

@tsunoyu tsunoyu commented Feb 4, 2025

Description

This PR adds support for tracking and analyzing the following well-known files:

  1. FedCM: /.well-known/web-identity
  2. Passkey: /.well-known/passkey-endpoints
  3. WebAuthn: /.well-known/webauthn

These files are critical for enabling Federated Credential Management (FedCM), passkey upgrades, and WebAuthn Related Origin Requests. The changes ensure that these files are fetched, parsed, and included in the HTTP Archive's custom metrics.

Changes

  1. Added a new parseResponse call for /.well-known/web-identity to track FedCM configurations.
  2. Added a new parseResponse call for /.well-known/passkey-endpoints to track passkey enrollment and management URLs.
  3. Added a new parseResponse call for /.well-known/webauthn to track WebAuthn-related origin requests.

Example Output

FedCM (/.well-known/web-identity)

{
  "/.well-known/web-identity": {
    "found": true,
    "data": {
      "provider_urls": ["https://accounts.idp.example/config.json"],
      "accounts_endpoint": "https://accounts.idp.example/accounts",
      "login_url": "https://accounts.idp.example/login"
    }
  }
}

{
  "/.well-known/passkey-endpoints": {
    "found": true,
    "data": {
      "enroll": "https://passkeys-demo.appspot.com/home",
      "manage": "https://passkeys-demo.appspot.com/home"
    }
  }
}

{
  "/.well-known/webauthn": {
    "found": true,
    "data": {
      "origins": ["https://example.com"]
    }
  }
}

Test websites:


max-ostapenko commented Feb 7, 2025


tsunoyu commented Feb 7, 2025

Added a WebAuthn example (https://ror-1.glitch.me/) from https://web.dev/articles/webauthn-related-origin-requests

UPD. + https://www.google.com/.well-known/web-identity

@max-ostapenko Thank you for adding this. Very helpful to run the test.

@tsunoyu tsunoyu closed this Feb 7, 2025
@tsunoyu tsunoyu reopened this Feb 7, 2025

github-actions bot commented Feb 7, 2025

https://almanac.httparchive.org/en/2022/

WPT result details

Changed custom metrics values:

{
  "_well-known": {
    "/.well-known/assetlinks.json": {
      "found": false
    },
    "/.well-known/apple-app-site-association": {
      "found": false
    },
    "/.well-known/related-website-set.json": {
      "found": false
    },
    "/.well-known/privacy-sandbox-attestations.json": {
      "found": false
    },
    "/.well-known/gpc.json": {
      "found": false
    },
    "/.well-known/web-identity": {
      "found": false
    },
    "/.well-known/passkey-endpoints": {
      "found": false
    },
    "/.well-known/webauthn": {
      "found": false
    },
    "/robots.txt": {
      "found": true,
      "data": {
        "matched_disallows": {}
      }
    },
    "/.well-known/security.txt": {
      "found": false,
      "data": {
        "status": 404,
        "redirected": true,
        "url": "https://almanac.httparchive.org/.well-known/security.txt/",
        "content_type": "text/html; charset=utf-8"
      }
    },
    "/.well-known/change-password": {
      "found": false,
      "data": {
        "status": 404,
        "redirected": true,
        "url": "https://almanac.httparchive.org/.well-known/change-password/"
      }
    },
    "/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200/": {
      "found": false,
      "data": {
        "status": 404,
        "redirected": false,
        "url": "https://almanac.httparchive.org/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200/"
      }
    }
  }
}
https://www.ebay.com

WPT result details

Changed custom metrics values:

{
  "_well-known": {
    "/.well-known/assetlinks.json": {
      "found": true,
      "data": {
        "deep_linking": true,
        "credential_sharing": true
      }
    },
    "/.well-known/apple-app-site-association": {
      "found": true
    },
    "/.well-known/related-website-set.json": {
      "error": "Failed to fetch"
    },
    "/.well-known/privacy-sandbox-attestations.json": {
      "error": "Failed to fetch"
    },
    "/.well-known/gpc.json": {
      "error": "Failed to fetch"
    },
    "/.well-known/web-identity": {
      "error": "Failed to fetch"
    },
    "/.well-known/passkey-endpoints": {
      "found": true,
      "data": {
        "enroll": "https://accounts.ebay.com/acctsec/manage/passkeys/create",
        "manage": "https://accounts.ebay.com/acctsec/security-center"
      }
    },
    "/.well-known/webauthn": {
      "error": "Failed to fetch"
    },
    "/robots.txt": {
      "found": true,
      "data": {
        "matched_disallows": {
          "*": [
            "/signin/"
          ],
          "bingbot": [
            "/signin/"
          ]
        }
      }
    },
    "/.well-known/security.txt": {
      "error": "Failed to fetch"
    },
    "/.well-known/change-password": {
      "error": "Failed to fetch"
    },
    "/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200/": {
      "error": "Failed to fetch"
    }
  }
}
https://www.amazon.co.uk

