Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

using host(port included) instead of the current origin to avoid possible security issue #215

Closed
yorkie opened this issue Feb 17, 2022 · 6 comments
Closed

using host(port included) instead of the current origin to avoid possible security issue #215

yorkie opened this issue Feb 17, 2022 · 6 comments

Comments

@yorkie
Copy link

yorkie commented Feb 17, 2022
edited

Background

I'm working on addressing an authentication issue about a WebADB library, which fails to authenticate when the website port has been changed, this is because the library uses localStorage to save the ADB cert and key to match with the device, however, the localStorage could not be shared between different ports(domains). In other words, this might be an inconsistent behavior between the localStorage and WebUSB.

Implementations

I have browsed some of the chromium source code, see the UsbChooserContext:: HasDevicePermission method, it uses the origin namely hostname, rather than the host(port not included).

Proposal

This spec doesn't specify how the UA should implement this part, if this proposal looks good to you guys, I can add some related.
@reillyeon
Copy link
Collaborator

An origin actually does consider both the host and port. See the definition from the HTML specification here: https://html.spec.whatwg.org/multipage/origin.html#concept-origin

Are you seeing different behavior in the Chromium implementation?

@yorkie
Copy link
Author

yorkie commented Feb 17, 2022

Weird a bit, location.origin returns hostname:port, however when I changed the port, the chrome chooser tells that it's paired, I will have a look later.

@reillyeon
Copy link
Collaborator

I don't think the window.location.origin attribute is writable (or at least, the browser ignores writes to it) so changing the port there won't change the security principle of the page.

@yorkie
Copy link
Author

yorkie commented Feb 17, 2022

@reillyeon I just use location.origin to verify if the origin contains the port part, and I won't change the port in that way, actually I did change the port by xxx start --port <port>.

@reillyeon
Copy link
Collaborator

I can't reproduce this behavior. The steps I tried:

  1. Launch a local web server on port 8000.
  2. Load http://localhost:8000.
  3. Call navigator.usb.requestDevice().
  4. Grant permission to a USB device.
  5. Switch the local web server to port 8080.
  6. Load http://localhost:8080.
  7. Call navigator.usb.requestDevice().
  8. Observe that the device is not marked as "Paired" and the device isn't listed in the set of site permissions when I click the lock icon. Checking chrome://settings/content/usbDevices also shows that http://localhost:8000 (with port) is listed as the site with permission to access the device.

@yorkie
Copy link
Author

yorkie commented Feb 18, 2022

You are right, closing this issue :)

@yorkie yorkie closed this as completed Feb 18, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@reillyeon @yorkie