotation/network_traffic_annotation.h"
#include "services/data_decoder/public/cpp/data_decoder.h"
#include "services/network/public/cpp/is_potentially_trustworthy.h"
#include "services/network/public/cpp/resource_request.h"
#include "services/network/public/cpp/shared_url_loader_factory.h"
#include "services/network/public/cpp/simple_url_loader.h"
#include "services/network/public/mojom/url_response_head.mojom.h"
#include "third_party/blink/public/mojom/permissions_policy/permissions_policy_feature.mojom.h"
#include "third_party/blink/public/mojom/webauthn/authenticator.mojom.h"
#include "url/gurl.h"
#include "url/origin.h"
#include "url/url_util.h"
#if !BUILDFLAG(IS_ANDROID)
#include "content/public/browser/authenticator_request_client_delegate.h"
#endif
namespace content {
// Network traffic annotation tag; per its name it labels the request issued
// for the relying-party ID check. The initializer is not shown here.
static const net::NetworkTrafficAnnotationTag kRpIdCheckTrafficAnnotation = …;
// Size limit in bytes; per its name it bounds the response body of the
// relying-party ID check.
// NOTE(review): the value and the use site are not shown here. Confirm the
// limit is applied by the loader while downloading, i.e. before the body is
// buffered and handed to the decoder, since the body is presumably
// server-controlled.
constexpr size_t kRpIdMaxBodyBytes = …;
// Out-of-line defaulted destructor.
WebAuthRequestSecurityChecker::RemoteValidation::~RemoteValidation() = default;
// Factory: builds a RemoteValidation for `relying_party_id` on behalf of
// `caller_origin` and returns it as an owning pointer. `callback` takes a
// single AuthenticatorStatus, presumably the outcome of the check.
// NOTE(review): not visible here whether the result can be null (for example
// when no request can be formed from `relying_party_id`) and whether
// `callback` still runs in that case; confirm against the header.
// Presumably the caller must keep the returned object alive until `callback`
// has run; verify.
std::unique_ptr<WebAuthRequestSecurityChecker::RemoteValidation>
WebAuthRequestSecurityChecker::RemoteValidation::Create(
const url::Origin& caller_origin,
const std::string& relying_party_id,
base::OnceCallback<void(blink::mojom::AuthenticatorStatus)> callback) { … }
// Evaluates `value` with respect to `caller_origin` and returns the resulting
// AuthenticatorStatus.
// NOTE(review): per the name, `value` is the parsed well-known JSON document.
// If it comes from the remote fetch it is untrusted input: confirm that the
// type and presence of every field are checked before use, and that any
// unexpected shape yields a failure status rather than a permissive default.
blink::mojom::AuthenticatorStatus
WebAuthRequestSecurityChecker::RemoteValidation::ValidateWellKnownJSON(
const url::Origin& caller_origin,
const base::Value& value) { … }
// Constructs a RemoteValidation from the caller's origin and a completion
// callback taken by value (base::OnceCallback is move-only). The member
// initializer list and body are not shown here.
WebAuthRequestSecurityChecker::RemoteValidation::RemoteValidation(
const url::Origin& caller_origin,
base::OnceCallback<void(blink::mojom::AuthenticatorStatus)> callback)
: … { … }
// Receives the fetched body as an owning pointer to a string.
// NOTE(review): presumably the SimpleURLLoader completion handler, in which
// case `body` is null when the fetch failed. Confirm a null `body` is handled
// before any dereference and is reported as a failure status.
void WebAuthRequestSecurityChecker::RemoteValidation::OnFetchComplete(
std::unique_ptr<std::string> body) { … }
// Receives the decode result: `maybe_value` holds either a base::Value or an
// error string.
// NOTE(review): presumably the completion handler for the data_decoder JSON
// parse. Confirm the error arm ends the validation with a failure status and
// is never treated as an empty-but-valid document.
void WebAuthRequestSecurityChecker::RemoteValidation::OnDecodeComplete(
base::expected<base::Value, std::string> maybe_value) { … }
// Constructs a checker for the frame `host`. The member initializer list and
// body are not shown here.
// NOTE(review): `host` is passed as a raw pointer; presumably it is stored
// non-owning, so the checker must not outlive the frame host. Confirm against
// the header.
WebAuthRequestSecurityChecker::WebAuthRequestSecurityChecker(
RenderFrameHost* host)
: … { … }
// Out-of-line defaulted destructor.
WebAuthRequestSecurityChecker::~WebAuthRequestSecurityChecker() = default;
// Returns a bool for `origin`; per the name, whether `origin` is same-origin
// with the ancestor frames of the frame this checker was constructed for.
// NOTE(review): confirm that every ancestor is compared, not only the
// immediate parent or the top-level frame.
bool WebAuthRequestSecurityChecker::IsSameOriginWithAncestors(
const url::Origin& origin) { … }
// Validates `origin` for a request of kind `type` and returns an
// AuthenticatorStatus.
// `is_cross_origin` is a raw pointer, presumably an out-parameter reporting
// whether the request is cross-origin with respect to its ancestors.
// NOTE(review): confirm it is written on every return path, including
// failures, and whether a null pointer is permitted.
blink::mojom::AuthenticatorStatus
WebAuthRequestSecurityChecker::ValidateAncestorOrigins(
const url::Origin& origin,
RequestType type,
bool* is_cross_origin) { … }
// Validates `relying_party_id` against `caller_origin` for a request of kind
// `request_type`. `callback` takes a single AuthenticatorStatus, presumably
// the outcome of the validation.
// Returns an owning pointer to a RemoteValidation.
// NOTE(review): presumably the result is null when the decision is made
// locally and non-null while a remote check is in flight, in which case the
// caller must keep it alive until `callback` runs; confirm against the header.
// NOTE(review): `remote_desktop_client_override` is a mojo struct pointer and
// may presumably be null. Because an override would change which origin is
// validated, confirm it is honoured only for callers explicitly permitted to
// use it.
std::unique_ptr<WebAuthRequestSecurityChecker::RemoteValidation>
WebAuthRequestSecurityChecker::ValidateDomainAndRelyingPartyID(
const url::Origin& caller_origin,
const std::string& relying_party_id,
RequestType request_type,
const blink::mojom::RemoteDesktopClientOverridePtr&
remote_desktop_client_override,
base::OnceCallback<void(blink::mojom::AuthenticatorStatus)> callback) { … }
// Validates the `appid` extension value for `caller_origin` and returns an
// AuthenticatorStatus. `appid` and `caller_origin` are taken by value.
// `out_appid` is a raw pointer, presumably an out-parameter receiving the
// App ID to use when validation succeeds.
// NOTE(review): confirm the state of `*out_appid` on failure and that callers
// check the returned status before reading it.
// NOTE(review): `remote_desktop_client_override` may presumably be null;
// confirm an override is honoured only for callers permitted to use it.
blink::mojom::AuthenticatorStatus
WebAuthRequestSecurityChecker::ValidateAppIdExtension(
std::string appid,
url::Origin caller_origin,
const blink::mojom::RemoteDesktopClientOverridePtr&
remote_desktop_client_override,
std::string* out_appid) { … }
// Takes a credential descriptor list by pointer and returns a bool; per the
// name, duplicates are removed from `*list` in place and its length is
// validated.
// NOTE(review): confirm which return value means the list is acceptable, and
// that the length check runs after deduplication so the bound applies to the
// list that is actually used.
bool WebAuthRequestSecurityChecker::
DeduplicateCredentialDescriptorListAndValidateLength(
std::vector<device::PublicKeyCredentialDescriptor>* list) { … }
}