W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2018

Re: Proposal: https://example.com/.well-known/modify-credentials

From: Daniel Veditz <dveditz@mozilla.com>
Date: Mon, 9 Apr 2018 12:12:53 -0700
Message-ID: <CADYDTCDo3XEPoQY8TZWLD=1Yq99pjr3W7kmRyR3W4yv1WX5+Dw@mail.gmail.com>
To: John Wilander <wilander@apple.com>
Cc: Brad Hill <hillbrad@gmail.com>, Jeffrey Yasskin <jyasskin@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Apr 9, 2018 at 9:21 AM, John Wilander <wilander@apple.com> wrote:

> Native apps and password managers can just load the URL in the browser or
> an in-app WebView instead of fetching the JSON, parse it, and then load the
> page.

Browsers or general purpose apps have to load it once (or a HEAD request at
least) to see if it exists before showing the user that it's an option​,
and then load it again when the user selects it. You can't present a Log-in
button that goes to a 404 page. A site-specific app could rely on that URL
existing, but then it could just as easily have some other site-specific
URL built-in.

But we don’t have strong opinions on this.

​I don't either. I'll ask our password manager folks to chime in.

-Dan Veditz
Received on Monday, 9 April 2018 19:13:41 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:55:03 UTC