Add support for Related Origin Requests with passkeys

Author: varjolintu

src/browser/BrowserAction.cpp

@@ -1,5 +1,5 @@
 /*
- *  Copyright (C) 2024 KeePassXC Team <team@keepassxc.org>
+ *  Copyright (C) 2026 KeePassXC Team <team@keepassxc.org>
  *
  *  This program is free software: you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -546,8 +546,11 @@ QJsonObject BrowserAction::handlePasskeysGet(const QJsonObject& json, const QStr
         return getErrorReply(action, ERROR_PASSKEYS_INVALID_URL_PROVIDED);
     }
 
+    const auto relatedOrigins =
+        browserMessageBuilder()->getStringListFromJsonArray(browserRequest.getArray("relatedOrigins"));
     const auto keyList = getConnectionKeys(browserRequest);
-    const auto response = browserService()->showPasskeysAuthenticationPrompt(publicKey, origin, keyList);
+    const auto response =
+        browserService()->showPasskeysAuthenticationPrompt(publicKey, origin, relatedOrigins, keyList);
 
     const Parameters params{{"response", response}};
     return buildResponse(action, browserRequest.incrementedNonce, params);
@@ -580,8 +583,11 @@ QJsonObject BrowserAction::handlePasskeysRegister(const QJsonObject& json, const
     }
 
     const auto groupName = browserRequest.getString("groupName");
+    const auto relatedOrigins =
+        browserMessageBuilder()->getStringListFromJsonArray(browserRequest.getArray("relatedOrigins"));
     const auto keyList = getConnectionKeys(browserRequest);
-    const auto response = browserService()->showPasskeysRegisterPrompt(publicKey, origin, groupName, keyList);
+    const auto response =
+        browserService()->showPasskeysRegisterPrompt(publicKey, origin, relatedOrigins, groupName, keyList);
 
     const Parameters params{{"response", response}};
     return buildResponse(action, browserRequest.incrementedNonce, params);

src/browser/BrowserMessageBuilder.cpp

@@ -1,5 +1,5 @@
 /*
- *  Copyright (C) 2023 KeePassXC Team <team@keepassxc.org>
+ *  Copyright (C) 2026 KeePassXC Team <team@keepassxc.org>
  *
  *  This program is free software: you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -370,3 +370,15 @@ QString BrowserMessageBuilder::getSha256HashAsBase64(const QString& str) const
 {
     return getBase64FromArray(QCryptographicHash::hash(str.toUtf8(), QCryptographicHash::Sha256));
 }
+
+QStringList BrowserMessageBuilder::getStringListFromJsonArray(const QJsonArray& jsonArray) const
+{
+    QStringList stringList;
+    for (const auto& item : jsonArray) {
+        if (item.isString()) {
+            stringList << item.toString();
+        }
+    }
+
+    return stringList;
+}

src/browser/BrowserMessageBuilder.h

@@ -1,5 +1,5 @@
 /*
- *  Copyright (C) 2024 KeePassXC Team <team@keepassxc.org>
+ *  Copyright (C) 2026 KeePassXC Team <team@keepassxc.org>
  *
  *  This program is free software: you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -106,6 +106,7 @@ class BrowserMessageBuilder
     QByteArray getArrayFromBase64(const QString& base64str) const;
     QByteArray getSha256Hash(const QString& str) const;
     QString getSha256HashAsBase64(const QString& str) const;
+    QStringList getStringListFromJsonArray(const QJsonArray& jsonArray) const;
 
 private:
     Q_DISABLE_COPY(BrowserMessageBuilder);

src/browser/BrowserPasskeysClient.cpp

@@ -1,5 +1,5 @@
 /*
- *  Copyright (C) 2024 KeePassXC Team <team@keepassxc.org>
+ *  Copyright (C) 2026 KeePassXC Team <team@keepassxc.org>
  *
  *  This program is free software: you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -33,6 +33,7 @@ BrowserPasskeysClient* BrowserPasskeysClient::instance()
 // https://www.w3.org/TR/2019/REC-webauthn-1-20190304/#createCredential
 int BrowserPasskeysClient::getCredentialCreationOptions(const QJsonObject& publicKeyOptions,
                                                         const QString& origin,
+                                                        const QStringList& relatedOrigins,
                                                         QJsonObject* result) const
 {
     if (!result || publicKeyOptions.isEmpty()) {
@@ -41,23 +42,26 @@ int BrowserPasskeysClient::getCredentialCreationOptions(const QJsonObject& publi
 
