- From: J.C. Jones <jc@mozilla.com>
- Date: Tue, 20 Dec 2016 16:04:52 -0700
- To: W3C WebAuthn WG <public-webauthn@w3.org>
- Message-ID: <CAObDDPAnJ_s533ig5inrmBF9DrSQNfotUGTmJ1ZeNNS86TDcEw@mail.gmail.com>
Boris pointed out in Issue #256 [1] that our use of the *relaxing the same-origin restriction* procedure from HTML5.1 was under-specified in several ways, writing that it is "not clear whether [we] actually want the interaction with sandboxing that the document.domain setter has", nor "whether [we] actually want the behavior to be affected by previous document.domain set [operations]". Also, it wasn't clear if we should be pointing to the W3C version of the spec, or the WHATWG version.

This has proven a hang-up to me in my draft implementation for Firefox, too, so I've taken a stab at resolving this. Boris suggested we either work up-stream with one of the HTML5 WGs to pull the procedure out into a named algorithm, or copy it into our document. After some consideration, I decided to copy it so that we can explicitly define answers to Boris' questions above - particularly, what the interaction is between "relaxing" an rpId and previous calls to the setter for document.domain.

My PR, #314 [2], tries to answer these things by:

1. Extracting the procedure from WHATWG's HTML51 into a forked algorithm.
2. Adjusting said algorithm to operate on a Document's "original Domain" so as to be independent of previous document.domain set operations. This replaces the language of "effective domain".
3. Keeping the sandboxing interactions, though I'm not entirely versed in whether there are problematic corner cases here.

This change necessarily adds a normative reference to the Public Suffix List (which was transitively referenced via normative reference from HTML51 before), and also to the URL specification (also previously transitive from HTML51).

Unfortunately, I'll be on a plane tomorrow during our call. I trust everyone will make good use of the opportunity to make snide remarks on this PR. :)

[1] https://github.com/w3c/webauthn/issues/256#issue-187403182
[2] https://github.com/w3c/webauthn/pull/314
Received on Tuesday, 20 December 2016 23:05:45 UTC
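As an added illustration (not code from the PR, from Firefox, or from the WebAuthn spec), the following Python models HTML's "is a registrable domain suffix of or is equal to" check that the document.domain setter relies on, and then applies it to an rpId against a document's original domain as point 2 of the PR proposes. The `Document` class, the function names and the Public Suffix List subset are constructed for this example; the real list has wildcard and exception rules that are omitted here.

```python
import ipaddress
from dataclasses import dataclass

# Constructed subset of the Public Suffix List. The real list is far larger and has
# wildcard and exception rules, which this example does not implement.
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk", "github.io"}

def public_suffix(host: str) -> str:
    """Longest public suffix of `host`; falls back to the last label (implicit PSL rule)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return labels[-1]

def is_registrable_domain_suffix_or_equal(host_suffix: str, original_host: str) -> bool:
    """HTML's 'is a registrable domain suffix of or is equal to' check, the core of the
    document.domain setter: host_suffix must equal original_host, or be a dot-delimited
    suffix of it that is not itself a public suffix (so 'com' or 'co.uk' are refused)."""
    host_suffix, original_host = host_suffix.lower(), original_host.lower()
    if host_suffix == original_host:
        return True
    try:
        ipaddress.ip_address(original_host)
        return False  # an IP literal has no shorter domain it can be relaxed to
    except ValueError:
        pass
    if not original_host.endswith("." + host_suffix):
        return False
    return public_suffix(host_suffix) != host_suffix

@dataclass
class Document:
    original_domain: str   # host of the origin the document was created with
    effective_domain: str  # what document.domain currently reports

    def set_document_domain(self, new_domain: str) -> None:
        """Model of the document.domain setter: relaxes the effective domain, or fails."""
        if not is_registrable_domain_suffix_or_equal(new_domain, self.effective_domain):
            raise ValueError(f"SecurityError: cannot set document.domain to {new_domain!r}")
        self.effective_domain = new_domain

def rp_id_is_valid(doc: Document, rp_id: str) -> bool:
    """The PR's choice: check rpId against the document's *original* domain, so the answer
    does not depend on whether document.domain was set earlier in the document's life."""
    return is_registrable_domain_suffix_or_equal(rp_id, doc.original_domain)
```

Because `rp_id_is_valid` reads `original_domain`, calling `set_document_domain` on the model never changes which rpIds it accepts, whereas the same suffix check run against `effective_domain` would give a different answer after a relaxation.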