WPT result details

Changed custom metrics values:

{
  "_well-known": {
    "/.well-known/assetlinks.json": {
      "found": true,
      "data": {
        "deep_linking": true,
        "credential_sharing": false
      }
    },
    "/.well-known/apple-app-site-association": {
      "found": true
    },
    "/.well-known/related-website-set.json": {
      "found": false
    },
    "/.well-known/privacy-sandbox-attestations.json": {
      "found": false
    },
    "/.well-known/gpc.json": {
      "found": false
    },
    "/.well-known/web-identity": {
      "found": false
    },
    "/.well-known/passkey-endpoints": {
      "found": false
    },
    "/.well-known/webauthn": {
      "found": false
    },
    "/robots.txt": {
      "found": true,
      "data": {
        "matched_disallows": {
          "*": [
            "/exec/obidos/account-access-login",
            "/exec/obidos/dt/assoc/handle-buy-box",
            "/exec/obidos/flex-sign-in",
            "/exec/obidos/refer-a-friend-login",
            "/exec/obidos/subst/associates/join",
            "/gp/sign-in",
            "/ap/signin",
            "/gp/video/auth"
          ]
        }
      }
    },
    "/.well-known/security.txt": {
      "found": true,
      "data": {
        "status": 200,
        "redirected": false,
        "url": "https://www.amazon.co.uk/.well-known/security.txt",
        "content_type": "text/plain",
        "signed": false,
        "contact": [
          "https://hackerone.com/amazonvrp/reports/new"
        ],
        "policy": [
          "https://hackerone.com/amazonvrp"
        ],
        "hiring": [
          "https://www.amazon.jobs/en/teams/infosec"
        ],
        "all_required_exist": false,
        "only_one_requirement_broken": false,
        "valid": false
      }
    },
    "/.well-known/change-password": {
      "found": false,
      "data": {
        "status": 404,
        "redirected": false,
        "url": "https://www.amazon.co.uk/.well-known/change-password"
      }
    },
    "/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200/": {
      "found": false,
      "data": {
        "status": 404,
        "redirected": false,
        "url": "https://www.amazon.co.uk/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200/"
      }
    }
  }
}
https://tv.apple.com

WPT result details

Changed custom metrics values:

{
  "_well-known": {
    "/.well-known/assetlinks.json": {
      "found": true,
      "data": {
        "deep_linking": true,
        "credential_sharing": false
      }
    },
    "/.well-known/apple-app-site-association": {
      "found": true
    },
    "/.well-known/related-website-set.json": {
      "found": true
    },
    "/.well-known/privacy-sandbox-attestations.json": {
      "found": true
    },
    "/.well-known/gpc.json": {
      "error": "Unexpected token '<', \"<!DOCTYPE \"... is not valid JSON"
    },
    "/.well-known/web-identity": {
      "found": true,
      "data": {
        "provider_urls": [],
        "accounts_endpoint": null,
        "login_url": null
      }
    },
    "/.well-known/passkey-endpoints": {
      "found": true,
      "data": {
        "enroll": null,
        "manage": null
      }
    },
    "/.well-known/webauthn": {
      "found": true,
      "data": {
        "origins": []
      }
    },
    "/robots.txt": {
      "found": true,
      "data": {
        "matched_disallows": {}
      }
    },
    "/.well-known/security.txt": {
      "found": true,
      "data": {
        "status": 200,
        "redirected": false,
        "url": "https://tv.apple.com/.well-known/security.txt",
        "content_type": "text/html",
        "signed": false,
        "other": [
          [
            "overflow",
            "hidden;"
          ],
          [
            "position",
            "fixed;"
          ],
          [
            "top",
            "0;"
          ],
          [
            "right",
            "0;"
          ],
          [
            "bottom",
            "0;"
          ],
          [
            "left",
            "0;"
          ],
          [
            "animation",
            "spinner 0s 2s forwards;"
          ],
          [
            "visibility",
            "hidden;"
          ],
          [
            "visibility",
            "visible;"
          ],
          [
            "\"@context\"",
            "\"https://schema.org\","
          ],
          [
            "\"@id\"",
            "\"https://tv.apple.com/#organization\","
          ],
          [
            "\"@type\"",
            "\"Organization\","
          ],
          [
            "\"name\"",
            "\"Apple TV\","
          ],
          [
            "\"url\"",
            "\"https://tv.apple.com\","
          ],
          [
            "\"logo\"",
            "\"https://tv.apple.com/assets/knowledge-graph/tv.png\","
          ],
          [
            "\"sameAs\"",
            "["
          ],
          [
            "\"parentOrganization\"",
            "{"
          ],
          [
            "\"@type\"",
            "\"Organization\","
          ],
          [
            "\"name\"",
            "\"Apple\","
          ],
          [
            "\"@id\"",
            "\"https://www.apple.com/#organization\","
          ],
          [
            "\"url\"",
            "\"https://www.apple.com/\""
          ]
        ],
        "all_required_exist": false,
        "only_one_requirement_broken": false,
        "valid": false
      }
    },
    "/.well-known/change-password": {
      "found": true,
      "data": {
        "status": 200,
        "redirected": false,
        "url": "https://tv.apple.com/.well-known/change-password"
      }
    },
    "/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200/": {
      "found": true,
      "data": {
        "status": 200,
        "redirected": false,
        "url": "https://tv.apple.com/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200/"
      }
    }
  }
}
https://ror-1.glitch.me