     // Check validity of some basic values
     const auto checkResultError = passkeyUtils()->checkLimits(publicKeyOptions);
-    if (checkResultError > 0) {
+    if (checkResultError != PASSKEYS_SUCCESS) {
         return checkResultError;
     }
 
     // Get effective domain
     QString effectiveDomain;
     const auto effectiveDomainResponse = passkeyUtils()->getEffectiveDomain(origin, &effectiveDomain);
-    if (effectiveDomainResponse > 0) {
+    if (effectiveDomainResponse != PASSKEYS_SUCCESS) {
         return effectiveDomainResponse;
     }
 
     // Validate RP ID
     QString rpId;
     const auto rpName = publicKeyOptions["rp"]["name"].toString();
     const auto rpIdResponse = passkeyUtils()->validateRpId(publicKeyOptions["rp"]["id"], effectiveDomain, &rpId);
-    if (rpIdResponse > 0) {
-        return rpIdResponse;
+    if (rpIdResponse != PASSKEYS_SUCCESS) {
+        // Validate Related Origin Requests if found
+        if (relatedOrigins.isEmpty() || !passkeyUtils()->validateRelatedOrigins(relatedOrigins, origin)) {
+            return rpIdResponse;
+        }
     }
 
     // Check PublicKeyCredentialTypes
@@ -126,6 +130,7 @@ int BrowserPasskeysClient::getCredentialCreationOptions(const QJsonObject& publi
 // https://www.w3.org/TR/2019/REC-webauthn-1-20190304/#getAssertion
 int BrowserPasskeysClient::getAssertionOptions(const QJsonObject& publicKeyOptions,
                                                const QString& origin,
+                                               const QStringList& relatedOrigins,
                                                QJsonObject* result) const
 {
     if (!result || publicKeyOptions.isEmpty()) {
@@ -135,15 +140,18 @@ int BrowserPasskeysClient::getAssertionOptions(const QJsonObject& publicKeyOptio
     // Get effective domain
     QString effectiveDomain;
     const auto effectiveDomainResponse = passkeyUtils()->getEffectiveDomain(origin, &effectiveDomain);
-    if (effectiveDomainResponse > 0) {
+    if (effectiveDomainResponse != PASSKEYS_SUCCESS) {
         return effectiveDomainResponse;
     }
 
     // Validate RP ID
     QString rpId;
     const auto rpIdResponse = passkeyUtils()->validateRpId(publicKeyOptions["rpId"], effectiveDomain, &rpId);
-    if (rpIdResponse > 0) {
-        return rpIdResponse;
+    if (rpIdResponse != PASSKEYS_SUCCESS) {
+        // Validate Related Origin Requests if found
+        if (relatedOrigins.isEmpty() || !passkeyUtils()->validateRelatedOrigins(relatedOrigins, origin)) {
+            return rpIdResponse;
+        }
     }
 
     // Extensions

src/browser/BrowserPasskeysClient.h

@@ -1,5 +1,5 @@
 /*
- *  Copyright (C) 2024 KeePassXC Team <team@keepassxc.org>
+ *  Copyright (C) 2026 KeePassXC Team <team@keepassxc.org>
  *
  *  This program is free software: you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -31,9 +31,14 @@ class BrowserPasskeysClient : public QObject
     ~BrowserPasskeysClient() = default;
     static BrowserPasskeysClient* instance();
 
-    int
-    getCredentialCreationOptions(const QJsonObject& publicKeyOptions, const QString& origin, QJsonObject* result) const;
-    int getAssertionOptions(const QJsonObject& publicKeyOptions, const QString& origin, QJsonObject* result) const;
+    int getCredentialCreationOptions(const QJsonObject& publicKeyOptions,
+                                     const QString& origin,
+                                     const QStringList& relatedOrigins,
+                                     QJsonObject* result) const;
+    int getAssertionOptions(const QJsonObject& publicKeyOptions,
+                            const QString& origin,
+                            const QStringList& relatedOrigins,
+                            QJsonObject* result) const;
 
 private:
     Q_DISABLE_COPY(BrowserPasskeysClient);

