
Re: [webauthn] callerOrigin isn't actually the origin of the caller; it's the origin of the callee

From: =JeffH via GitHub <sysbot+gh@w3.org>
Date: Thu, 29 Dec 2016 17:05:52 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-269660443-1483031150-sysbot+gh@w3.org>
> the idea is to minimize the number of places one ever checks the
> caller's anything (especially origin). Why does this spec want to
> introduce a new way of doing so?

Rather than "a new way of doing so", it is a "new occurrence of doing 
so". Webapp programmers (nee authors) would not themselves be 
performing this check.  From what I have been able to figure out in 
investigating this issue, as well as others, such as #253 #254 #272 
#276, we need to think about structuring the `makeCredential()` and 
`getAssertion()` algorithms more along the lines of [the 
`window.postMessage()` 
algorithm](https://html.spec.whatwg.org/#posting-messages) which also 
obtains its caller's origin and performs an origin check (and also 
handles going async). 

The rationale behind performing a (caller's) origin check is 
documented in (closed) issue #241 which also references our discussion 
with the TAG regarding this. 

thanks for your interest and help.  

-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at 
https://github.com/w3c/webauthn/issues/271#issuecomment-269660443 
using your GitHub account
Received on Thursday, 29 December 2016 17:05:58 UTC
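
The `window.postMessage()` pattern the message refers to, as an added example that is not part of the original message or of either specification: a simplified model in which the user agent, not the web app, obtains the caller's origin and performs the origin check. The window objects (`{ origin, inbox }`) and the function names are assumptions made for illustration; opaque origins and the real task queue are not modelled.

```javascript
// Simplified model of the origin handling in window.postMessage().
// Windows are plain objects { origin, inbox } (hypothetical); this is not browser code.

// Resolve the targetOrigin argument before any asynchronous work starts.
function resolveTargetOrigin(targetOrigin, callerOrigin) {
  if (targetOrigin === "/") return callerOrigin; // "/" means "same origin as the caller"
  if (targetOrigin === "*") return "*";          // no restriction on the recipient
  let parsed;
  try {
    parsed = new URL(targetOrigin);
  } catch (e) {
    // Browsers throw a "SyntaxError" DOMException here; a plain SyntaxError stands in.
    throw new SyntaxError("targetOrigin is not a valid URL");
  }
  return parsed.origin; // path, query and fragment are discarded
}

// The "user agent" side. callerWindow stands in for the incumbent settings
// object: the caller's origin is read from it, never passed in by script.
function postMessageModel(callerWindow, targetWindow, message, targetOrigin) {
  const callerOrigin = callerWindow.origin;
  const resolved = resolveTargetOrigin(targetOrigin, callerOrigin);

  // Stand-in for the queued task: the check runs against the target's origin
  // at delivery time, and a mismatch drops the message without an error.
  if (resolved !== "*" && resolved !== targetWindow.origin) {
    return false;
  }
  // The recipient sees the caller's origin as recorded by the user agent.
  targetWindow.inbox.push({ data: message, origin: callerOrigin });
  return true;
}

// Constructed sample windows.
function makeWindow(origin) {
  return { origin, inbox: [] };
}
```
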
