I can see the browser plugin respond to in the background under the GRC client. Neither one is aware of the other so this is working as it should. What concerns me though is the lack of consistency between clients.
I don't think I should be getting the "NO Identity Spoof Protection" warning. I don't get it when logging into this forum. I started using the https://github.com/mikevh/sqrl project as a base for my website. This project seems to work for basic authentication, but lacks the other features and hasn't been updated in several months. I don't get the warning for my website.
My main skill set is SQL Server Administration. I used to do some old-school ASP then web forms in ASP.NET so I picked up a gig between jobs to create an MVC website so I'm still pretty green with this MVC middleware thing. I'll help out where I can.
You must have updated your website w/ the new build. The IOS client now works using the QR code and using Chrome browser for IOS.
The GRC client still doesn't take over using Chrome browser and still get a the warning from GRC client when using Edge.
Interesting I do get the warning everywhere with GRCs client ⁉
The project you highlighted is very basic and I assumed to be dead and the nuts in my opinion are not correct although crypot safe random they could duplicate my implementation tries to reduce that by using date time to a high frequency. Also I created SqrlForNet as I wanted a NuGet package so i can use it over and over.
I'm not sure why you don't get it for your own sites I would be interested to see some network logs or for SqrlForNet there is a nice ?diag page you can go to which will wipe every time the server restarts. Also in the GRC client there are some options (see second image) what are yours set to for the identity your using?
Attachments
Yeah as soon as the package is live my website gets patched which is about 5 minutes cycle time.
The forum admin must of only approved your message at the same time as m last so ill let you respond to that but glad the iOS client works now
Check out https://www.grc.com/sqrl/nospoof.htm
I just cloned your git repo to my local development environment and ran it in VS. Still got the warning.
I just cloned your git repo to my local development environment and ran it in VS. Still got the warning.
Attachments
If you have the repo can you run the InMemory example and grab the diagnostics page output by going to /login-sqrl?duag ad post the results I might be able to see why we get this for sure but I'm remembering somth8ng about the CPS option not been sent.
Ok so it is that the CSP is not sent which is on my list for 1.0.0 so if you can live with it for the next two days i should have it sorted i just need to get some request fired off to the local SQRL client to wake up the localhost server it runs
The WebExtension only stops the native "link following" when you click on a
sqrl:// link (with evt.preventDefault()), it does not attempt to stop any other javascript event handlers from working.So if your javascript has an
onclick handler attached to the anchor it will run before the WebExtensions' onclick handler or after it.
Thanks @Has now I have my head around the spoof issue @Deliver talking about I can see how it would work.
The current InMemory example on my repo or my personal website https://www.liamraper.me.uk/SignIn is a good place to see this.
Also there the link https://www.grc.com/sqrl/nospoof.htm and do the anti-spoof page although I think @Steve's client is the only one to do the spoof check from my testing.
Funny, the Chrome extension has a warning on https://www.grc.com/sqrl/nospoof.htm but not on https://www.liamraper.me.uk/SignIn.
The GRC client does have a warning on https://www.liamraper.me.uk/SignIn when using Edge and doesn't pop up at all when using Chrome.
The GRC client does have a warning on https://www.liamraper.me.uk/SignIn when using Edge and doesn't pop up at all when using Chrome.
Just to make sure when you say GRCs not showing at all in Chrome you have the chrome extention? Which until I have done the CSP stuff will intercept the only request to a SQRL client
@TechLiam on what grounds should my client trigger a spoof warning for your site?
My requests to
https://www.liamraper.me.uk/login-sqrl?nut=XXXX return a tif=00000005 which i interpret as tif=5 which is 1 + 4, ID_MATCH + IP_MATCH.
That was my thinking as well as the Id is a new one I say it matches as I allow creation of users and your IP will match as your on the same public network. The GRC client seams to not send CSP in opts unless you do the .gif image request to it where as if I remember from my testing of the Firefox (I haven't been able to do chrome yet) plugin you send it anyway as you know your on the browser so has to be the same device or that why I assumed you did that
Well that is very interesting so to summarise on my end what i have figured out
To stop the spoof warning in the GRC client you have to make the http://localhost:25519/*.gif query (which i knew already just was having issues with CORS https://sqrl.grc.com/threads/the-ht...ry-and-cors-same-origin-same-site-policy.910/). After the help @Jaap gave me on the thread https://sqrl.grc.com/threads/the-ht...ry-and-cors-same-origin-same-site-policy.910/ now using the following code
When you click the login link in FireFox/IE/Edge it will not show the spoof message.
