Re: [webauthn] callerOrigin isn't actually the origin of the caller; it's the origin of the callee

Issue #241 was not helpful in figuring out why the *caller's* origin 
check is appropriate. Stated another way, given

```js
// inside window1
window2.navigator.webAuthentication.makeCredential.call(
  window3.navigator.webAuthentication,
  ...
);
```

why is window1 the window whose origin matters? In general in the 
platform we would check the origin of window3 here.

postMessage() is a special case since *its entire purpose is 
communicating across origins*. Even so, its checking of the incumbent 
settings object is a legacy special case that we would eliminate if we
could, and some browsers still have hopes of doing so eventually.

-- 
GitHub Notification of comment by domenic
Please view or discuss this issue at 
https://github.com/w3c/webauthn/issues/271#issuecomment-269661496 
using your GitHub account

Received on Thursday, 29 December 2016 17:13:20 UTC