From 8b71dbc30fd8390d7239bdc65fab0efd03ecb5a1 Mon Sep 17 00:00:00 2001
From: Aleksandr Kolbasov
Date: Thu, 5 Feb 2026 11:58:48 +0300
Subject: [PATCH] Fix the ability to fake same-origin in passkeys (#2849)

---
 keepassxc-browser/content/passkeys-inject.js | 12 ++++++++++--
 keepassxc-browser/content/passkeys.js | 12 ------------
 2 files changed, 10 insertions(+), 14 deletions(-)

diff --git a/keepassxc-browser/content/passkeys-inject.js b/keepassxc-browser/content/passkeys-inject.js
index 37587e5..3ffb1fb 100644
--- a/keepassxc-browser/content/passkeys-inject.js
+++ b/keepassxc-browser/content/passkeys-inject.js
@@ -63,6 +63,14 @@ const enablePasskeys = async function() {
 }
 };
 
+ const isSameOriginWithAncestors = function () {
+ try {
+ return window.origin === window.top.origin;
+ } catch (_err) {
+ return false;
+ }
+ };
+
 document.addEventListener('kpxc-passkeys-request', async (ev) => {
 if (!window.isSecureContext) {
 kpxcUI.createNotification('error', tr('errorMessagePasskeysContextIsNotSecure'));
@@ -72,14 +80,14 @@ const enablePasskeys = async function() {
 if (ev.detail.action === 'passkeys_create') {
 const publicKey = kpxcPasskeysUtils.buildCredentialCreationOptions(
 ev.detail.publicKey,
- ev.detail.sameOriginWithAncestors,
+ isSameOriginWithAncestors(),
 );
 passkeysLogDebug('Passkey request', publicKey);
 await sendResponse('passkeys_register', publicKey);
 } else if (ev.detail.action === 'passkeys_get') {
 const publicKey = kpxcPasskeysUtils.buildCredentialRequestOptions(
 ev.detail.publicKey,
- ev.detail.sameOriginWithAncestors,
+ isSameOriginWithAncestors(),
 );
 passkeysLogDebug('Passkey request', publicKey);
 await sendResponse('passkeys_get', publicKey);
diff --git a/keepassxc-browser/content/passkeys.js b/keepassxc-browser/content/passkeys.js
index e2e6217..8230b9a 100644
--- a/keepassxc-browser/content/passkeys.js
+++ b/keepassxc-browser/content/passkeys.js
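Review bot: The new `isSameOriginWithAncestors` compares only this frame's origin with `window.top.origin`, so a nesting such as top A → cross-origin frame B → frame A still yields true even though one ancestor is cross-origin, which is exactly what the WebAuthn sameOriginWithAncestors flag is meant to exclude. Walking the `parent` chain up to `window.top` and comparing each ancestor's origin closes that gap; reading `.origin` on a cross-origin ancestor throws and is caught as before. Both call sites in the following hunk consume the returned value unchanged, so the fix stays local to this function. The enclosing `enablePasskeys` starts outside the hunk.

```javascript
    const isSameOriginWithAncestors = function () {
        try {
            // Every ancestor up to the top-level document must share this
            // frame's origin, not only the top-level document itself.
            let current = window;
            while (current !== window.top) {
                if (current.parent.origin !== window.origin) {
                    return false;
                }
                current = current.parent;
            }
            return true;
        } catch (_err) {
            // Accessing .origin on a cross-origin ancestor throws.
            return false;
        }
    };
```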
@@ -137,14 +137,6 @@
 });
 };
 
- const isSameOriginWithAncestors = function() {
- try {
- return window.self.origin === window.top.origin;
- } catch (_err) {
- return false;
- }
- };
-
 // Throws errors to a correct exceptions
 const throwError = function(errorCode, errorMessage) {
 if ((!errorCode && !errorMessage) || errorCode === PASSKEYS_REQUEST_CANCELED) {
@@ -193,11 +185,9 @@
 return null;
 }
 
- const sameOriginWithAncestors = isSameOriginWithAncestors();
 const response = await postMessageToExtension({
 action: 'passkeys_create',
 publicKey: options.publicKey,
- sameOriginWithAncestors: sameOriginWithAncestors,
 });
 
 if (!response.publicKey) {
@@ -218,11 +208,9 @@
 return originalCredentials.get(options);
 }
 
- const sameOriginWithAncestors = isSameOriginWithAncestors();
 const response = await postMessageToExtension({
 action: 'passkeys_get',
 publicKey: options.publicKey,
- sameOriginWithAncestors: sameOriginWithAncestors,
 });
 
 if (!response.publicKey) {