- From: Domenic Denicola via GitHub <sysbot+gh@w3.org>
- Date: Thu, 29 Dec 2016 17:13:14 +0000
- To: public-webauthn@w3.org
Issue #241 was not helpful in figuring out why the *caller's* origin check is appropriate. Stated another way, given ```js // inside window1 window2.navigator.webAuthentication.makeCredential.call(window3.navigator.webAuthentication, ...); ``` why is window1 the window whose origin matters? In general in the platform we would check the origin of window3 here. postMessage() is a special case since *its entire purpose is communicating across origins*. Even so, its checking of the incumbent settings object is a legacy special case that we would eliminate if we could, and some browsers still have hopes of doing so eventually. -- GitHub Notification of comment by domenic Please view or discuss this issue at https://github.com/w3c/webauthn/issues/271#issuecomment-269661496 using your GitHub account
Received on Thursday, 29 December 2016 17:13:20 UTC