I'm trying to register a FIDO2 device in Mailcow using Firefox 95.0.2. When trying to do so, the Registration Status field announces:
The operation is insecure.
I've managed to track the error down to this line:
return navigator.credentials.create(createCredentialArgs);
Where createCredentialArgs is:
{"publicKey":{"rp":{"name":"WebAuthn Library","id":"subdomain.domain.tld:port"},"authenticatorSelection":{"userVerification":"preferred","requireResidentKey":true},"user":{"id":"=?BINARY?B?YWRtaW4=?=","name":"admin","displayName":"admin"},"pubKeyCredParams":[{"type":"public-key","alg":-7},{"type":"public-key","alg":-257}],"attestation":"direct","extensions":{"exts":true},"timeout":30000,"challenge":"=?BINARY?B?AJpcm\/8fHdnFDt60yDig2j14XLKtQmJfvslXLPIFj0g=?=","excludeCredentials":[]}}
The server uses a custom CA certificate present on the Mailcow installation, the client's host and Firefox.
Any ideas on why?
After doing some more testing with Edge (and discovering the "thisisunsafe" trick), I've discovered that WebAuthn isn't a big fan of ports.
So, it didn't like: "id":"subdomain.domain.tld:port".
Putting $_SERVER['SERVER_NAME'] where $_SERVER['HTTP_HOST'] was when initializing the $WebAuthn variable fixed the issue.
Basically navigator.credentials.create() doesn't accept ids with ports.
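Added example (not part of the original post or of Mailcow's code): a pre-flight check that an rp.id is a bare domain equal to, or a parent of, the page's host, which is the condition WebAuthn enforces before creating a credential. The function names, hostnames and port are constructed for illustration.

```javascript
// Added example. Sample hostnames and ports are constructed values.

// Check an rp.id against the page origin before calling
// navigator.credentials.create(). Returns { ok, rpId, reason }.
function checkRpId(rpId, origin) {
  // URL.hostname never includes the port, unlike URL.host.
  const host = new URL(origin).hostname.toLowerCase();
  const candidate = String(rpId).toLowerCase();

  // An RP ID is a bare domain: no scheme, port, path, query or userinfo.
  if (candidate === "" || /[:\/@?#]/.test(candidate)) {
    return { ok: false, rpId: null,
             reason: "rp.id must be a bare domain (no scheme, port or path)" };
  }
  // It must equal the host or be a parent domain of it. The match is on a
  // label boundary, so "ample.test" does not match "mail.example.test".
  // Browsers also reject public suffixes such as "com"; not checked here.
  if (candidate !== host && !host.endsWith("." + candidate)) {
    return { ok: false, rpId: null,
             reason: "rp.id is not the origin host or a parent domain of it" };
  }
  return { ok: true, rpId: candidate, reason: null };
}

// Derive a port-free rp.id from a Host header style value ("name:port").
function rpIdFromHostHeader(hostHeader) {
  return new URL("https://" + hostHeader).hostname.toLowerCase();
}

// Constructed sample: the failing shape from the question, then the fix.
const origin = "https://mail.example.test:8443";
console.log(checkRpId("mail.example.test:8443", origin)); // ok: false
console.log(checkRpId(rpIdFromHostHeader("mail.example.test:8443"), origin)); // ok: true
```

The Host header is supplied by the client, so on the server a configured hostname is a safer source for rp.id than a value derived from the request.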