Re: Proposal: https://example.com/.well-known/modify-credentials from Daniel Veditz on 2018-04-09 (public-webappsec@w3.org from April 2018)

From: Daniel Veditz <dveditz@mozilla.com>
Date: Mon, 9 Apr 2018 12:12:53 -0700
To: John Wilander <wilander@apple.com>
Cc: Brad Hill <hillbrad@gmail.com>, Jeffrey Yasskin <jyasskin@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CADYDTCDo3XEPoQY8TZWLD=1Yq99pjr3W7kmRyR3W4yv1WX5+Dw@mail.gmail.com>

On Mon, Apr 9, 2018 at 9:21 AM, John Wilander <wilander@apple.com> wrote:

> Native apps and password managers can just load the URL in the browser or
> an in-app WebView instead of fetching the JSON, parse it, and then load the
> page.
>

Browsers or general purpose apps have to load it once (or a HEAD request at
least) to see if it exists before showing the user that it's an option,
and then load it again when the user selects it. You can't present a Log-in
button that goes to a 404 page. A site-specific app could rely on that URL
existing, but then it could just as easily have some other site-specific
URL built-in.

But we don’t have strong opinions on this.
>

I don't either. I'll ask our password manager folks to chime in.

-Dan Veditz

Received on Monday, 9 April 2018 19:13:41 UTC