[webauthn] Pull Request: Fix #1285 - Remove icons from PublicKeyCredentialEntity

jcjones has just submitted a new pull request for https://github.com/w3c/webauthn:

== Fix #1285 - Remove icons from PublicKeyCredentialEntity ==
As discussed in issue #1285, the image URL fields for PublicKeyCredentialEntity,
while intended for user interface design, are potent correlation mechanisms if
they are downloaded by RPs. RPs would have to take extraordinary care, beyond
reasonable measures, to avoid uses by RPs with mal-intent to cross-correlate
accounts. It is better for User Agents to use existing origin/icon mechanisms for
their UX designs, or to define new such mechanisms as needed, that are
origin-wide rather than provide the possibility to embed detailed tracking
information into these URLs.

See https://github.com/w3c/webauthn/pull/1337

Received on Tuesday, 29 October 2019 21:43:44 UTC
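
The change described above, seen from the side of code that builds creation options, as an added example that is not part of the pull request or the WebAuthn specification: a JavaScript helper that removes the `icon` member from the `rp` and `user` entities and reports what it removed. The names `stripEntityIcons` and `describeIcon`, the wording of the notes, and all sample values are assumptions made for this sketch.

```javascript
// Added example, not from the pull request: drop the `icon` member that
// WebAuthn Level 1 defined on PublicKeyCredentialEntity (rp and user).
// stripEntityIcons / describeIcon are hypothetical helper names.
const ENTITY_KEYS = ["rp", "user"];

// Record why a removed icon URL deserves a look in review.
function describeIcon(entity, value) {
  const finding = { entity, value, notes: [] };
  let url;
  try {
    url = new URL(value);
  } catch {
    finding.notes.push("not an absolute URL");
    return finding;
  }
  if (url.protocol === "data:") {
    finding.notes.push("inline data: URL");
    return finding;
  }
  if (url.search) finding.notes.push("query string present");
  if (url.hash) finding.notes.push("fragment present");
  return finding;
}

// Returns a shallow copy of the options without icons; the input is not mutated.
function stripEntityIcons(options) {
  const cleaned = { ...options };
  const findings = [];
  for (const key of ENTITY_KEYS) {
    const entity = options[key];
    if (!entity || typeof entity !== "object" || !("icon" in entity)) continue;
    const { icon, ...rest } = entity;
    cleaned[key] = rest;
    findings.push(describeIcon(key, String(icon)));
  }
  return { cleaned, findings };
}

// Constructed sample input (all values invented for this example).
const sampleOptions = {
  rp: { id: "example.test", name: "Example RP",
        icon: "https://cdn.example.test/logo.png?u=12345" },
  user: { id: new Uint8Array([1, 2, 3, 4]), name: "alex", displayName: "Alex",
          icon: "data:image/png;base64,AAAA" },
  challenge: new Uint8Array(16),
  pubKeyCredParams: [{ type: "public-key", alg: -7 }],
};
const sampleResult = stripEntityIcons(sampleOptions);
console.log(sampleResult.findings);
```

The `cleaned` object is what would be passed as `publicKey` to `navigator.credentials.create()`; the findings are for review or logging only.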