Merge pull request #336 from Yubico/origin-error-message

Refer to RelyingParty.origins setting in origin mismatch error message

Author: emlun

webauthn-server-core/src/main/java/com/yubico/webauthn/FinishAssertionSteps.java

@@ -400,7 +400,8 @@ public void validate() {
       final String responseOrigin = response.getResponse().getClientData().getOrigin();
       assertTrue(
           OriginMatcher.isAllowed(responseOrigin, origins, allowOriginPort, allowOriginSubdomain),
-          "Incorrect origin: " + responseOrigin);
+          "Incorrect origin, please see the RelyingParty.origins setting: %s",
+          responseOrigin);
     }
 
     @Override

webauthn-server-core/src/main/java/com/yubico/webauthn/FinishRegistrationSteps.java

@@ -215,7 +215,8 @@ public void validate() {
       final String responseOrigin = clientData.getOrigin();
       assertTrue(
           OriginMatcher.isAllowed(responseOrigin, origins, allowOriginPort, allowOriginSubdomain),
-          "Incorrect origin: " + responseOrigin);
+          "Incorrect origin, please see the RelyingParty.origins setting: %s",
+          responseOrigin);
     }
 
     @Override

webauthn-server-core/src/main/java/com/yubico/webauthn/RelyingParty.java

@@ -281,6 +281,11 @@ public class RelyingParty {
    * If <code>true</code>, the origin matching rule is relaxed to allow any subdomain, of any depth,
    * of the values of {@link RelyingPartyBuilder#origins(Set) origins}.
    *
+   * <p>Please see <a
+   * href="https://www.w3.org/TR/2023/WD-webauthn-3-20230927/#sctn-code-injection">Security
+   * Considerations: Code injection attacks</a> for discussion of the risks in setting this to
+   * <code>true</code>.
+   *
    * <p>The default is <code>false</code>.
    *
    * <p>Examples with <code>origins: ["https://example.org", "https://acme.com:8443"]</code>
@@ -315,6 +320,9 @@ public class RelyingParty {
    *         <li><code>https://acme.com</code>
    *       </ul>
    * </ul>
+   *
+   * @see <a href="https://www.w3.org/TR/2023/WD-webauthn-3-20230927/#sctn-code-injection">§13.4.8.
+   *     Code injection attacks</a>
    */
   @Builder.Default private final boolean allowOriginSubdomain = false;