How about we do something akin to domain lowering:

```
dictionary CredentialOptions {
    unsigned long timeoutSeconds;
    DOMString rpId;
    sequence<CredentialDescription> excludeList;
    WebAuthnExtensions extensions;
};
```

rpId would be optional, and if left unspecified, the caller's origin shall be used. If it *is* specified, then valid values are postfixes of the caller's origin, up to - but no further than - eTLD+1.

We'd have to define what happens to the scheme and port of the caller's origin, but I assume domain lowering already deals with this in some way (i.e., both http://foo.example.com:1234 and https://foo.example.com:9876 are allowed to lower to "example.com").

--
GitHub Notification of comment by balfanz
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/162#issuecomment-243838435 using your GitHub account

Received on Wednesday, 31 August 2016 17:28:26 UTC
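The rpId check proposed in the comment above, sketched as an added example (not code from the thread or from the WebAuthn specification). The function names and the tiny public-suffix set are hypothetical stand-ins, and dropping scheme and port is an assumption, since the comment leaves that open. It also matches on whole labels, so "ample.com" is rejected for "foo.example.com".

```javascript
// Constructed stand-in for the Public Suffix List; a real check needs the full list.
const SAMPLE_PUBLIC_SUFFIXES = new Set(["com", "uk", "co.uk"]);

// True when `tail` equals `full` or is a suffix of it on a label boundary.
function isLabelSuffix(full, tail) {
  return full === tail || full.endsWith("." + tail);
}

// Registrable domain (eTLD+1) of `host`, or null if `host` is itself a
// public suffix or matches nothing in the suffix set.
function registrableDomain(host, suffixes) {
  const labels = host.split(".");
  // Walk from the longest candidate suffix to the shortest.
  for (let i = 0; i < labels.length; i++) {
    if (suffixes.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Hypothetical helper: returns the effective rpId, or null if the requested
// value is not allowed for this caller.
function resolveRpId(callerOrigin, rpId, suffixes = SAMPLE_PUBLIC_SUFFIXES) {
  // Assumption: scheme and port are ignored and only the host is compared.
  const host = new URL(callerOrigin).hostname;
  if (rpId === undefined) {
    return host; // unspecified: fall back to the caller (host part shown here)
  }
  const id = rpId.toLowerCase();
  const etld1 = registrableDomain(host, suffixes);
  if (etld1 === null) {
    return null; // no registrable domain to bound the lowering
  }
  // The rpId must be a suffix of the caller's host, and must not be
  // shorter than eTLD+1 (so it must itself end with eTLD+1).
  if (isLabelSuffix(host, id) && isLabelSuffix(id, etld1)) {
    return id;
  }
  return null;
}
```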