From 567d5ee7f1f82cd0cf03cf61686fc4202d5f5205 Mon Sep 17 00:00:00 2001
From: Ryan Hiebert
Date: Sat, 3 Aug 2024 11:22:29 -0500
Subject: [PATCH 1/2] Allow localhost subdomains
---
 fido2/rpid.py | 6 +++++-
 tests/test_rpid.py | 8 ++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/fido2/rpid.py b/fido2/rpid.py
index 2f81fb9..9091215 100644
--- a/fido2/rpid.py
+++ b/fido2/rpid.py
@@ -65,7 +65,11 @@ def verify_rp_id(rp_id: str, origin: str) -> bool:
 # Note that Webauthn requires a secure context, i.e. an origin with https scheme.
 # However, most browsers also treat http://localhost as a secure context. See
 # https://groups.google.com/a/chromium.org/g/blink-dev/c/RC9dSw-O3fE/m/E3_0XaT0BAAJ
- if url.scheme != "https" and (url.scheme, host) != ("http", "localhost"):
+ if (
+ url.scheme != "https"
+ and (url.scheme, host) != ("http", "localhost")
+ and not (url.scheme == "http" and host.endswith(".localhost"))
+ ):
 return False
 if host == rp_id:
 return True
diff --git a/tests/test_rpid.py b/tests/test_rpid.py
index fae423b..902db08 100644
--- a/tests/test_rpid.py
+++ b/tests/test_rpid.py
@@ -58,3 +58,11 @@ def test_suffix_list(self):
 self.assertTrue(
 verify_rp_id("example.appspot.com", "https://example.appspot.com")
 )
+
+ def test_localhost_http_secure_context(self):
+ # Localhost and subdomains are secure contexts in most browsers
+ self.assertTrue(verify_rp_id("localhost", "http://localhost"))
+ self.assertTrue(verify_rp_id("localhost", "http://example.localhost"))
+ self.assertTrue(verify_rp_id("example.localhost", "http://example.localhost"))
+ self.assertTrue(verify_rp_id("localhost", "http://localhost:8000"))
+
From 16d1115d66df8735e7533cd21715689f4c902f0b Mon Sep 17 00:00:00 2001
From: Ryan Hiebert
Date: Tue, 6 Aug 2024 12:36:20 +0000
Subject: [PATCH 2/2] Fix bugs from CI tests
---
 fido2/rpid.py | 2 +-
 tests/test_rpid.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/fido2/rpid.py b/fido2/rpid.py
index 9091215..3647b6f 100644
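Review bot: The comment block above the new condition still says only `http://localhost` is treated as a secure context, while the added clause `and not (url.scheme == "http" and host.endswith(".localhost"))` also exempts every `*.localhost` origin from the https requirement, so the why-comment no longer matches the check it explains. I would rewrite the second comment line as `# However, browsers also treat http://localhost and http://*.localhost as secure contexts. See` and, next to the Chromium thread, cite the W3C Secure Contexts "potentially trustworthy origin" rules, which list both the "localhost" and "*.localhost" host patterns. The comment should also state that this exemption relies on `*.localhost` names resolving to loopback (RFC 6761), since it is the one path on which a plain-http origin can satisfy the RP ID check. The body of verify_rp_id, where `url` and `host` are derived, starts before this hunk.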
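Review bot: The new test_localhost_http_secure_context asserts only the accepting side of the exemption; nothing pins where it must stop, which is the security-relevant boundary of a check that waives the https requirement. Unless it is covered elsewhere in the file, I would add `self.assertFalse(verify_rp_id("localhost", "http://localhost.example.com"))` and `self.assertFalse(verify_rp_id("example.com", "http://example.com"))`, so that a future loosening of the `.localhost` suffix match (for example a substring test) fails CI rather than silently accepting non-loopback http origins. A third case such as `http://evil.localhost.example.com` would make the suffix boundary explicit as well.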
--- a/fido2/rpid.py
+++ b/fido2/rpid.py
@@ -68,7 +68,7 @@ def verify_rp_id(rp_id: str, origin: str) -> bool:
 if (
 url.scheme != "https"
 and (url.scheme, host) != ("http", "localhost")
- and not (url.scheme == "http" and host.endswith(".localhost"))
+ and not (url.scheme == "http" and host and host.endswith(".localhost"))
 ):
 return False
 if host == rp_id:
diff --git a/tests/test_rpid.py b/tests/test_rpid.py
index 902db08..fd95470 100644
--- a/tests/test_rpid.py
+++ b/tests/test_rpid.py
@@ -65,4 +65,4 @@ def test_localhost_http_secure_context(self):
 self.assertTrue(verify_rp_id("localhost", "http://example.localhost"))
 self.assertTrue(verify_rp_id("example.localhost", "http://example.localhost"))
 self.assertTrue(verify_rp_id("localhost", "http://localhost:8000"))
-
+ self.assertFalse(verify_rp_id("localhost", "http://"))
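Review bot: The condition now spreads the single rule "plain http is acceptable only for loopback names" across three clauses that each repeat `url.scheme`, and the added `host and` reads as a truthiness trick rather than the None guard it is (presumably `host` comes from `url.hostname`, which is None for an origin like `http://`). Naming the predicate keeps the intent in one place: `is_local_http = url.scheme == "http" and host is not None and (host == "localhost" or host.endswith(".localhost"))`, then `if url.scheme != "https" and not is_local_http:` followed by `return False`. Behaviour is unchanged for None, empty and non-local hosts, including the `http://` case the new assertion in the test hunk covers. The rest of verify_rp_id, where `host` is derived and the suffix matching happens, lies outside this hunk.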