>> nominally steps 4 - 7 (inclusive) of the domain attribute setter defined hereabouts

> OK. So if a page is loaded from "https://foo.bar.com" and then sets document.domain to "bar.com", should it be able to use "foo.bar.com" as its rpId? Sounds to me like you're saying it shouldn't be able to....

Our present intent (if it is correct) is that even if "https://foo.bar.com" is loaded and then sets document.domain to "bar.com", it *would* still be able to assert "foo.bar.com" as its rpId.

--
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/256#issuecomment-268906588 using your GitHub account

Received on Thursday, 22 December 2016 22:39:40 UTC
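The behaviour described in the comment above, as an added example that is not part of the original thread or of any WebAuthn implementation: the rpId check is made against the host the page was loaded from, so a later `document.domain` relaxation does not change the result. The acceptance rule used here (rpId equals the origin host or is a registrable domain suffix of it), the `page` object, the function names and the tiny `PUBLIC_SUFFIXES` set are assumptions for illustration.

```javascript
// Added example. PUBLIC_SUFFIXES is a constructed stand-in for the real
// Public Suffix List; a real check would consult the full list.
const PUBLIC_SUFFIXES = new Set(["com", "uk", "co.uk"]);

// True when `candidate` equals `host` or is a registrable domain suffix of it.
// Assumed rule, see lead-in.
function isRegistrableSuffixOrEqual(candidate, host) {
  const c = candidate.toLowerCase();
  const h = host.toLowerCase();
  if (c === h) return true;
  if (c === "" || PUBLIC_SUFFIXES.has(c)) return false; // a bare public suffix is never valid
  return h.endsWith("." + c); // must match on a label boundary
}

// Check as the comment intends it: only the host from the page's original
// origin is consulted; page.documentDomain is deliberately ignored.
function rpIdAllowed(page, rpId) {
  return isRegistrableSuffixOrEqual(rpId, page.originHost);
}

// Contrasting check that keys on the relaxed document.domain value instead.
// It would refuse the page's own full host name once the domain is relaxed.
function rpIdAllowedUsingDocumentDomain(page, rpId) {
  return isRegistrableSuffixOrEqual(rpId, page.documentDomain);
}

// Constructed sample: loaded from https://foo.bar.com, then script sets
// document.domain to "bar.com".
const relaxedPage = { originHost: "foo.bar.com", documentDomain: "bar.com" };

function demo() {
  return ["foo.bar.com", "bar.com", "baz.bar.com", "oo.bar.com", "com"].map(
    (rpId) => ({
      rpId,
      byOrigin: rpIdAllowed(relaxedPage, rpId),
      byDocumentDomain: rpIdAllowedUsingDocumentDomain(relaxedPage, rpId),
    })
  );
}
```

In the constructed case, `foo.bar.com` is accepted by the origin-based check and refused by the `document.domain`-based one, which is the difference the question in the thread turns on.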