Re: [webauthn] Clarify 127.0.0.1 in spec (#1204)

@emlun 

Sorry - let me try and get back to what I believe is the issue with the spec.  The spec is ambiguous as to the use of localhost as a valid origin for a secure context.  The reason it is ambiguous is that the Secure Context spec itself is ambiguous - see https://www.w3.org/TR/secure-contexts/#localhost.

The algorithm provided in the Secure Context spec makes a special allowance for 127.0.0.1 - see https://www.w3.org/TR/secure-contexts/#is-origin-trustworthy.  However, it is silent as to whether localhost can even be "potentially trustworthy."  So I filed an issue so that the spec can clarify this.  I don't believe it is constructive to file an issue without suggesting a potential resolution, so I did.  In hindsight, that was a mistake because we have now gone down several side explorations on DNS resolution, browser permissions, hosts files and self-signed certs.  This was all informative, but outside the scope of the spec.

The Chrome browser currently allows https://localhost but does not allow https://127.0.0.1 to access the Webauthn API (if I understood @agl correctly - sorry, I only do testing on FF so I have not confirmed myself).  To me, this does not seem to be consistent with the Secure Context algorithm(s) for determining if a domain is trustworthy or potentially-trustworthy.  If this is the expected browser behavior, then it should be called out in the spec - e.g. in the note in https://www.w3.org/TR/webauthn/#rp-id.  

Regarding any potential risks with RP ID that could occur modifying the hosts file, DNS entries, etc. - this could be documented as well - maybe in the Security Considerations section under a new section on domain authentication.  However, that is not what was intended when filing this issue.  That would be something to consider in a separate issue/PR.

-- 
GitHub Notification of comment by gmandyam
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1204#issuecomment-493564265 using your GitHub account

Received on Friday, 17 May 2019 19:02:36 UTC
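The distinction the comment above turns on, as an added illustration that is not part of the thread or of the W3C text: a Python sketch of the Secure Contexts "Is origin potentially trustworthy?" check. The loopback branch tests the host literal against 127.0.0.0/8 and ::1/128, as the spec does, so a hostname that merely resolves to loopback does not qualify; the `localhost_is_loopback` parameter is an assumed knob standing in for the gap the comment describes (the cited TR text does not say whether "localhost" qualifies).

```python
"""Added illustration of the Secure Contexts potentially-trustworthy-origin
check as it bears on 127.0.0.1 versus localhost. Not the spec's own code."""
import ipaddress
from urllib.parse import urlsplit

LOOPBACK_V4 = ipaddress.ip_network("127.0.0.0/8")
LOOPBACK_V6 = ipaddress.ip_network("::1/128")


def is_loopback_literal(host):
    """True only if host is an IP *literal* inside 127.0.0.0/8 or ::1/128.

    Names such as "localhost" or "127.0.0.1.example" are not literals and
    fail here regardless of what DNS or the hosts file would resolve them to.
    """
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return addr in LOOPBACK_V4 or addr in LOOPBACK_V6


def is_origin_potentially_trustworthy(origin, localhost_is_loopback=False):
    """Return "Potentially Trustworthy" or "Not Trustworthy" for an origin URL.

    localhost_is_loopback is an ASSUMED parameter: the spec text the thread
    cites is silent on "localhost", so the caller decides whether a UA that
    guarantees "localhost" never leaves the machine should accept it.
    """
    parts = urlsplit(origin)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    if not scheme:
        return "Not Trustworthy"            # opaque or unparsable origin
    if scheme in ("https", "wss"):
        return "Potentially Trustworthy"    # authenticated transport
    if scheme == "file":
        return "Potentially Trustworthy"    # local file origin
    if is_loopback_literal(host):
        return "Potentially Trustworthy"    # the 127.0.0.1 / ::1 allowance
    if localhost_is_loopback and (host == "localhost" or host.endswith(".localhost")):
        return "Potentially Trustworthy"    # assumed: UA pins localhost to loopback
    return "Not Trustworthy"
```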