
Fix _checkOrigin() to require domain boundary check #123

Open

ScottHelme wants to merge 1 commit into lbuchs:master from ScottHelme:fix-origin-domain-boundary

Conversation

@ScottHelme

Summary

Fixes _checkOrigin() to enforce a domain boundary when validating the origin against the RP ID, as required by the W3C WebAuthn Level 2 spec (§7.1 Step 5 / §7.2 Step 9).

Problem

The existing regex preg_match('/' . preg_quote($rpId) . '$/i', $host) matches any hostname ending with the RP ID string. For RP ID example.com, lookalike domains like evil-example.com and evilexample.com incorrectly pass validation.

Fix

Replace the suffix regex with an exact match check (strcasecmp) and a dot-boundary subdomain check (str_ends_with with a . prefix). This accepts example.com and www.example.com while rejecting evil-example.com and evilexample.com.

Closes #122

The suffix regex accepted lookalike domains (e.g. evil-example.com for
RP ID example.com). Replace with exact match or dot-boundary subdomain
check per W3C WebAuthn Level 2 spec §7.1 Step 5 / §7.2 Step 9.
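To make the difference concrete, here is an added example in PHP (the library's language); it is not code from lbuchs/WebAuthn or from this PR. It places the suffix regex the PR describes as the old behaviour next to a dot-boundary check of the kind the PR proposes, and runs both over a constructed list of origins. The function names, the origin-parsing helper and the sample origins are the example's own assumptions; the only inputs the real library would see are the origin string from clientDataJSON and the configured RP ID.

```php
<?php
declare(strict_types=1);

// Added example, not code from lbuchs/WebAuthn: the suffix regex the PR
// describes as the old behaviour, beside a dot-boundary check of the kind
// it proposes. Function and variable names are the example's own.

/** Old behaviour per the PR: any host whose string ends in the RP ID passes. */
function hostMatchesRpIdSuffixRegex(string $host, string $rpId): bool
{
    return preg_match('/' . preg_quote($rpId, '/') . '$/i', $host) === 1;
}

/**
 * Fixed behaviour per the PR: exact (case-insensitive) match, or the host is
 * a subdomain of the RP ID, i.e. it ends in '.' . $rpId with at least one
 * character of label in front of that dot.
 */
function hostMatchesRpIdWithBoundary(string $host, string $rpId): bool
{
    $h = strtolower($host);
    $r = strtolower($rpId);
    if ($h === $r) {
        return true;            // example.com for RP ID example.com
    }
    $suffix = '.' . $r;
    // strlen guard rejects a bare ".example.com" (empty leading label).
    return strlen($h) > strlen($suffix) && str_ends_with($h, $suffix);
}

/** Pull the host out of a client-reported origin (scheme://host[:port]); assumed helper. */
function originHost(string $origin): ?string
{
    $parts = parse_url($origin);
    return is_array($parts) && isset($parts['host']) ? $parts['host'] : null;
}

/** Run both checks over a list of origins; returns [origin => [old, fixed]]. */
function compareChecks(array $origins, string $rpId): array
{
    $out = [];
    foreach ($origins as $origin) {
        $host = originHost($origin);
        $out[$origin] = $host === null
            ? [false, false]
            : [hostMatchesRpIdSuffixRegex($host, $rpId), hostMatchesRpIdWithBoundary($host, $rpId)];
    }
    return $out;
}

// Constructed sample origins for RP ID example.com.
$samples = [
    'https://example.com',           // exact match: both accept
    'https://www.example.com:8443',  // subdomain: both accept
    'https://evil-example.com',      // lookalike: old accepts, fixed rejects
    'https://evilexample.com',       // lookalike: old accepts, fixed rejects
    'https://example.com.evil.net',  // RP ID as a prefix: both reject
];

foreach (compareChecks($samples, 'example.com') as $origin => [$old, $fixed]) {
    printf("%-32s old=%-5s fixed=%s\n", $origin, var_export($old, true), var_export($fixed, true));
}
```

str_ends_with needs PHP 8.0 or later; on older runtimes substitute a substr_compare call. Note that this only decides whether the origin's host is the RP ID or one of its subdomains; it does not replace the rest of the origin validation (scheme, and whatever port policy the relying party enforces), and it should always be fed the host parsed from the origin, never the raw origin string, since the trailing-suffix comparison is only meaningful on a hostname.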


Development

Successfully merging this pull request may close these issues.

_checkOrigin() accepts lookalike domains due to missing domain boundary check
