Re-enable FIDO U2F in Chromium 98+ - chromium

In recent versions of Chromium (98+), my Yubikey is broken / no longer working to authenticate / register with websites using the FIDO2 U2F standard.
For example this demo site: https://u2f.cloudentify.com/u2fdemo/
Simply nothing happens and this is written to the console:
Failed to execute 'postMessage' on 'DOMWindow': The target origin provided ('chrome-extension://kmendfapggjehodndflmmgagdbamhnfd') does not match the recipient window's origin ('null').
How can I get this working again?

It turns out that the way U2F was implemented in Chromium was a bit of a hack and has been deprecated since Chrome 95. Here is the Yubikey page. It should have been a smooth transition to WebAuthn, but this is not true for all websites.
How to re-enable U2F API:
Go to this url: chrome://flags/#u2f-security-key-api
Locate "Enable the U2F Security Key API"
Change the dropdown from "Default" to "Enabled".
Restart the browser.

Related

How to handle the alert of FIDO authentication in selenium?

As the title says, an alert "verify your identity with webauthn.io" popped up when I registered a user through FIDO. The alert might have some options. My target is to write a script that can automatically sign in to a website with Selenium, but I have no idea how to handle this alert in Selenium.
Is there any way to handle this alert?
The alert looks like this:
For testing purposes you could use a virtual authenticator. Chromium based browsers have the option to emulate WebAuthn/FIDO2 authenticators - https://developer.chrome.com/docs/devtools/webauthn/
I've found when the virtual authenticator is enabled, it'll "bypass" the menu in your image above. The WebAuthn ceremony is still completed, the menu just immediately utilizes the virtual authenticator when enabled. The same will be true for authentication.
Some considerations
This is not an option in all browsers (notably Firefox and Safari)
For application testing I highly recommend that you still perform a round of manual testing utilizing a real authenticator (YubiKey, Face ID, Windows Hello, etc..)
Hope this helps
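
The virtual-authenticator approach from the answer above, as an added example that is not part of the original answer: it attaches a Chromium virtual authenticator through the DevTools Protocol `WebAuthn` domain using Selenium's `execute_cdp_cmd`, so the WebAuthn ceremony completes without the prompt. The helper names and option choices are assumptions; the URL is the site named in the question.

```python
# Added example: attach a Chromium virtual authenticator from Selenium via CDP.
# WebAuthn.* are Chrome DevTools Protocol methods; helper names are hypothetical.

def virtual_authenticator_options(protocol="ctap2", transport="usb",
                                  resident_key=True, user_verification=True):
    """Build the `options` object for WebAuthn.addVirtualAuthenticator."""
    if protocol not in ("ctap2", "u2f"):
        raise ValueError("protocol must be 'ctap2' or 'u2f'")
    if protocol == "u2f" and (resident_key or user_verification):
        # U2F keys have no resident credentials and no user verification.
        raise ValueError("u2f authenticators cannot do resident keys or UV")
    return {
        "protocol": protocol,
        "transport": transport,
        "hasResidentKey": resident_key,
        "hasUserVerification": user_verification,
        "isUserVerified": user_verification,   # answer UV requests with success
        "automaticPresenceSimulation": True,   # "touch" the key automatically
    }


def attach_virtual_authenticator(driver, **kwargs):
    """Enable the WebAuthn domain on a Chromium driver; return authenticator id."""
    options = virtual_authenticator_options(**kwargs)
    driver.execute_cdp_cmd("WebAuthn.enable", {})
    result = driver.execute_cdp_cmd("WebAuthn.addVirtualAuthenticator",
                                    {"options": options})
    return result["authenticatorId"]


def detach_virtual_authenticator(driver, authenticator_id):
    """Remove the authenticator and turn the WebAuthn domain off again."""
    driver.execute_cdp_cmd("WebAuthn.removeVirtualAuthenticator",
                           {"authenticatorId": authenticator_id})
    driver.execute_cdp_cmd("WebAuthn.disable", {})


if __name__ == "__main__":
    from selenium import webdriver  # needs Selenium 4 and a local Chrome
    driver = webdriver.Chrome()
    auth_id = attach_virtual_authenticator(driver)
    try:
        driver.get("https://webauthn.io/")
        # drive the registration / sign-in form here; no prompt is shown
    finally:
        detach_virtual_authenticator(driver, auth_id)
        driver.quit()
```

Credentials created this way live only in the virtual authenticator, so a test run that registers a user must sign in within the same browser session.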

Can't Enable Email/Password Sign in method in Firebase Authentication

I tried to enable Email/Password sign in method in Firebase Auth. When I click on the save button it gives error "Error updating Email/Password".
Please look at this image:
I already added Firebase to my Android app.
This problem usually happens if you are using an Antivirus, VPN, or proxy as this might block your connection so I recommend disabling them all.
Try to disable all your browser extensions as they might also block your connection.
If all the above steps did not work, try using a different browser preferably Google Chrome with an incognito window as Frank van Puffelen mentioned in the comments.

Leaflet.js - can't get my current location on some browsers

I have made this application using Leaflet.js with these plugins: MarkerCluster, Leaflet Map Fullscreen, it's hosted in a Linux server, HTTP apache2.
For some reason, I can't get my current location on the following browsers:
Mozilla Firefox (latest version)
Google Chrome (latest version)
Microsoft Edge
In IE, it gives me the popup to give permission to locate myself, and it works... only once. If I try to locate myself again it behaves like the other browsers above.
And, if I open the link in Instagram dm's it works just fine...
It works also in localhost or if I use location guard browser extension to make my location a fixed point.
What's causing this issue? Is it because it isn't https?
You will have to switch to https if you want to support geolocation on most if not all modern browsers.
For Chrome
Starting with Chrome 50, Chrome no longer supports obtaining the
user's location using the HTML5 Geolocation API from pages delivered
by non-secure connections. This means that the page that's making the
Geolocation API call must be served from a secure context such as
HTTPS.
For Firefox
This feature is available only in secure contexts (HTTPS) [...]
And according to the nice support grid on MDN, Opera and Safari should also require https to enable geolocation.

Windows Authentication not prompting on Firefox or iOS Safari

I have two WCF WebHttpBinding-bound self-hosted services. One is set to WebHttpSecurityMode.TransportCredentialOnly and HttpClientCredentialType.Windows. The other is set to None and None.
This service is serving exactly the intended authentication prompt behavior on Chrome and IE, with correct content types and content. Testing on localhost and remotely (not on a domain). In IE, the default settings for integrated authentication send my credentials immediately to the authenticated service. In Chrome, the default settings prompt me for my windows authentication credentials.
But in Firefox I get no such prompt - just an error in Firebug of 401 Unauthorized and a blank page otherwise. I assume iOS has the same 401 Unauthorized problem, although the debugger console doesn't show any errors - I just get a blank page.
I don't know how relevant the WCF WebHttpBinding is versus a standard IIS-hosted website, but all the other googles I find are about someone trying to STOP the Windows Auth prompt in favor of Integrated Security mode in non-IE browsers. I kind of have the opposite problem - it's not showing up for me.
Is there something nuanced about the webservice response that Firefox and Safari are sensitive to that Chrome and IE are not sensitive to?
I'm testing on Windows 8 with IE 10 and the latest releases of the other browsers at the time of writing.
Thanks!
If I set it to HttpClientCredentialType.NTLM then all browsers work. But as I understand it, NTLM disallows the more secure Kerberos domain credentials (if they're available). I don't want to force a less-secure option!
Kerberos works well with IE and since Chrome shares stuff with IE, it works for Chrome too. For Firefox, you have to enable it. See here. Safari on Mac OS should work but not sure about other OS'.

Facebook Connect button not showing up in Safari/Chrome

My implementation of Facebook Connect (just a simple login button, fb:login-button) works perfectly on Firefox and IE.
But the same button is not showing up in Safari/Chrome (Webkit).
Here's what's ironic. In my debugging effort, I saved the page (that contains fb:login-button) up as a static page and then load it in Safari. And the button shows up, everything works!
The exact same page (with the exact same HTML source) rendered by my PHP has no way for bringing up the button.
I'm trying hard to support Webkit here but I'm close to giving up. Can anybody help?
I found one more way this can occur (the blame-myself-for-being-stupid way); it's probably not common, but in the event it saves anyone else the hassle, here it is:
This symptom can also be caused by various security tools blocking facebook resources.
In my case, I'd installed Facebook Disconnect ages ago in Chrome as a plugin and forgotten all about it being installed. I also had a second installation of Chrome that was seemingly identical (but did not have Facebook Disconnect). The first would properly load the fb:login-button, and the other would not; took me ages before I looked at the plugins, because Facebook Disconnect didn't have an icon and so its presence was pretty easy for me to miss.
Here's what you'll see if some sort of security plugin is preventing facebook resources from loading. Just look at the html that renders in the browser using developer tools.
In a normal chrome session you'll end up with something like this:
<fb:login-button><a class="fb_button fb_button_medium"><span class="fb_button_text">Your text here</span></a></fb:login-button>
But in the version with facebook's resources disabled you'll end up with this:
<fb:login-button>Your text here</fb:login-button>
Like I said, pretty obvious in retrospect.
Had the same problem but it was not related to anything like a plugin or malformed content. It seems if you enable country filtering on your facebook page it has an issue with the like button, this should be fairly obvious. Facebook gets your location from your profile and not your IP address.
Make sure to disable country locking if you plan on using the social plugins.
This can be due to having ClickToFlash installed. Either disable it, or check "Automatically load invisible Flash views" in the ClickToFlash settings.
What we found out is that Safari (and maybe some older versions of Chrome or other WebKit browsers) have a problem with Facebook's code using the innerHTML JS function if your page arrives with an XHTML response header (application/xhtml+xml).
Using text/html solves the issue.
In the case of JSF2, which we use, implementing the fix was as simple as wrapping the FB button like this:
<ui:composition xmlns="http://www.w3.org/1999/xhtml"
                xmlns:fb="http://www.facebook.com/2008/fbml"
                xmlns:f="http://java.sun.com/jsf/core">
    ...
    <f:view contentType="text/html">
        <fb:login-button>Login using Facebook</fb:login-button>
    </f:view>
</ui:composition>
Facebook bug report here:
http://bugs.developers.facebook.net/show_bug.cgi?id=5545
I had this problem with the Facebook button not showing at all and it took me forever to figure out what it was. Luckily after days of hair pulling I will now share the answer with everyone. In my situation I simply didn't have xfbml enabled. In my FB.init I had it set to false:
FB.init({
    appId  : 'app_id', // App ID
    status : true,     // check login status
    cookie : true,     // enable cookies to allow the server to access the session
    xfbml  : false,    // parse XFBML
    oauth  : true      // enable OAuth 2.0
});
I changed this to "true" (xfbml) and the login button works great now! :P Good luck!
This happened when I had the wrong domain in callback_url in config/facebooker.yml. Apparently it uses that to load the js files.
I had the same problem but I resolved it by making sure the URL in my app settings was exactly the same as the one for my site (i.e. it didn't work when I accessed my site without the www.).
I have tried every suggested solution here and it didn't work for me. But now I finally found the solution.
Facebook requires now a secured (https) for Canvas (Secure Canvas URL). The unsecured one will be deprecated soon.
Here is the main difference, Chrome doesn't like https connections with invalid certifications. On a localhost, it is very likely you have stunnel installed to allow https connection for the localhost. Firefox is ok with the self created SSL certificate and allows you to add an exception when trying to access that site. Chrome doesn't allow it out of the box.
When I load my app in Chrome the page is blank and I don't see any login button.
Click F12 and click the Network tab in Chrome:
You see that the post request to your localhost is cancelled. DOUBLE Click on it.
Now you would see that chrome is blocking the localhost because of the certificate:
click on proceed anyway.
Now go back to your other tab and reload the page:
Chrome works now like Firefox and shows the login button.