- From: Angelo Liao via GitHub <sysbot+gh@w3.org>
- Date: Tue, 01 Nov 2016 19:10:09 +0000
- To: public-webauthn@w3.org
AngeloKai has just created a new issue for https://github.com/w3c/webauthn:

== Enforce strict same-origin policy on rpId ==

Hi everyone! I am a new PM at Edge. I work with Rob and @vijaybh.

The current spec sets the rpId to the caller's origin by default and enables callers to explicitly set rpId to a broader scope no larger than the eTLD+1. In most cases, subdomains of the same eTLD+1 are indeed operated and controlled by the same entity. Thus, credentials can be shared across subdomains. However, in certain cases, such as hosting sites, the subdomains may be operated by different entities, and credentials generated by different domains shouldn't be shared.

Strict same-origin policy should be enforced here so that credentials generated by one domain can only be used by that domain. Although adoption may be slightly hindered because some RPs want to deploy across origins, we could always open up the policy if needed. It is a convenience rather than a necessity. If we give callers the privilege to specify RP ID, we cannot take back the privilege later. Therefore, I propose that we remove rpId from the IDL of ScopedCredentialOptions.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/241 using your GitHub account
Received on Tuesday, 1 November 2016 19:10:15 UTC
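The two rpId policies the issue contrasts, written out as a client-side check. This is an added example, not code from the post, from the WebAuthn spec, or from any browser; the function names are hypothetical, and the Public Suffix List (which defines the eTLD+1 boundary) is replaced by a constructed three-entry sample. The hosting case the post worries about is the `alice.hosting.example` origin: `hosting.example` is not a public suffix in the sample, so the eTLD+1 rule lets a tenant widen its credential scope to the whole hosting domain, while the strict rule does not. Conversely, a hosting domain that is on the list (`github.io` in the sample) already cannot be used as an rpId by its tenants, so the practical exposure is hosting domains missing from the list.

```javascript
// Added example (not from the post or the WebAuthn spec): the two rpId
// policies discussed in the issue, as a checker a client could run before
// minting a credential for a caller origin.
//
// Constructed stand-in for the Public Suffix List; a real implementation
// must consult the full list.
const SAMPLE_PUBLIC_SUFFIXES = new Set(["com", "example", "github.io"]);

// Longest public suffix that matches the host, or null if none is known.
function publicSuffixOf(host) {
  const labels = host.split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (SAMPLE_PUBLIC_SUFFIXES.has(candidate)) return candidate;
  }
  return null;
}

// eTLD+1 ("registrable domain"): exactly one label more than the public
// suffix. Returns null when the host is itself a public suffix or its
// suffix is unknown, so no widening is possible.
function registrableDomain(host) {
  const suffix = publicSuffixOf(host);
  if (suffix === null || suffix === host) return null;
  const labels = host.split(".");
  const suffixLen = suffix.split(".").length;
  return labels.slice(labels.length - suffixLen - 1).join(".");
}

// True when rpId equals host or is a label-aligned suffix of it
// ("example.com" matches "login.example.com" but not "notexample.com").
function isDomainSuffix(host, rpId) {
  return host === rpId || host.endsWith("." + rpId);
}

// Policy in the draft the post describes: rpId defaults to the caller's
// host and may be widened to any suffix of it no larger than the eTLD+1.
function rpIdAllowedByEtldPlusOne(origin, rpId) {
  const host = new URL(origin).hostname;
  const effective = rpId === undefined ? host : rpId.toLowerCase();
  const etld1 = registrableDomain(host);
  if (etld1 === null) return effective === host;
  return isDomainSuffix(host, effective) && isDomainSuffix(effective, etld1);
}

// Policy proposed in the post: the credential is scoped to the caller's
// host only, so the caller cannot pick an rpId at all.
function rpIdAllowedStrictSameOrigin(origin, rpId) {
  const host = new URL(origin).hostname;
  return rpId === undefined || rpId.toLowerCase() === host;
}

// Side-by-side view of both policies for one caller and one requested rpId.
function comparePolicies(origin, rpId) {
  return {
    etldPlusOne: rpIdAllowedByEtldPlusOne(origin, rpId),
    strictSameOrigin: rpIdAllowedStrictSameOrigin(origin, rpId),
  };
}

// Example run: a tenant of a hosting provider asking to widen its scope.
console.log(comparePolicies("https://alice.hosting.example", "hosting.example"));
```

Under the eTLD+1 rule the hosting tenant's request succeeds, which is the sharing the post wants to rule out; under strict same-origin the rpId is effectively fixed to the caller's host and the `rpId` parameter has nothing left to do, which is why the post proposes dropping it from the IDL.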