Reject cross-origin requests in processCreate and processGet

src/WebAuthn.php

@@ -357,6 +357,11 @@ public function processCreate($clientDataJSON, $attestationObject, $challenge, $
             throw new WebAuthnException('invalid origin', WebAuthnException::INVALID_ORIGIN);
         }
 
+        // Reject cross-origin requests (proposed Level 3 spec §7.1 Step 10).
+        if (\property_exists($clientData, 'crossOrigin') && $clientData->crossOrigin === true) {
+            throw new WebAuthnException('cross-origin request not allowed', WebAuthnException::INVALID_ORIGIN);
+        }
+
         // Attestation
         $attestationObject = new Attestation\AttestationObject($attestationObject, $this->_formats);
 
@@ -475,6 +480,11 @@ public function processGet($clientDataJSON, $authenticatorData, $signature, $cre
             throw new WebAuthnException('invalid origin', WebAuthnException::INVALID_ORIGIN);
         }
 
+        // Reject cross-origin requests (proposed Level 3 spec §7.2 Step 13).
+        if (\property_exists($clientData, 'crossOrigin') && $clientData->crossOrigin === true) {
+            throw new WebAuthnException('cross-origin request not allowed', WebAuthnException::INVALID_ORIGIN);
+        }
+
         // 11. Verify that the rpIdHash in authData is the SHA-256 hash of the RP ID expected by the Relying Party.
         if ($authenticatorObj->getRpIdHash() !== $this->_rpIdHash) {
             throw new WebAuthnException('invalid rpId hash', WebAuthnException::INVALID_RELYING_PARTY);