In order to provide a more efficient onchain WebAuthn credential verification implementation, we do not implement / leverage a generalized JSON unmarshaller. Instead, the client should provide "hints" that the contract can use to parse the payload. These hints consist of word + byte offsets in the client data JSON payload which the implementation then uses to naively verify the payload.
Given the constraints on the payload's content, I believe this is secure. However, further research + validation is necessary to ensure a nested JSON blob with malicious inputs can't be embedded in the client JSON payload.
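The hint-based check and the nested-blob concern described in this issue, modelled off-chain as an added example (not the project's contract code). The function names, the `require_top_level` switch, the byte-only hints and the sample payloads are assumptions made for illustration.

```python
import base64

def top_level_quotes(data: bytes) -> set:
    """Offsets of string-opening quotes directly inside the outermost object."""
    found, depth, in_str, esc = set(), 0, False, False
    for i, b in enumerate(data):
        c = chr(b)
        if in_str:                      # skip string contents, honouring \" escapes
            if esc:
                esc = False
            elif c == "\\":
                esc = True
            elif c == '"':
                in_str = False
        elif c == '"':
            if depth == 1:
                found.add(i)
            in_str = True
        elif c in "{[":
            depth += 1
        elif c in "}]":
            depth -= 1
    return found

def verify_hinted(client_data, challenge, type_off, chal_off, require_top_level=True):
    """Check the hinted offsets hold the expected fields; no JSON parser involved."""
    chal = base64.urlsafe_b64encode(challenge).rstrip(b"=")
    expected = [(type_off, b'"type":"webauthn.get"'),
                (chal_off, b'"challenge":"' + chal + b'"')]
    top = top_level_quotes(client_data) if require_top_level else None
    for off, needle in expected:
        if off < 0 or client_data[off:off + len(needle)] != needle:
            return False                # hint does not point at the expected bytes
        if top is not None and off not in top:
            return False                # bytes match, but inside a nested value
    return True

# Constructed sample payloads (not captured from a real authenticator).
CHALLENGE = b"constructed-challenge-0001"
_C = base64.urlsafe_b64encode(CHALLENGE).rstrip(b"=").decode()
_OTHER = base64.urlsafe_b64encode(b"some-other-challenge").rstrip(b"=").decode()
GOOD = ('{"type":"webauthn.get","challenge":"%s",'
        '"origin":"https://example.test","crossOrigin":false}' % _C).encode()
NESTED = ('{"type":"webauthn.get","challenge":"%s","origin":"https://example.test",'
          '"ext":{"type":"webauthn.get","challenge":"%s"}}' % (_OTHER, _C)).encode()
```

With `require_top_level=False` the hints into the nested `ext` object of `NESTED` are accepted; with the default they are rejected. The scan is linear in the payload length, a cost a contract would have to weigh against the savings the hints are meant to provide.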