Do not limit FIDO/U2F usage based on user agent string #2956

New Issue

Closed

opened 2025-11-02 04:55:15 -06:00 by GiteaMirror · 6 comments

GiteaMirror commented 2025-11-02 04:55:15 -06:00

Owner

Copy Link

Originally created by @jorng on GitHub (Feb 21, 2019).

• Gitea version (or commit ref): 1.7.2
• Git version: 2.17.1
• Operating system: Linux / Ubuntu 18.04
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant

Description

After enabling FIDO / U2F for an account on my Gitea server, I am not able to use U2F on Safari, even with the Safari FIDO U2F extension installed and enabled.

If I change my user agent in the developer settings to include Chrome, it works as expected

• If the extension is installed/enabled, it uses U2F
• If the extension is not installed / disabled, it asks for TOTP

Gitea should not rely on user agent string at all to determine if U2F is available. Checking that window.u2f is non-null should be enough. (for example, it works fine with Github)

Originally created by @jorng on GitHub (Feb 21, 2019). - Gitea version (or commit ref): 1.7.2 - Git version: 2.17.1 - Operating system: Linux / Ubuntu 18.04 - Database (use `[x]`): - [x] PostgreSQL - [ ] MySQL - [ ] MSSQL - [ ] SQLite - Can you reproduce the bug at https://try.gitea.io: - [ ] Yes (provide example URL) - [ ] No - [x] Not relevant ## Description After enabling FIDO / U2F for an account on my Gitea server, I am not able to use U2F on Safari, even with the [Safari FIDO U2F](https://github.com/Safari-FIDO-U2F/Safari-FIDO-U2F) extension installed and enabled. If I change my user agent in the developer settings to include Chrome, it works as expected - If the extension is installed/enabled, it uses U2F - If the extension is not installed / disabled, it asks for TOTP Gitea should not rely on user agent string at all to determine if U2F is available. Checking that `window.u2f` is non-null should be enough. (for example, it works fine with Github)

GiteaMirror added the issue/confirmedtype/enhancement labels 2025-11-02 04:55:15 -06:00

GiteaMirror closed this issue 2025-11-02 04:55:16 -06:00

GiteaMirror commented 2025-11-02 04:55:16 -06:00

Author

Owner

Copy Link

@stale[bot] commented on GitHub (Apr 22, 2019):

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.

@stale[bot] commented on GitHub (Apr 22, 2019): This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.

GiteaMirror commented 2025-11-02 04:55:16 -06:00

Author

Owner

Copy Link

@jorng commented on GitHub (Apr 22, 2019):

What? Don't close.

@jorng commented on GitHub (Apr 22, 2019): What? Don't close.

GiteaMirror commented 2025-11-02 04:55:17 -06:00

Author

Owner

Copy Link

@e3b0c442 commented on GitHub (Jun 4, 2019):

Unfortunately the U2F support check is part of the vendored library, and looking at the latest version of that library, it still explicitly locks out Safari.

I see two ways this could be made to happen:

1. Scrap the legacy non-standardized U2F implementations entirely and go straight to standard WebAuthn+CTAP1. The consequences of this are that we end up dropping support for Firefox 47-59, Chrome 41-66, and Opera 42-53 (per caniuse.com). I don't think this will be a huge impact since Firefox 60 ESR has this and the Chromium browsers don't have extended support releases. Chrome<67 accounts for 2.18% of total global browser usage per caniuse.com. This is the forward looking approach, and would be a first step in adopting #6892.

2. Add a short-circuiting check for the window.u2f API before the call to u2fApi.ensureSupport(). This runs the risk of potentially causing issues because window.u2f is not standard. In fact, we cannot fully replace the vendored library call because Chrome itself doesn't provide window.u2f immediately. There is a U2F API library that can be retrieved from Google that implements window.u2f and could potentially replace the existing vendored library, but imho this is wasted effort given the deprecated status of unstandardized (from a web perspective) U2F implementations in favor of WebAuthn.

I'd be willing to take a stab at this if there is some agreement around one or the other option.

