W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2018

Re: Proposal: https://example.com/.well-known/modify-credentials

From: Mike West <mkwst@google.com>
Date: Tue, 10 Apr 2018 06:08:36 +0000
Message-ID: <CAKXHy=cBChDoh9Gb8Ko6fENmTXZu-g-J8GOjmpR5UNp31kRK+w@mail.gmail.com>
To: Dan Veditz <dveditz@mozilla.com>
Cc: John Wilander <wilander@apple.com>, Brad Hill <hillbrad@gmail.com>, Jeffrey Yasskin <jyasskin@google.com>, Web Application Security Working Group <public-webappsec@w3.org>
On Mon, Apr 9, 2018 at 9:18 PM Daniel Veditz <dveditz@mozilla.com> wrote:

> On Mon, Apr 9, 2018 at 9:21 AM, John Wilander <wilander@apple.com> wrote:
>> Native apps and password managers can just load the URL in the browser or
>> an in-app WebView instead of fetching the JSON, parse it, and then load the
>> page.
> Browsers or general purpose apps have to load it once (or a HEAD request
> at least) to see if it exists before showing the user that it's an option​,
> and then load it again when the user selects it. You can't present a Log-in
> button that goes to a 404 page. A site-specific app could rely on that URL
> existing, but then it could just as easily have some other site-specific
> URL built-in.
> But we don’t have strong opinions on this.
> ​I don't either. I'll ask our password manager folks to chime in.

If you're interested in doing something small today (and it sounds like
Jeff at AgileBits is similarly inclined), then I'd suggest that we do
something that's forward-compatible with something more robust tomorrow.
For example, you could reserve a nested path for the change redirect you
initially proposed (something like
`/.well-known/credentials/modification-form`), and reserve the parent
(`/.well-known/credentials/`) for future use. This leaves room for a more
interestingly complicated solution in the future (perhaps a manifest of
some sort could live at that URL, which browsers could consume?), while
enabling baby steps today.

I think I agree with mnot@, by the way, that it would be totally possible
to build in some hidden metadata to each sign-in form which passed
information about change forms to a password manager. My intuition is that
that would have lower adoption by developers, as it would require actual
changes to their application, rather than the injection of a redirect at a
higher layer. It might be useful to talk with developers on this point.

Received on Tuesday, 10 April 2018 06:09:17 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:55:03 UTC