feat: add verify_top_origin flag to enable/disable topOrigin validation

nicolastemciuc · nicolastemciuc · commit 75ceb1fd4523 · 2025-10-23T14:34:42.000-03:00
diff --git a/README.md b/README.md
@@ -107,6 +107,9 @@ WebAuthn.configure do |config|
   # When operating within iframes or embedded contexts, you may need to restrict
   # which top-level origins are permitted to host WebAuthn ceremonies.
   #
+  # To enable this check, set the following configuration (disabled by default):
+  # config.verify_top_origin = false
+  #
   # Each entry in this list must match the `topOrigin` reported by the browser
   # during registration and authentication.
   #
diff --git a/lib/webauthn/authenticator_response.rb b/lib/webauthn/authenticator_response.rb
@@ -131,7 +131,7 @@ def type
     end
 
     def needs_top_origin_verification?
-      client_data.cross_origin || client_data.top_origin
+      relying_party.verify_top_origin && (client_data.cross_origin || client_data.top_origin)
     end
   end
 end
diff --git a/lib/webauthn/configuration.rb b/lib/webauthn/configuration.rb
@@ -28,6 +28,8 @@ class Configuration
                    :allowed_top_origins=,
                    :verify_attestation_statement,
                    :verify_attestation_statement=,
+                   :verify_top_origin,
+                   :verify_top_origin=,
                    :credential_options_timeout,
                    :credential_options_timeout=,
                    :silent_authentication,
diff --git a/lib/webauthn/relying_party.rb b/lib/webauthn/relying_party.rb
@@ -24,6 +24,7 @@ def initialize(
       id: nil,
       name: nil,
       verify_attestation_statement: true,
+      verify_top_origin: false,
       credential_options_timeout: 120000,
       silent_authentication: false,
       acceptable_attestation_types: ['None', 'Self', 'Basic', 'AttCA', 'Basic_or_AttCA', 'AnonCA'],
@@ -37,6 +38,7 @@ def initialize(
       @id = id
       @name = name
       @verify_attestation_statement = verify_attestation_statement
+      @verify_top_origin = verify_top_origin
       @credential_options_timeout = credential_options_timeout
       @silent_authentication = silent_authentication
       @acceptable_attestation_types = acceptable_attestation_types
@@ -52,6 +54,7 @@ def initialize(
                   :id,
                   :name,
                   :verify_attestation_statement,
+                  :verify_top_origin,
                   :credential_options_timeout,
                   :silent_authentication,
                   :acceptable_attestation_types,
diff --git a/spec/webauthn/authenticator_assertion_response_spec.rb b/spec/webauthn/authenticator_assertion_response_spec.rb
diff --git a/spec/webauthn/authenticator_attestation_response_spec.rb b/spec/webauthn/authenticator_attestation_response_spec.rb

Original file line number	Diff line number	Diff line change
`@@ -107,6 +107,9 @@ WebAuthn.configure do \|config\|`
`107`	`107`	`# When operating within iframes or embedded contexts, you may need to restrict`
`108`	`108`	`# which top-level origins are permitted to host WebAuthn ceremonies.`
`109`	`109`	`#`
	`110`	`+ # To enable this check, set the following configuration (disabled by default):`
	`111`	`+ # config.verify_top_origin = false`
	`112`	`+ #`
`110`	`113`	# Each entry in this list must match the `topOrigin` reported by the browser
`111`	`114`	`# during registration and authentication.`
`112`	`115`	`#`