> the idea is to minimize the number of places one ever checks the caller's anything (especially origin). Why does this spec want to introduce a new way of doing so?

Rather than "a new way of doing so", it is a "new occurrence of doing so". Webapp programmers (nee authors) would not themselves be performing this check.

From what I have been able to figure out in investigating this issue, as well as others, such as #253 #254 #272 #276, we need to think about structuring the `makeCredential()` and `getAssertion()` algorithms more along the lines of [the `window.postMessage()` algorithm](https://html.spec.whatwg.org/#posting-messages) which also obtains its caller's origin and performs an origin check (and also handles going async).

The rationale behind performing a (caller's) origin check is documented in (closed) issue #241 which also references our discussion with the TAG regarding this.

thanks for your interest and help.

--
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/271#issuecomment-269660443 using your GitHub account

Received on Thursday, 29 December 2016 17:05:58 UTC