[webauthn] Tighten security scope by port

annevk has just created a new issue for https://github.com/w3c/webauthn:

== Tighten security scope by port ==
@jeisinger has been looking at restricting cookies/document.domain further. Since those are relatively old features, I was wondering if we could start perhaps by tightening new features built upon the same concepts.

The idea is that instead of the scope being scheme and registrable domain, it's scheme, registrable domain, and port if the port is the default port for the scheme. So effectively add a bit to the comparison. (The scheme part isn't needed for WebAuthn as it's secure context only and is ignored for cookies, for what it's worth.)

However, given how https://w3c.github.io/webauthn/#rp-id is defined it seems port isn't even stored so this may not be possible to do?

cc @mikewest 

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/873 using your GitHub account

Received on Wednesday, 18 April 2018 07:25:49 UTC
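
An added illustration of the comparison proposed in the issue above (not code from the issue, the WebAuthn specification, or any browser): it reads "add a bit to the comparison" as an is-default-port flag carried in the scope key. PUBLIC_SUFFIXES is a constructed stand-in for the Public Suffix List, and registrableDomain, scopeKey and sameScope are hypothetical names.

```javascript
// Constructed, deliberately tiny stand-in for the Public Suffix List (assumption).
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk", "github.io"]);

// Registrable domain = longest matching public suffix plus one more label.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      // A bare public suffix has no registrable domain.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix or IP literal: no registrable domain
}

// tightened = false: scheme + registrable domain (the scope described as current).
// tightened = true:  the same plus one bit, "is the port the scheme's default?"
function scopeKey(origin, tightened) {
  const url = new URL(origin);
  const domain = registrableDomain(url.hostname);
  if (domain === null) return null;
  const scheme = url.protocol.slice(0, -1);
  // WHATWG URL parsing drops a scheme's default port, so "" means default.
  const portBit = url.port === "" ? "default-port" : "other-port";
  return tightened ? `${scheme}|${domain}|${portBit}` : `${scheme}|${domain}`;
}

function sameScope(a, b, tightened) {
  const ka = scopeKey(a, tightened);
  return ka !== null && ka === scopeKey(b, tightened);
}

// Constructed origin pairs, compared under both rules.
const PAIRS = [
  ["https://example.com", "https://login.example.com:443"],
  ["https://example.com", "https://example.com:8443"],
  ["https://example.com:8443", "https://app.example.com:9443"],
];
for (const [a, b] of PAIRS) {
  console.log(a, b, "current:", sameScope(a, b, false),
              "tightened:", sameScope(a, b, true));
}
```

Under this reading, a service on a non-default port no longer shares scope with the default-port site, while two different non-default ports still share scope with each other because only one bit is compared.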