@e3b0c442 commented on GitHub (Jun 4, 2019): Unfortunately the U2F support check is part of the vendored library, and looking at the latest version of that library, it still explicitly locks out Safari. I see two ways this could be made to happen: 1) Scrap the legacy non-standardized U2F implementations entirely and go straight to standard WebAuthn+CTAP1. The consequences of this are that we end up dropping support for Firefox 47-59, Chrome 41-66, and Opera 42-53 (per caniuse.com). I don't think this will be a huge impact since Firefox 60 ESR has this and the Chromium browsers don't have extended support releases. Chrome<67 accounts for 2.18% of total global browser usage per caniuse.com. This is the forward looking approach, and would be a first step in adopting #6892. 2) Add a short-circuiting check for the `window.u2f` API before the call to `u2fApi.ensureSupport()`. This runs the risk of potentially causing issues because window.u2f is not standard. In fact, we cannot fully replace the vendored library call because Chrome itself doesn't provide `window.u2f` immediately. There is a U2F API library that can be retrieved from Google that implements `window.u2f` and could potentially replace the existing vendored library, but imho this is wasted effort given the deprecated status of unstandardized (from a web perspective) U2F implementations in favor of WebAuthn. I'd be willing to take a stab at this if there is some agreement around one or the other option.

GiteaMirror commented 2025-11-02 04:55:17 -06:00

Author

Owner

Copy Link

@DerAndereAndi commented on GitHub (Nov 20, 2019):

As Safari 13.0 on macOS now has build in support for U2F and iOS 13.3 betas also including support, it would be great to make this work.

@DerAndereAndi commented on GitHub (Nov 20, 2019): As Safari 13.0 on macOS now has build in support for U2F and iOS 13.3 betas also including support, it would be great to make this work.

GiteaMirror commented 2025-11-02 04:55:17 -06:00

Author

Owner

Copy Link

@e3b0c442 commented on GitHub (Dec 23, 2019):

My work on the WebAuthn conversion PR can be tracked here: #9451

@e3b0c442 commented on GitHub (Dec 23, 2019): My work on the WebAuthn conversion PR can be tracked here: #9451

GiteaMirror commented 2025-11-02 04:55:18 -06:00

Author

Owner

Copy Link

@jorng commented on GitHub (Dec 23, 2019):

I am 💯 in favor of the migration to WebAuthn. I will close this and track that issue.

@jorng commented on GitHub (Dec 23, 2019): I am 💯 in favor of the migration to WebAuthn. I will close this and track that issue.