src/browser/BrowserService.cpp

@@ -1,5 +1,5 @@
 /*
- *  Copyright (C) 2025 KeePassXC Team <team@keepassxc.org>
+ *  Copyright (C) 2026 KeePassXC Team <team@keepassxc.org>
  *  Copyright (C) 2017 Sami Vänttinen <sami.vanttinen@protonmail.com>
  *  Copyright (C) 2013 Francois Ferrand
  *
@@ -638,6 +638,7 @@ QString BrowserService::getKey(const QString& id)
 // Passkey registration
 QJsonObject BrowserService::showPasskeysRegisterPrompt(const QJsonObject& publicKeyOptions,
                                                        const QString& origin,
+                                                       const QStringList& relatedOrigins,
                                                        const QString& groupName,
                                                        const StringPairList& keyList)
 {
@@ -647,9 +648,9 @@ QJsonObject BrowserService::showPasskeysRegisterPrompt(const QJsonObject& public
     }
 
     QJsonObject credentialCreationOptions;
-    const auto pkOptionsResult =
-        browserPasskeysClient()->getCredentialCreationOptions(publicKeyOptions, origin, &credentialCreationOptions);
-    if (pkOptionsResult > 0 || credentialCreationOptions.isEmpty()) {
+    const auto pkOptionsResult = browserPasskeysClient()->getCredentialCreationOptions(
+        publicKeyOptions, origin, relatedOrigins, &credentialCreationOptions);
+    if (pkOptionsResult != PASSKEYS_SUCCESS || credentialCreationOptions.isEmpty()) {
         return getPasskeyError(pkOptionsResult);
     }
 
@@ -737,6 +738,7 @@ QJsonObject BrowserService::showPasskeysRegisterPrompt(const QJsonObject& public
 // Passkey authentication
 QJsonObject BrowserService::showPasskeysAuthenticationPrompt(const QJsonObject& publicKeyOptions,
                                                              const QString& origin,
+                                                             const QStringList& relatedOrigins,
                                                              const StringPairList& keyList)
 {
     auto db = getDatabase();
@@ -746,8 +748,8 @@ QJsonObject BrowserService::showPasskeysAuthenticationPrompt(const QJsonObject&
 
     QJsonObject assertionOptions;
     const auto assertionResult =
-        browserPasskeysClient()->getAssertionOptions(publicKeyOptions, origin, &assertionOptions);
-    if (assertionResult > 0 || assertionOptions.isEmpty()) {
+        browserPasskeysClient()->getAssertionOptions(publicKeyOptions, origin, relatedOrigins, &assertionOptions);
+    if (assertionResult != PASSKEYS_SUCCESS || assertionOptions.isEmpty()) {
         return getPasskeyError(assertionResult);
     }
 

src/browser/BrowserService.h

@@ -1,5 +1,5 @@
 /*
- *  Copyright (C) 2025 KeePassXC Team <team@keepassxc.org>
+ *  Copyright (C) 2026 KeePassXC Team <team@keepassxc.org>
  *  Copyright (C) 2017 Sami Vänttinen <sami.vanttinen@protonmail.com>
  *  Copyright (C) 2013 Francois Ferrand
  *
@@ -90,10 +90,12 @@ class BrowserService : public QObject
 #ifdef WITH_XC_BROWSER_PASSKEYS
     QJsonObject showPasskeysRegisterPrompt(const QJsonObject& publicKeyOptions,
                                            const QString& origin,
+                                           const QStringList& relatedOrigins,
                                            const QString& groupName,
                                            const StringPairList& keyList);
     QJsonObject showPasskeysAuthenticationPrompt(const QJsonObject& publicKeyOptions,
                                                  const QString& origin,
+                                                 const QStringList& relatedOrigins,
                                                  const StringPairList& keyList);
     void addPasskeyToGroup(const QSharedPointer<Database>& db,
                            Group* group,

src/browser/PasskeyUtils.cpp

@@ -1,5 +1,5 @@
 /*
- *  Copyright (C) 2025 KeePassXC Team <team@keepassxc.org>
+ *  Copyright (C) 2026 KeePassXC Team <team@keepassxc.org>
  *
  *  This program is free software: you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -25,6 +25,8 @@
 #include <QList>
 #include <QUrl>
 