When you click the login link in Chrome it will show the spoof message this is due to Chrome blocking the image request (see attacked GRC spoof failing.png)
As can be seen in the FireFox screenshot the image request is successful and when i enter my password it logs me in with out a spoof warning where as Chrome is showing the warning screen.
I have tried http/https and sqrl for the schemes for the image request but all fail in the same way I have updated the custom login page example in the repo here https://github.com/TechLiam/SQRL-For-Dot-Net-Standard/tree/master/Examples/CustomLoginPage with this change as it working in most of the browsers.
It was interesting that Chrome failing on the GRC diagnostics page.
The screenshots are of the GRC site as that was the best way for me to ensure we all have a clean testing bed for working this issue out but the example site in the middlewares repo also have the same result
I have also updated my personal website to use the gif query as well which works well for my FireFox/IE/Edge as far as login goes
To stop the spoof warning in the GRC client you have to make the http://localhost:25519/*.gif query (which i knew already just was having issues with CORS https://sqrl.grc.com/threads/the-ht...ry-and-cors-same-origin-same-site-policy.910/). After the help @Jaap gave me on the thread https://sqrl.grc.com/threads/the-ht...ry-and-cors-same-origin-same-site-policy.910/ now using the following code
JavaScript:
var gifProbe = new Image();
gifProbe.onload = function() {
// e.getAttribute("sqrl-href") is the base64 URL
document.location.href = "https://localhost:25519/"+ e.getAttribute("sqrl-href");
};
gifProbe.onerror = function() {
setTimeout( function(){ gifProbe.src = "https://localhost:25519/" + Date.now() + '.gif'; }, 250 );
};
gifProbe.onerror();When you click the login link in FireFox/IE/Edge it will not show the spoof message.
When you click the login link in Chrome it will show the spoof message this is due to Chrome blocking the image request (see attacked GRC spoof failing.png)
As can be seen in the FireFox screenshot the image request is successful and when i enter my password it logs me in with out a spoof warning where as Chrome is showing the warning screen.
I have tried http/https and sqrl for the schemes for the image request but all fail in the same way I have updated the custom login page example in the repo here https://github.com/TechLiam/SQRL-For-Dot-Net-Standard/tree/master/Examples/CustomLoginPage with this change as it working in most of the browsers.
It was interesting that Chrome failing on the GRC diagnostics page.
The screenshots are of the GRC site as that was the best way for me to ensure we all have a clean testing bed for working this issue out but the example site in the middlewares repo also have the same result
I have also updated my personal website to use the gif query as well which works well for my FireFox/IE/Edge as far as login goes
Attachments
Last edited:
Having look into this some more it seams my Chrome browser might be doing some HSTS stuff so forcing the .gif request to be over HTTPS which the GRC client is not to respond to (rightly as its not a secure connection there would be no cert).
In Postman I can make the request to http://localhost:25519/*.gif and get 200 OK back but to https://localhost:25519/*.gif i get a long long time waiting which results in a time out in a browser.
In Postman I can make the request to http://localhost:25519/*.gif and get 200 OK back but to https://localhost:25519/*.gif i get a long long time waiting which results in a time out in a browser.
Ok I'm happy to call it a local issue unless anyone else reports issues with this but it probably to do with my computerate controlled Chrome as i just started an Azure VM that i have and installed Chrome and GRC's SQRL client and looking in developer tools for that it is successful in the image request for my personal site so works as @DEllner highlighted it should.
I would have not noticed this as my testing in Chrome was always showing the spoof message just shows testing every browser is not everything you should do I will be doing more testing on that VM from now on in.
I would have not noticed this as my testing in Chrome was always showing the spoof message just shows testing every browser is not everything you should do I will be doing more testing on that VM from now on in.
