3 changes: 3 additions & 0 deletions README.md
Expand Up @@ -107,6 +107,9 @@ WebAuthn.configure do |config|
# When operating within iframes or embedded contexts, you may need to restrict
# which top-level origins are permitted to host WebAuthn ceremonies.
#
# To enable this check, set the following configuration (disabled by default):
# config.verify_top_origin = false
#
# Each entry in this list must match the `topOrigin` reported by the browser
# during registration and authentication.
#
2 changes: 1 addition & 1 deletion lib/webauthn/authenticator_response.rb
Expand Up @@ -131,7 +131,7 @@ def type
end

def needs_top_origin_verification?
client_data.cross_origin || client_data.top_origin
relying_party.verify_top_origin && (client_data.cross_origin || client_data.top_origin)
end
end
end
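Review bot: The new condition in `needs_top_origin_verification?` short-circuits on `relying_party.verify_top_origin`, and since relying_party.rb in this same commit defaults that flag to `false`, a response whose client data reports `crossOrigin` or `topOrigin` now passes without top-origin verification unless the integrator opts in, whereas the removed line presumably triggered that verification whenever either field was present. If this relaxation is intended, the method should state it, e.g. `# Opt-in: with relying_party.verify_top_origin false (the default), cross-origin client data is accepted without checking topOrigin.`; if not, the default value deserves a second look before merging. The method is complete within the hunk; its enclosing class starts above it.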
2 changes: 2 additions & 0 deletions lib/webauthn/configuration.rb
Expand Up @@ -28,6 +28,8 @@ class Configuration
:allowed_top_origins=,
:verify_attestation_statement,
:verify_attestation_statement=,
:verify_top_origin,
:verify_top_origin=,
:credential_options_timeout,
:credential_options_timeout=,
:silent_authentication,
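Review bot: The writer this hunk delegates, `verify_top_origin=`, is documented in this commit's README hunk with a value that contradicts its purpose: the README says "To enable this check" and then shows `config.verify_top_origin = false`, while relying_party.rb defaults the option to `false`, so the snippet as written leaves the check disabled. The README line should read `config.verify_top_origin = true`. The delegation list this hunk extends continues outside the hunk on both sides.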
3 changes: 3 additions & 0 deletions lib/webauthn/relying_party.rb
Expand Up @@ -24,6 +24,7 @@ def initialize(
id: nil,
name: nil,
verify_attestation_statement: true,
verify_top_origin: false,
credential_options_timeout: 120000,
silent_authentication: false,
acceptable_attestation_types: ['None', 'Self', 'Basic', 'AttCA', 'Basic_or_AttCA', 'AnonCA'],
Expand All @@ -37,6 +38,7 @@ def initialize(
@id = id
@name = name
@verify_attestation_statement = verify_attestation_statement
@verify_top_origin = verify_top_origin
@credential_options_timeout = credential_options_timeout
@silent_authentication = silent_authentication
@acceptable_attestation_types = acceptable_attestation_types
Expand All @@ -52,6 +54,7 @@ def initialize(
:id,
:name,
:verify_attestation_statement,
:verify_top_origin,
:credential_options_timeout,
:silent_authentication,
:acceptable_attestation_types,
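Review bot: `verify_top_origin: false` in the first hunk is the only place the default is recorded, and nothing near it says what the flag gates or how it relates to the separate `allowed_top_origins` setting visible in the configuration.rb delegation list, so a reader can populate one without the other. A one-line comment above the keyword would close that gap, e.g. `# false (default): skip top-origin verification for cross-origin responses; see allowed_top_origins`. The `initialize` parameter list, its body and the attribute list all continue outside these hunks.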