Re: [webauthn] feature policy integration (#1214)

@emlun 
> Do we also need to say something about what this means for what RP IDs are permitted in various contexts?

short answer: I don't think so.  

long answer: The [RP ID](https://w3c.github.io/webauthn/#rp-id) text itself takes into account only the caller's effective domain et al. It does not discuss cross-originess.

longer answer: we need to think thru the ramifications of feature-policy's cross-origin enablement-ness.  e.g., if credman+webauthn is invoked from a context that is _not_ `SameOriginWithAncestors`, though, _is_ "allowed to run", _should_ it run?  Various folks are asking for the answer to be "yes, it should run".  This would impact the language wrt `SameOriginWithAncestors` within the #createCred and #getAssertion algs.

Also, some guidance we've heard wrt enabling webauthn in cross-origin nested browsing contexts is that a key aspect to it will be materializing some guidance to the user, like having the UA and/or authenticator materialize a UX that clearly designates the context of such cross-origin interactions to users, i.e., we need to explain to users that their login to example.com is being handled by foobar.baz and it's legit, and that it's under UA control and not a phish.

-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1214#issuecomment-491391966 using your GitHub account

Received on Friday, 10 May 2019 18:43:04 UTC
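The situation the comment above is weighing, a frame that feature policy says is "allowed to run" but that is not `SameOriginWithAncestors`, can be made concrete with a small model of how the policy resolves for a nested browsing context. The code below is an added example written for this thread; it is not code from the WebAuthn spec, from PR #1214, or from the w3c/webauthn repository. It assumes the feature name `publickey-credentials-get` with a default allowlist of `'self'`, uses the Feature-Policy ASCII syntax for both the response header and the iframe `allow` attribute, and applies the inheritance rules in simplified form (in particular, it assumes the `allow` attribute is what delegates the feature to a cross-origin frame). The example.com / foobar.baz scenario is constructed from the comment's own illustration.

```javascript
// Added example (not from the WebAuthn spec or w3c/webauthn): a simplified model
// of feature-policy resolution for a nested browsing context, next to WebAuthn's
// sameOriginWithAncestors check, to show that the two questions are independent.
// Assumptions: feature "publickey-credentials-get" with default allowlist 'self';
// Feature-Policy ASCII syntax for header and `allow` attribute; delegation to a
// cross-origin frame happens only through the `allow` attribute.

const FEATURE = "publickey-credentials-get";

// Parse "feature 'self' https://a.example; other 'none'" into { feature: allowlist }.
// An allowlist is "*" or an array of "self" | "src" | origin. `emptyDefault` is used
// when a feature is listed with no allowlist ('src' for allow attributes, 'none' for headers).
function parseFeaturePolicy(text, emptyDefault) {
  const out = {};
  for (const decl of text.split(";")) {
    const parts = decl.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...items] = parts;
    if (items.length === 0) items.push(emptyDefault);
    if (items.includes("*")) { out[name] = "*"; continue; }
    out[name] = items
      .map((item) => item.replace(/^'|'$/g, "")) // 'self' -> self
      .filter((item) => item !== "none");        // 'none' yields an empty allowlist
  }
  return out;
}

// 'self' refers to the document that declared the policy (the parent, for an
// allow attribute); 'src' refers to the embedded frame's own origin.
function allowlistMatches(allowlist, origin, selfOrigin, srcOrigin) {
  if (allowlist === "*") return true;
  return allowlist.some((entry) =>
    entry === "self" ? origin === selfOrigin :
    entry === "src" ? origin === srcOrigin :
    entry === origin);
}

// A browsing context: { origin, header, allow, parent }
//   header: Feature-Policy header on this document's response ("" if none)
//   allow:  `allow` attribute of the iframe that embeds it ("" if none or top-level)
function isFeatureEnabled(ctx, feature, origin) {
  const declared = parseFeaturePolicy(ctx.header, "'none'");
  if (feature in declared) {
    return allowlistMatches(declared[feature], origin, ctx.origin, ctx.origin);
  }
  return inheritedPolicy(ctx, feature, origin);
}

function inheritedPolicy(ctx, feature, origin) {
  if (!ctx.parent) return true; // top-level document: enabled for its own origin
  const parent = ctx.parent;
  // A parent that lacks the feature cannot delegate it further down.
  if (!isFeatureEnabled(parent, feature, parent.origin)) return false;
  const container = parseFeaturePolicy(ctx.allow, "'src'");
  if (feature in container) {
    return allowlistMatches(container[feature], origin, parent.origin, ctx.origin);
  }
  // Not delegated via `allow`: fall back to the feature's default allowlist, 'self'.
  return origin === parent.origin;
}

// WebAuthn's sameOriginWithAncestors flag: true only when every ancestor
// browsing context shares the caller's origin.
function sameOriginWithAncestors(ctx) {
  for (let p = ctx.parent; p; p = p.parent) {
    if (p.origin !== ctx.origin) return false;
  }
  return true;
}

// The two facts the thread is weighing, side by side.
function evaluate(ctx) {
  return {
    allowed: isFeatureEnabled(ctx, FEATURE, ctx.origin),
    sameOriginWithAncestors: sameOriginWithAncestors(ctx),
  };
}

// Constructed scenario: example.com embeds a login frame served by foobar.baz.
const top = { origin: "https://example.com", header: "", allow: "", parent: null };
const frameNoAllow = { origin: "https://foobar.baz", header: "", allow: "", parent: top };
const frameDelegated = { origin: "https://foobar.baz", header: "", allow: "publickey-credentials-get", parent: top };
const frameSelfOnly = { origin: "https://foobar.baz", header: "", allow: "publickey-credentials-get 'self'", parent: top };
const lockedTop = { origin: "https://example.com", header: "publickey-credentials-get 'none'", allow: "", parent: null };
const frameUnderLockedTop = { origin: "https://foobar.baz", header: "", allow: "publickey-credentials-get", parent: lockedTop };
const sameOriginFrame = { origin: "https://example.com", header: "", allow: "", parent: top };

for (const [name, ctx] of Object.entries({ top, frameNoAllow, frameDelegated, frameSelfOnly, frameUnderLockedTop, sameOriginFrame })) {
  console.log(name, evaluate(ctx));
}
```

`frameDelegated` is the case the comment describes: the feature is allowed in the foobar.baz frame, yet `sameOriginWithAncestors` is false, so whether the request should proceed is a WebAuthn decision layered on top of the policy result, not something the policy answers by itself. `frameUnderLockedTop` shows the other direction: once example.com's own header disables the feature, no `allow` attribute on a child can re-enable it.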