Fix the ability to fake same-origin in passkeys (#2849)

This commit is contained in:
Aleksandr Kolbasov 2026-02-05 11:58:48 +03:00 committed by GitHub
parent f66bf40287
commit 8b71dbc30f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 10 additions and 14 deletions


@ -63,6 +63,14 @@ const enablePasskeys = async function() {
}
};
const isSameOriginWithAncestors = function () {
try {
return window.origin === window.top.origin;
} catch (_err) {
return false;
}
};
document.addEventListener('kpxc-passkeys-request', async (ev) => {
if (!window.isSecureContext) {
kpxcUI.createNotification('error', tr('errorMessagePasskeysContextIsNotSecure'));
@ -72,14 +80,14 @@ const enablePasskeys = async function() {
if (ev.detail.action === 'passkeys_create') {
const publicKey = kpxcPasskeysUtils.buildCredentialCreationOptions(
ev.detail.publicKey,
ev.detail.sameOriginWithAncestors,
isSameOriginWithAncestors(),
);
passkeysLogDebug('Passkey request', publicKey);
await sendResponse('passkeys_register', publicKey);
} else if (ev.detail.action === 'passkeys_get') {
const publicKey = kpxcPasskeysUtils.buildCredentialRequestOptions(
ev.detail.publicKey,
ev.detail.sameOriginWithAncestors,
isSameOriginWithAncestors(),
);
passkeysLogDebug('Passkey request', publicKey);
await sendResponse('passkeys_get', publicKey);
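Review bot: `isSameOriginWithAncestors` (line 18) compares only against `window.top`, but the WebAuthn `sameOriginWithAncestors` flag requires every ancestor to be same-origin: a document at origin A framing a cross-origin frame B that in turn frames A would pass this check even though the intermediate ancestor B is cross-origin. Walk the `parent` chain instead and let the existing `catch` return false as soon as reading a cross-origin ancestor's `origin` throws; the top-level case falls out naturally because the loop ends when `frame === window.top`. Computing the flag in the content script rather than trusting `ev.detail` is the right direction, since everything in `ev.detail` is page-controlled. The `document.addEventListener` handler continues past the hunk.
```javascript
const isSameOriginWithAncestors = function () {
    try {
        // Every ancestor must be same-origin, not just window.top: a
        // cross-origin frame in the middle of the chain also makes the
        // WebAuthn "same origin with ancestors" flag false. Reading
        // `origin` on a cross-origin ancestor throws, which the catch
        // below turns into false.
        let frame = window;
        while (frame !== window.top) {
            if (frame.origin !== frame.parent.origin) {
                return false;
            }
            frame = frame.parent;
        }
        return true;
    } catch (_err) {
        return false;
    }
};
```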


@ -137,14 +137,6 @@
});
};
const isSameOriginWithAncestors = function() {
try {
return window.self.origin === window.top.origin;
} catch (_err) {
return false;
}
};
// Throws errors to a correct exceptions
const throwError = function(errorCode, errorMessage) {
if ((!errorCode && !errorMessage) || errorCode === PASSKEYS_REQUEST_CANCELED) {
@ -193,11 +185,9 @@
return null;
}
const sameOriginWithAncestors = isSameOriginWithAncestors();
const response = await postMessageToExtension({
action: 'passkeys_create',
publicKey: options.publicKey,
sameOriginWithAncestors: sameOriginWithAncestors,
});
if (!response.publicKey) {
@ -218,11 +208,9 @@
return originalCredentials.get(options);
}
const sameOriginWithAncestors = isSameOriginWithAncestors();
const response = await postMessageToExtension({
action: 'passkeys_get',
publicKey: options.publicKey,
sameOriginWithAncestors: sameOriginWithAncestors,
});
if (!response.publicKey) {