W3C home > Mailing lists > Public > public-webauthn@w3.org > December 2016

Re: [webauthn] callerOrigin isn't actually the origin of the caller; it's the origin of the callee

From: =JeffH via GitHub <sysbot+gh@w3.org>
Date: Thu, 29 Dec 2016 17:05:52 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-269660443-1483031150-sysbot+gh@w3.org>
> the idea is to minimize the number of places one ever checks the 
caller's anything (especially origin). Why does this spec want to 
introduce a new way of doing so?

Rather than "a new way of doing so", it is a "new occurrence of doing 
so". Webapp programmers (nee authors) would not themselves be 
performing this check.  From what I have been able to figure out in 
investigating this issue, as well as others, such as #253 #254 #272 
#276, we need to think about structuring the `makeCredential()` and 
`getAssertion()` algorithms more along the lines of [the 
algorithm](https://html.spec.whatwg.org/#posting-messages) which also 
obtains its caller's origin and performs an origin check (and also 
handles going async). 

The rationale behind performing a (caller's) origin check is 
documented in (closed) issue #241 which also references our discussion
 with the TAG regarding this. 

thanks for your interest and help.  

GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at 
using your GitHub account
Received on Thursday, 29 December 2016 17:05:58 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:24 UTC