W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2018

Re: Proposal: https://example.com/.well-known/modify-credentials

From: Jeffrey Goldberg <jeff@agilebits.com>
Date: Thu, 12 Apr 2018 11:23:40 -0500
Message-Id: <2F5656BB-8F2F-40B2-8006-DE1B14027990@agilebits.com>
Cc: Dan Veditz <dveditz@mozilla.com>, John Wilander <wilander@apple.com>, Brad Hill <hillbrad@gmail.com>, Jeffrey Yasskin <jyasskin@google.com>, Web Application Security Working Group <public-webappsec@w3.org>
To: Mike West <mkwst@google.com>
On Apr 10, 2018, at 1:08 AM, Mike West <mkwst@google.com> wrote:

> If you're interested in doing something small today (and it sounds like Jeff at AgileBits is similarly inclined), then I'd suggest that we do something that's forward-compatible with something more robust tomorrow.

Absolutely. I want something that is dead easy to adopt today by site developers/maintainers. But I want to also treat this is a foot in the door for encouraging a more robust system to follow. The simple thing that we get people to use now should be extensible.

> For example, you could reserve a nested path for the change redirect you initially proposed (something like `/.well-known/credentials/modification-form`), and reserve the parent (`/.well-known/credentials/`) for future use. This leaves room for a more interestingly complicated solution in the future (perhaps a manifest of some sort could live at that URL, which browsers could consume?), while enabling baby steps today.


> I think I agree with mnot@, by the way, that it would be totally possible to build in some hidden metadata to each sign-in form which passed information about change forms to a password manager. My intuition is that that would have lower adoption by developers, as it would require actual changes to their application, rather than the injection of a redirect at a higher layer.

I share your intuition.

Received on Thursday, 12 April 2018 16:24:07 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:55:03 UTC