From 3305df3388b4470523b6da2721c7a3ce5acddbfa Mon Sep 17 00:00:00 2001
From: Colin
Date: Mon, 25 Nov 2024 22:14:39 -0800
Subject: [PATCH] fix: add cross-origin check

We don't want to allow cross-origin requests
---
 src/validators/WebAuthValidator.sol | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/validators/WebAuthValidator.sol b/src/validators/WebAuthValidator.sol
index 883ceb5f..65d48e3a 100644
--- a/src/validators/WebAuthValidator.sol
+++ b/src/validators/WebAuthValidator.sol
@@ -57,6 +57,7 @@ contract WebAuthValidator is PasskeyValidator, IModuleValidator {
 bool validChallenge = false;
 bool validType = false;
 bool validOrigin = false;
+ bool invalidCrossOrigin = false;
 for (uint256 index = 1; index < actualNum; index++) {
 JsmnSolLib.Token memory t = tokens[index];
 if (t.jsmnType == JsmnSolLib.JsmnType.STRING) {
@@ -97,12 +98,19 @@ contract WebAuthValidator is PasskeyValidator, IModuleValidator {
 // This really only validates the origin is set
 validOrigin = pubKey[0] != 0 && pubKey[1] != 0;
+ } else if (Strings.equal(keyOrValue, "crossOrigin")) {
+ JsmnSolLib.Token memory nextT = tokens[index + 1];
+ string memory crossOriginValue = JsmnSolLib.getBytes(clientDataJSON, nextT.start, nextT.end);
+ // this should only be set once, otherwise this is an error
+ if (!invalidCrossOrigin) {
+ return false;
+ }
+ invalidCrossOrigin = Strings.equal("true", typeValue);
 }
- // TODO: check 'cross-origin' keys as part of signature
 }
 }
- if (!validChallenge || !validType) {
+ if (!validChallenge || !validType || !validOrigin || invalidCrossOrigin) {
 return false;
 }
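Review bot: The `invalidCrossOrigin` flag declared here is initialised to `false`, so the once-only guard that consumes it in the following hunk, `if (!invalidCrossOrigin) { return false; }`, fires on the very first `crossOrigin` member and rejects every clientDataJSON that carries one, including `"crossOrigin":false`; detecting a duplicate key needs a separate `seenCrossOrigin` flag declared next to this one rather than reusing the result flag. The same branch parses the token into `crossOriginValue` and then compares `typeValue` instead, so the value it just read is never consulted and the result depends on whatever `typeValue` holds from an earlier branch (its scope is not visible in the hunk); `crossOriginValue` should be the operand. `tokens[index + 1]` is also read without checking `index + 1 < actualNum`, so a token list that ends on the `crossOrigin` key reverts with an out-of-bounds panic instead of returning false like every other failure path — whether the sibling branches already rely on the same unchecked pattern cannot be seen here. The enclosing function begins before both hunks and the second hunk's trailing context lines are cut off in this view.

```solidity
} else if (Strings.equal(keyOrValue, "crossOrigin")) {
  // the key must appear at most once and must have a value token after it
  if (seenCrossOrigin || index + 1 >= actualNum) {
    return false;
  }
  seenCrossOrigin = true;
  JsmnSolLib.Token memory nextT = tokens[index + 1];
  string memory crossOriginValue = JsmnSolLib.getBytes(clientDataJSON, nextT.start, nextT.end);
  // only a literal true marks the assertion as cross-origin; anything else leaves it allowed
  invalidCrossOrigin = Strings.equal("true", crossOriginValue);
}
```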