From fec79bd047f7e3c1f83120f0b27ffe10521c13d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicol=C3=A1s=20Pe=C3=B1a?=
Date: Thu, 21 Mar 2024 08:04:25 -0700
Subject: [PATCH] Revert "[FedCM] Enable CORS in ID assertion endpoint"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This reverts commit b2cb1b55ae3c4f7b88a74a0ceb697646fde03a5b.

Reason for revert: Causing issues to a real IDP

Original change's description:
> [FedCM] Enable CORS in ID assertion endpoint
>
> I2S: https://groups.google.com/a/chromium.org/g/blink-dev/c/gYoQJsaiD9E
>
> Bug: 40284123
> Change-Id: I61989f1e7a7578c2f59d87815e3ec2b51b7fc5be
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5370086
> Reviewed-by: Nasko Oskov
> Reviewed-by: Christian Dullweber
> Reviewed-by: Mathias Bynens
> Commit-Queue: Nicolás Peña
> Cr-Commit-Position: refs/heads/main@{#1274203}

Bug: 40284123
Change-Id: I4a518b55396d5aba676f0a15c9a515451dc11e86
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5381316
Reviewed-by: Christian Biesinger
Reviewed-by: Mathias Bynens
Commit-Queue: Nicolás Peña
Reviewed-by: Nasko Oskov
Reviewed-by: Christian Dullweber
Bot-Commit: Rubber Stamper
Cr-Commit-Position: refs/heads/main@{#1276213}
---
 credential-management/support/fedcm/continue_on.py | 2 --
 .../support/fedcm/request-params-check.py | 11 +++--------
 .../support/fedcm/token_with_account_id.py | 2 --
 .../support/fedcm/token_with_auto_selected_flag.py | 2 --
 .../support/fedcm/token_with_http_error.py | 2 --
 .../support/fedcm/token_with_rp_mode.py | 2 --
 6 files changed, 3 insertions(+), 18 deletions(-)

diff --git a/credential-management/support/fedcm/continue_on.py b/credential-management/support/fedcm/continue_on.py
index 2a580e0f3f4fd5..1b4831b51de7ee 100644
--- a/credential-management/support/fedcm/continue_on.py
+++ b/credential-management/support/fedcm/continue_on.py
@@ -7,8 +7,6 @@ def main(request, response):
 return request_error
 response.headers.set(b"Content-Type", b"application/json")
- response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))
- response.headers.set(b"Access-Control-Allow-Credentials", "true")
 account = request.POST.get(b"account_id").decode("utf-8")
 nonce = request.POST.get(b"nonce").decode("utf-8")
diff --git a/credential-management/support/fedcm/request-params-check.py b/credential-management/support/fedcm/request-params-check.py
index 08c28e32b7942d..6c610e6e201dd1 100644
--- a/credential-management/support/fedcm/request-params-check.py
+++ b/credential-management/support/fedcm/request-params-check.py
@@ -63,16 +63,12 @@ def accountsCheck(request):
 return (539, [], "Should not have Origin")
 def tokenCheck(request):
- common_error = commonCheck(request, b"cors")
+ common_error = commonCheck(request)
 if (common_error):
 return common_error
 common_credentialed_error = commonCredentialedRequestCheck(request)
 if (common_credentialed_error):
 return common_credentialed_error
- # The value of the Sec-Fetch-Site header can vary depending on the IdP origin
- # but it should not be 'none'.
- if request.headers.get(b"Sec-Fetch-Site") == b"none":
- return (538, [], "Wrong Sec-Fetch-Site header")
 post_error = commonPostCheck(request)
 if (post_error):
@@ -90,9 +86,8 @@ def revokeCheck(request):
 if (common_error):
 return common_error
- common_credentialed_error = commonCredentialedRequestCheck(request)
- if (common_credentialed_error):
- return common_credentialed_error
+ if request.cookies.get(b"cookie") != b"1":
+ return (537, [], "Missing cookie")
 # The value of the Sec-Fetch-Site header can vary depending on the IdP origin
 # but it should not be 'none'.
 if request.headers.get(b"Sec-Fetch-Site") == b"none":
diff --git a/credential-management/support/fedcm/token_with_account_id.py b/credential-management/support/fedcm/token_with_account_id.py
index 04e7b5b56b9e56..52fb20184bc081 100644
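Review bot: In the revokeCheck hunk the new inline `if request.cookies.get(b"cookie") != b"1": return (537, [], "Missing cookie")` validates the session cookie through a different code path than tokenCheck in the hunk above, which still goes through commonCredentialedRequestCheck; if that helper gains or already has further checks (its body is outside the hunk, so I cannot tell), the two endpoint checkers will drift apart silently. Since the revert deliberately restores the older shape, a one-line comment on the inline check would stop the next reader from "fixing" it back, e.g. `# Revocation requests are validated by cookie only; the shared credentialed check is reserved for the ID assertion path.`. It is also worth a sentence, in the code or the commit message, that after this change only revokeCheck rejects a `Sec-Fetch-Site: none` request while tokenCheck no longer does. revokeCheck's body starts before and continues after the hunk.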
--- a/credential-management/support/fedcm/token_with_account_id.py
+++ b/credential-management/support/fedcm/token_with_account_id.py
@@ -7,8 +7,6 @@ def main(request, response):
 return request_error
 response.headers.set(b"Content-Type", b"application/json")
- response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))
- response.headers.set(b"Access-Control-Allow-Credentials", "true")
 account_id = request.POST.get(b"account_id")
 return "{\"token\": \"account_id=" + account_id.decode("utf-8") + "\"}"
diff --git a/credential-management/support/fedcm/token_with_auto_selected_flag.py b/credential-management/support/fedcm/token_with_auto_selected_flag.py
index 3e011ce788c88a..93ccf3ee7e2277 100644
--- a/credential-management/support/fedcm/token_with_auto_selected_flag.py
+++ b/credential-management/support/fedcm/token_with_auto_selected_flag.py
@@ -7,8 +7,6 @@ def main(request, response):
 return request_error
 response.headers.set(b"Content-Type", b"application/json")
- response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))
- response.headers.set(b"Access-Control-Allow-Credentials", "true")
 is_auto_selected = request.POST.get(b"is_auto_selected")
 return "{\"token\": \"is_auto_selected=" + is_auto_selected.decode("utf-8") + "\"}"
diff --git a/credential-management/support/fedcm/token_with_http_error.py b/credential-management/support/fedcm/token_with_http_error.py
index 05b9945ba80dad..c8d95ab63d7ebd 100644
--- a/credential-management/support/fedcm/token_with_http_error.py
+++ b/credential-management/support/fedcm/token_with_http_error.py
@@ -7,8 +7,6 @@ def main(request, response):
 return request_error
 response.headers.set(b"Content-Type", b"application/json")
- response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))
- response.headers.set(b"Access-Control-Allow-Credentials", "true")
 response.status = (403, b"Forbidden")
 return "{\"token\": \"token\"}"
diff --git a/credential-management/support/fedcm/token_with_rp_mode.py b/credential-management/support/fedcm/token_with_rp_mode.py
index add634c99bb959..515736416f49cb 100644
--- a/credential-management/support/fedcm/token_with_rp_mode.py
+++ b/credential-management/support/fedcm/token_with_rp_mode.py
@@ -7,8 +7,6 @@ def main(request, response):
 return request_error
 response.headers.set(b"Content-Type", b"application/json")
- response.headers.set(b"Access-Control-Allow-Origin", request.headers.get(b"Origin"))
- response.headers.set(b"Access-Control-Allow-Credentials", "true")
 rp_mode = request.POST.get(b"mode")
 return "{\"token\": \"mode=" + rp_mode.decode("utf-8") + "\"}"