- From: =JeffH via GitHub <sysbot+gh@w3.org>
- Date: Thu, 29 Dec 2016 17:05:52 +0000
- To: public-webauthn@w3.org
> the idea is to minimize the number of places one ever checks the caller's anything (especially origin). Why does this spec want to introduce a new way of doing so?

Rather than "a new way of doing so", it is a "new occurrence of doing so". Webapp programmers (née authors) would not themselves be performing this check.

From what I have been able to figure out in investigating this issue, as well as others, such as #253 #254 #272 #276, we need to think about structuring the `makeCredential()` and `getAssertion()` algorithms more along the lines of [the `window.postMessage()` algorithm](https://html.spec.whatwg.org/#posting-messages), which also obtains its caller's origin and performs an origin check (and also handles going async).

The rationale behind performing a (caller's) origin check is documented in (closed) issue #241, which also references our discussion with the TAG regarding this.

thanks for your interest and help.

--
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/271#issuecomment-269660443 using your GitHub account
Received on Thursday, 29 December 2016 17:05:58 UTC