W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2018

Re: Proposal: https://example.com/.well-known/modify-credentials

From: Mike West <mkwst@google.com>
Date: Tue, 10 Apr 2018 06:08:36 +0000
Message-ID: <CAKXHy=cBChDoh9Gb8Ko6fENmTXZu-g-J8GOjmpR5UNp31kRK+w@mail.gmail.com>
To: Dan Veditz <dveditz@mozilla.com>
Cc: John Wilander <wilander@apple.com>, Brad Hill <hillbrad@gmail.com>, Jeffrey Yasskin <jyasskin@google.com>, Web Application Security Working Group <public-webappsec@w3.org>
On Mon, Apr 9, 2018 at 9:18 PM Daniel Veditz <dveditz@mozilla.com> wrote:

> On Mon, Apr 9, 2018 at 9:21 AM, John Wilander <wilander@apple.com> wrote:
>
>> Native apps and password managers can just load the URL in the browser or
>> an in-app WebView instead of fetching the JSON, parse it, and then load the
>> page.
>>
>
> Browsers or general purpose apps have to load it once (or a HEAD request
> at least) to see if it exists before showing the user that it's an option​,
> and then load it again when the user selects it. You can't present a Log-in
> button that goes to a 404 page. A site-specific app could rely on that URL
> existing, but then it could just as easily have some other site-specific
> URL built-in.
>
> But we don’t have strong opinions on this.
>>
>
> ​I don't either. I'll ask our password manager folks to chime in.
>

If you're interested in doing something small today (and it sounds like
Jeff at AgileBits is similarly inclined), then I'd suggest that we do
something that's forward-compatible with something more robust tomorrow.
For example, you could reserve a nested path for the change redirect you
initially proposed (something like
`/.well-known/credentials/modification-form`), and reserve the parent
(`/.well-known/credentials/`) for future use. This leaves room for a more
interestingly complicated solution in the future (perhaps a manifest of
some sort could live at that URL, which browsers could consume?), while
enabling baby steps today.

I think I agree with mnot@, by the way, that it would be totally possible
to build in some hidden metadata to each sign-in form which passed
information about change forms to a password manager. My intuition is that
that would have lower adoption by developers, as it would require actual
changes to their application, rather than the injection of a redirect at a
higher layer. It might be useful to talk with developers on this point.

-mike
Received on Tuesday, 10 April 2018 06:09:17 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 10 April 2018 06:09:18 UTC