- From: Jeffrey Yasskin <jyasskin@google.com>
- Date: Mon, 22 May 2017 09:07:25 -0700
- To: "=JeffH" <Jeff.Hodges@kingsmountain.com>
- Cc: W3C Web Authn WG <public-webauthn@w3.org>, Mike West <mkwst@chromium.org>
- Message-ID: <CANh-dXnx4Nidb7V_K+KJTqE0UmjNXawhXQCPVqN9oVuDfwQvzw@mail.gmail.com>
This advice comes from
https://html.spec.whatwg.org/#realms-settings-objects-global-objects, "In
general, web platform specifications should use the relevant concept,
applied to the object being operated on (usually the this value of the
current method)."
On Mon, May 22, 2017 at 9:02 AM, Jeffrey Yasskin <jyasskin@google.com>
wrote:
> The general thing to do is to use the relevant settings object of the
> 'this' object of the algorithm. In https://w3c.github.io/
> webauthn/#createCredential, [[Create]] is a method of
> the PublicKeyCredential interface object, so that wording's correct.In
> https://w3c.github.io/webauthn/#getAssertion, [[DiscoverFromExternalSource]]
> is also a method of the PublicKeyCredential interface object, so using the
> interface object's relevant settings object would be best there too.
>
> Credential Manager finds those interface objects in https://w3c.github.io/
> webappsec-credential-management/#credentialrequestoptions-
> relevant-credential-interface-objects, which despite being called
> "relevant ... objects", uses the *current* settings object to look up
> interface objects, which means that window1.navigator.credentials.
> get.call(window2.navigator.credentials, ...) will use
> window1.PublicKeyCredential whereas the *relevant* settings object would
> find window2.PublicKeyCredential. This wouldn't matter for uses of the
> origin, but I think because WebAuthn pokes at the effective domain, that
> can be different between the two windows.
>
> Still, I think WebAuthn should stick with the PublicKeyCredential
> interface's relevant settings object, and leave it to Credential Manager to
> call a method on the right interface object.
>
> Jeffrey
>
> On Thu, May 18, 2017 at 2:57 PM, =JeffH <Jeff.Hodges@kingsmountain.com>
> wrote:
>
>> I have some questions for the browser-guts/webIDL experts:
>>
>>
>> A) In section {#createCredential} we say..
>>
>> 1. Let |callerOrigin| be the [=environment settings object/origin=]
>> specified by this {{PublicKeyCredential}} [=interface object=]'s [=relevant
>> settings object=]. ...
>>
>> <https://github.com/w3c/webauthn/blob/22fb7d34a554e01139aa45
>> 8274743d24272f4c52/index.bs#L526>
>>
>>
>> B) In section {#getAssertion} we say..
>>
>> 1. Let |callerOrigin| be the [=environment settings object/origin=] of
>> this {{CredentialsContainer}} object's [=relevant settings object=].
>>
>> <https://github.com/w3c/webauthn/blob/22fb7d34a554e01139aa45
>> 8274743d24272f4c52/index.bs#L718>
>>
>>
>> Which one is correct? Perhaps neither?
>>
>> Q1. It seems to me that in (A), `this {{PublicKeyCredential}}` actually
>> ought to be `this {{CredentialsContainer}}` I.e., the same as (B)) ? Note
>> that CredMan hangs the create() and get() methods off of
>> `{{CredentialsContainer}}`, /not/ `{{Credential}}`.
>>
>> Q2. (B) lacks the term `[=interface object=]'s` that (A) has -- is (B)
>> incorrect?
>>
>> Q3. Any other issues with these assignment statements that y'all
>> expert-types see?
>>
>>
>> thanks!
>>
>> =JeffH
>>
>>
>>
>>
>>
>
Received on Monday, 22 May 2017 16:08:22 UTC