+#define MAX_SEEN_LABELS 10
+
 Q_GLOBAL_STATIC(PasskeyUtils, s_passkeyUtils);
 
 PasskeyUtils* PasskeyUtils::instance()
@@ -135,6 +137,37 @@ int PasskeyUtils::validateRpId(const QJsonValue& rpIdValue, const QString& effec
     return PASSKEYS_SUCCESS;
 }
 
+// The steps for validation: https://www.w3.org/TR/webauthn-3/#sctn-validating-relation-origin
+bool PasskeyUtils::validateRelatedOrigins(const QStringList& relatedOrigins, const QString& origin) const
+{
+    QSet<QString> labelsSeen;
+
+    for (const auto& originItem : relatedOrigins) {
+        QString effectiveDomain;
+        if (passkeyUtils()->getEffectiveDomain(originItem, &effectiveDomain) != PASSKEYS_SUCCESS) {
+            continue;
+        }
+
+        const auto label = urlTools()->getBaseDomainFromUrl(originItem, true);
+        if (label.isNull() || label.isEmpty()) {
+            continue;
+        }
+
+        if (labelsSeen.size() >= MAX_SEEN_LABELS && !labelsSeen.contains(label)) {
+            continue;
+        }
+
+        if (originItem == origin) {
+            return true;
+        }
+
+        if (labelsSeen.size() < MAX_SEEN_LABELS) {
+            labelsSeen.insert(label);
+        }
+    }
+    return false;
+}
+
 // https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#dom-publickeycredentialcreationoptions-attestation
 QString PasskeyUtils::parseAttestation(const QString& attestation) const
 {

src/browser/PasskeyUtils.h

@@ -1,5 +1,5 @@
 /*
- *  Copyright (C) 2025 KeePassXC Team <team@keepassxc.org>
+ *  Copyright (C) 2026 KeePassXC Team <team@keepassxc.org>
  *
  *  This program is free software: you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -50,6 +50,7 @@ class PasskeyUtils : public QObject
     bool checkCredentialAssertionOptions(const QJsonObject& assertionOptions) const;
     int getEffectiveDomain(const QString& origin, QString* result) const;
     int validateRpId(const QJsonValue& rpIdValue, const QString& effectiveDomain, QString* result) const;
+    bool validateRelatedOrigins(const QStringList& relatedOrigins, const QString& origin) const;
     QString parseAttestation(const QString& attestation) const;
     QJsonArray parseCredentialTypes(const QJsonArray& credentialTypes) const;
     bool isAuthenticatorSelectionValid(const QJsonObject& authenticatorSelection) const;

src/gui/UrlTools.cpp

@@ -1,5 +1,5 @@
 /*
- *  Copyright (C) 2025 KeePassXC Team <team@keepassxc.org>
+ *  Copyright (C) 2026 KeePassXC Team <team@keepassxc.org>
  *
  *  This program is free software: you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -53,10 +53,13 @@ QUrl UrlTools::getRedirectTarget(QNetworkReply* reply) const
 /**
  * Gets the base domain of URL or hostname.
  *
+ * If returnOnlyLabel is true, return only the Registrable Origin Label:
+ * https://www.w3.org/TR/webauthn-3/#registrable-origin-label
+ *
  * Returns the base domain, e.g. https://another.example.co.uk -> example.co.uk
  * Up-to-date list can be found: https://publicsuffix.org/list/public_suffix_list.dat
  */
-QString UrlTools::getBaseDomainFromUrl(const QString& url) const
+QString UrlTools::getBaseDomainFromUrl(const QString& url, bool returnOnlyLabel) const
 {
     auto qUrl = QUrl::fromUserInput(url);
 
@@ -74,8 +77,11 @@ QString UrlTools::getBaseDomainFromUrl(const QString& url) const
     host.chop(tld.length() + 1);
     // Split the URL and select the last part, e.g. https://another.example -> example
     QString baseDomain = host.split('.').last();
-    // Append the top level domain back to the URL, e.g. example -> example.co.uk
-    baseDomain.append(QString(".%1").arg(tld));
+
+    if (!returnOnlyLabel) {
+        // Append the top level domain back to the URL, e.g. example -> example.co.uk
+        baseDomain.append(QString(".%1").arg(tld));
+    }
 
     return baseDomain;
 }