GiteaMirror referenced this issue 2025-11-02 12:16:16 -06:00

[PR #2956] [MERGED] Fix over-escaped characters #16682

GiteaMirror referenced this issue 2025-11-02 12:16:44 -06:00

[PR #2992] [MERGED] Fix over-escaped characters #16702

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

release/v1.25

release/v1.24

release/v1.23

release/v1.22

release/v1.21

release/v1.20

release/v1.19

release/v1.18

release/v1.17

release/v1.16

release/v1.15

release/v1.14

release/v1.13

release/v1.12

release/v1.11

release/v1.10

release/v1.9

release/v1.8

v1.25.3

v1.25.2

v1.25.1

v1.25.0

v1.24.7

v1.25.0-rc0

v1.26.0-dev

v1.24.6

v1.24.5

v1.24.4

v1.24.3

v1.24.2

v1.24.1

v1.24.0

v1.23.8

v1.24.0-rc0

v1.25.0-dev

v1.23.7

v1.23.6

v1.23.5

v1.23.4

v1.23.3

v1.23.2

v1.23.1

v1.23.0

v1.23.0-rc0

v1.24.0-dev

v1.22.6

v1.22.5

v1.22.4

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.23.0-dev

v1.22.0-rc1

v1.21.11

v1.22.0-rc0

v1.21.10

v1.21.9

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.20.6

v1.21.1

v1.21.0

v1.21.0-rc2

v1.21.0-rc1

v1.20.5

v1.22.0-dev

v1.21.0-rc0

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.4

v1.21.0-dev

v1.20.0-rc2

v1.20.0-rc1

v1.20.0-rc0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.19.0-rc1

v1.20.0-dev

v1.19.0-rc0

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.4

v1.18.0-rc1

v1.19.0-dev

v1.18.0-rc0

v1.17.3

v1.17.2

v1.17.1

v1.17.0

v1.17.0-rc2

v1.16.9

v1.17.0-rc1

v1.18.0-dev

v1.16.8

v1.16.7

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.11

v1.17.0-dev

v1.16.0-rc1

v1.15.10

v1.15.9

v1.15.8

v1.15.7

v1.15.6

v1.15.5

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.14.7

v1.15.0

v1.15.0-rc3

v1.14.6

v1.15.0-rc2

v1.14.5

v1.16.0-dev

v1.15.0-rc1

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.7

v1.14.0-rc2

v1.13.6

v1.13.5

v1.14.0-rc1

v1.15.0-dev

v1.13.4

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.6

v1.13.0-rc2

v1.14.0-dev

v1.13.0-rc1

v1.12.5

v1.12.4

v1.12.3

v1.12.2

v1.12.1

v1.11.8

v1.12.0

v1.11.7

v1.12.0-rc2

v1.11.6

v1.12.0-rc1

v1.13.0-dev

v1.11.5

v1.11.4

v1.11.3

v1.10.6

v1.12.0-dev

v1.11.2

v1.10.5

v1.11.1

v1.10.4

v1.11.0

v1.11.0-rc2

v1.10.3

v1.11.0-rc1

v1.10.2

v1.10.1

v1.10.0

v1.9.6

v1.9.5

v1.10.0-rc2

v1.11.0-dev

v1.10.0-rc1

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.9.0-rc2

v1.10.0-dev

v1.9.0-rc1

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.8.0-rc3

v1.7.6

v1.8.0-rc2

v1.7.5

v1.8.0-rc1

v1.9.0-dev

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.7.0-rc3

v1.6.4

v1.7.0-rc2

v1.6.3

v1.7.0-rc1

v1.7.0-dev

v1.6.2

v1.6.1

v1.6.0

v1.6.0-rc2

v1.5.3

v1.6.0-rc1

v1.6.0-dev

v1.5.2

v1.5.1

v1.5.0

v1.5.0-rc2

v1.5.0-rc1

v1.5.0-dev

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.4.0-rc3

v1.4.0-rc2

v1.3.3

v1.4.0-rc1

v1.3.2

v1.3.1

v1.3.0

v1.3.0-rc2

v1.3.0-rc1

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.2.0-rc3

v1.2.0-rc2

v1.1.4

v1.2.0-rc1

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.2

v1.0.1

v1.0.0

v0.9.99

Labels

Clear labels

$20

$250

$50

$500

backport/done

💎 Bounty

docs-update-needed

good first issue

hacktoberfest

issue/bounty

issue/confirmed

issue/critical

issue/duplicate

issue/needs-feedback

issue/not-a-bug

issue/regression

issue/stale

issue/workaround

lgtm/need 2

modifies/api

modifies/translation

outdated/backport/v1.18

outdated/theme/markdown

outdated/theme/timetracker

performance/bigrepo

performance/cpu

performance/memory

performance/speed

pr/breaking

proposal/accepted

proposal/rejected

pr/wip

pull-request

Mirrored from GitHub Pull Request

reviewed/wontfix

💰 Rewarded

skip-changelog

status/blocked

topic/accessibility

topic/api

topic/authentication

topic/build

topic/code-linting

topic/commit-signing

topic/content-rendering

topic/deployment

topic/distribution

topic/federation

topic/gitea-actions

topic/issues

topic/lfs

topic/mobile

topic/moderation

topic/packages

topic/pr

topic/projects

topic/repo

topic/repo-migration

topic/security

topic/theme

topic/ui

topic/ui-interaction

topic/ux

topic/webhooks

topic/wiki

type/bug

type/deprecation

type/docs

type/enhancement

type/feature

type/miscellaneous

type/proposal

type/question

type/refactoring

type/summary

type/testing

type/upstream

No Label issue/confirmed type/enhancement

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/gitea#2956