Schema verification should be allowed HTTP for localhost

[albanx]

While testing in localhost the Verification of the response fails because it sends http://localhost to the server.

I think the following check should allow HTTP for localhost dev envs:

webauthn-framework/src/webauthn/src/CeremonyStep/CheckOrigin.php

Line 46 in 56520b7

$scheme === 'https' || throw AuthenticatorResponseVerificationException::create(

[Spomky]

As per the specification, Webauthn only works with secure connections, so HTTP is not allowed.

[albanx]

Localhost is allowed it works when I remove that condition

…

On Mon, 28 Oct 2024, 06:30 Florent Morselli, ***@***.***> wrote: As per the specification, Webauthn only works with secure connections, so HTTP is not allowed. — Reply to this email directly, view it on GitHub <#656 (comment)> or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAIUBKAVGFUL73HBKHC32O3Z5XKXNBFKMF2HI4TJMJ2XIZLTSOBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDUOJ2WLJDOMFWWLLTXMF2GG2C7MFRXI2LWNF2HTAVFOZQWY5LFUVUXG43VMWSG4YLNMWVXI2DSMVQWIX3UPFYGLLDTOVRGUZLDORPXI6LQMWWES43TOVSUG33NNVSW45FGORXXA2LDOOJIFJDUPFYGLKTSMVYG643JORXXE6NFOZQWY5LFVEYTKOBXGQZTMMBYQKSHI6LQMWSWS43TOVS2K5TBNR2WLKRSGYYTMOJZGYYDSONHORZGSZ3HMVZKMY3SMVQXIZI> . You are receiving this email because you authored the thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .

[albanx]

Also if the specification forbids localhost, then that should be handle directly by the WebAuthN API of the browser, I believe an extra check might not be necessary

[Spomky]

Hi,

I read w3c/webauthn#2018 and w3c/webauthn#2019. I will create a PR for this specific use case.

Regards.