Bug 1945584 - Support well-known relaxations in FedCM - r=anti-tracking-reviewers,emz

Differential Revision: https://phabricator.services.mozilla.com/D244583

dom/credentialmanagement/identity/IdentityCredential.cpp

@@ -1219,6 +1219,19 @@ IdentityCredential::CheckRootManifest(nsIPrincipal* aPrincipal,
         NS_ERROR_INVALID_ARG, __func__);
   }
 
+  // We actually don't need to do any of this well-known stuff if the
+  // requesting principal is same-site to the manifest URI. There is no
+  // privacy risk in that case, because the requests could be sent with
+  // their unpartitioned cookies anyway.
+  if (!aPrincipal->GetIsNullPrincipal()) {
+    bool thirdParty = true;
+    rv = aPrincipal->IsThirdPartyURI(manifestURI, &thirdParty);
+    if (NS_SUCCEEDED(rv) && !thirdParty) {
+      return IdentityCredential::ValidationPromise::CreateAndResolve(true,
+                                                                     __func__);
+    }
+  }
+
   return IdentityNetworkHelpers::FetchWellKnownHelper(manifestURI, aPrincipal)
       ->Then(
           GetCurrentSerialEventTarget(), __func__,

dom/credentialmanagement/identity/tests/mochitest/head.js

@@ -5,11 +5,10 @@
 
 "use strict";
 
-var idp_host = "https://example.net";
-var test_path = "/tests/dom/credentialmanagement/identity/tests/mochitest";
-var idp_api = idp_host + test_path;
+let test_path = "/tests/dom/credentialmanagement/identity/tests/mochitest";
 
-async function setupTest(testName) {
+async function setupTest(testName, idp_origin = "https://example.net") {
+  let idp_api = idp_origin + test_path;
   ok(
     window.location.pathname.includes(testName),
     `Must set the right test name when setting up. Test name "${testName}" must be in URL path "${window.location.pathname}"`

dom/credentialmanagement/identity/tests/mochitest/mochitest.toml

@@ -21,6 +21,7 @@ support-files = [
   "/.well-known/web-identity",
   "/.well-known/web-identity^headers^",
   "server_manifest.sjs",
+  "server_manifest_same_site.sjs",
   "server_manifest_wrong_provider_in_manifest.sjs",
   "server_simple_accounts.sjs",
   "server_simple_idtoken.sjs",
@@ -54,6 +55,8 @@ support-files = [
 
 ["test_idtoken_redirect.html"]
 
+["test_manifest_same_site_ignores_well_known.html"]
+
 ["test_mediation.html"]
 
 ["test_no_accounts.html"]

dom/credentialmanagement/identity/tests/mochitest/server_manifest_same_site.sjs

@@ -0,0 +1,43 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/
+ */
+
+function handleRequest(request, response) {
+  let params = new URLSearchParams(request.queryString);
+  let test = params.get("set_test");
+  if (test === null) {
+    test = getState("test");
+  } else {
+    setState("test", test);
+    response.setHeader("Access-Control-Allow-Origin", "*");
+    response.setStatusLine(request.httpVersion, 200, "OK");
+    return;
+  }
+
+  if (request.hasHeader("Cookie")) {
+    response.setStatusLine(request.httpVersion, 400, "Bad Request");
+    return;
+  }
+  if (request.hasHeader("Origin") && request.getHeader("Origin") != "null") {
+    response.setStatusLine(request.httpVersion, 400, "Bad Request");
+    return;
+  }
+  if (request.hasHeader("Referer")) {
+    response.setStatusLine(request.httpVersion, 400, "Bad Request");
+    return;
+  }
+
+  response.setHeader("Access-Control-Allow-Origin", "*");
+  response.setHeader("Content-Type", "application/json");
+  let content = {
+    accounts_endpoint:
+      "https://test1.example.com/tests/dom/credentialmanagement/identity/tests/mochitest/server_simple_accounts.sjs",
+    client_metadata_endpoint:
+      "https://test1.example.com/tests/dom/credentialmanagement/identity/tests/mochitest/server_metadata.json",
+    id_assertion_endpoint:
+      "https://test1.example.com/tests/dom/credentialmanagement/identity/tests/mochitest/server_simple_idtoken.sjs",
+  };
+  let body = JSON.stringify(content);
+  response.setStatusLine(request.httpVersion, 200, "OK");
+  response.write(body);
+}

dom/credentialmanagement/identity/tests/mochitest/test_manifest_same_site_ignores_well_known.html

@@ -0,0 +1,46 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>SameSite ignores well-known Test</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script src="head.js"></script>
+  <link rel="stylesheet" href="/tests/SimpleTest/test.css"/>
+  <script>
+    SimpleTest.waitForExplicitFinish();
+    setupTest("same_site_ignores_well_known", "https://test1.example.com").then(
+      function () {
+        return navigator.credentials.get({
+          identity: {
+            providers: [{
+              configURL: "https://test1.example.com/tests/dom/credentialmanagement/identity/tests/mochitest/server_manifest_same_site.sjs",
+              clientId: "mochitest",
+              nonce: "nonce"
+            }]
+          }
+        });
+      }
+    ).then((cred) => {
+      ok(true, "successfully got a credential");
+      is(cred.token,
+        "account_id=1234&client_id=mochitest&nonce=nonce&disclosure_text_shown=false&is_auto_selected=false",
+        "Correct token on the credential.");
+      is(cred.id,
+        "1234",
+        "Correct id on the credential");
+      is(cred.type,
+        "identity",
+        "Correct type on the credential");
+    }).catch(() => {
+      ok(false, "must not have an error");
+    }).finally(() => {
+      SimpleTest.finish();
+    })
+  </script>
+</head>
+<body>
+<p id="display"></p>
+<div id="content" style="display: none">This test makes sure that if we use an IDP that is same-site to the RP, we don't check the well-known constraints. If we checked them, this FedCM flow would not succeeed because the manifest for `https://test1.example.com` does not have the right configURL to match the argument here.</div>
+<pre id="test"></pre>
+</body>
+</html>