WPT result details

Changed custom metrics values:

{
  "_well-known": {
    "/.well-known/assetlinks.json": {
      "found": true,
      "data": {
        "deep_linking": true,
        "credential_sharing": true
      }
    },
    "/.well-known/apple-app-site-association": {
      "found": false
    },
    "/.well-known/related-website-set.json": {
      "found": false
    },
    "/.well-known/privacy-sandbox-attestations.json": {
      "found": false
    },
    "/.well-known/gpc.json": {
      "found": false
    },
    "/.well-known/web-identity": {
      "found": false
    },
    "/.well-known/passkey-endpoints": {
      "found": false
    },
    "/.well-known/webauthn": {
      "found": true,
      "data": {
        "origins": [
          "https://ror-2.glitch.me"
        ]
      }
    },
    "/robots.txt": {
      "found": false
    },
    "/.well-known/security.txt": {
      "found": false,
      "data": {
        "status": 404,
        "redirected": false,
        "url": "https://ror-1.glitch.me/.well-known/security.txt",
        "content_type": "text/html; charset=utf-8"
      }
    },
    "/.well-known/change-password": {
      "found": false,
      "data": {
        "status": 404,
        "redirected": false,
        "url": "https://ror-1.glitch.me/.well-known/change-password"
      }
    },
    "/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200/": {
      "found": false,
      "data": {
        "status": 404,
        "redirected": false,
        "url": "https://ror-1.glitch.me/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200/"
      }
    }
  }
}
https://www.google.com

WPT result details

Changed custom metrics values:

{
  "_well-known": {
    "/.well-known/assetlinks.json": {
      "found": true,
      "data": {
        "deep_linking": true,
        "credential_sharing": true
      }
    },
    "/.well-known/apple-app-site-association": {
      "found": false
    },
    "/.well-known/related-website-set.json": {
      "found": false
    },
    "/.well-known/privacy-sandbox-attestations.json": {
      "found": false
    },
    "/.well-known/gpc.json": {
      "found": false
    },
    "/.well-known/web-identity": {
      "found": true,
      "data": {
        "provider_urls": [
          "https://accounts.google.com/gsi/fedcm.json"
        ],
        "accounts_endpoint": "https://accounts.google.com/gsi/fedcm/listaccounts",
        "login_url": "https://accounts.google.com/gsi/fedcm/signin"
      }
    },
    "/.well-known/passkey-endpoints": {
      "found": false
    },
    "/.well-known/webauthn": {
      "found": false
    },
    "/robots.txt": {
      "found": true,
      "data": {
        "matched_disallows": {
          "*": [
            "/accounts/ClientLogin",
            "/accounts/ClientAuth",
            "/accounts/o8",
            "/shopping/ratings/account/metrics",
            "/nonprofits/account/"
          ]
        }
      }
    },
    "/.well-known/security.txt": {
      "found": true,
      "data": {
        "status": 200,
        "redirected": false,
        "url": "https://www.google.com/.well-known/security.txt",
        "content_type": "text/plain",
        "signed": false,
        "contact": [
          "https://g.co/vulnz",
          "mailto:[email protected]"
        ],
        "expires": [
          "2025-04-01T00:00:00z"
        ],
        "encryption": [
          "https://services.google.com/corporate/publickey.txt"
        ],
        "acknowledgments": [
          "https://bughunters.google.com/"
        ],
        "policy": [
          "https://g.co/vrp"
        ],
        "hiring": [
          "https://g.co/SecurityPrivacyEngJobs"
        ],
        "all_required_exist": true,
        "only_one_requirement_broken": false,
        "valid": true
      }
    },
    "/.well-known/change-password": {
      "found": false,
      "data": {
        "status": 404,
        "redirected": false,
        "url": "https://www.google.com/.well-known/change-password"
      }
    },
    "/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200/": {
      "found": false,
      "data": {
        "status": 404,
        "redirected": false,
        "url": "https://www.google.com/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200/"
      }
    }
  }
}

@tunetheweb tunetheweb merged commit c57d482 into HTTPArchive:main Feb 11, 2025
4 checks passed