[webauthn] Enforce strict same-origin policy on rpId

AngeloKai has just created a new issue for 

== Enforce strict same-origin policy on rpId ==
Hi everyone! I am a new PM at Edge. I work with Rob and @vijaybh 

The current spec sets the rpId to the caller’s origin by default and 
enables callers to explicitly set rpId to a broader scope no larger 
than the eTLD+1. In most cases, subdomains of the same eTLD+1 are 
indeed operated and controlled by the same entity. Thus credentials 
can be shared across subdomains. However, in certain cases, such as 
hosting sites, the subdomains may be operated by different entities 
and credentials generated by different domains shouldn’t be shared. 
Strict same origin policy should be enforced here so that credentials 
generated by one domain can only be used by that domain. 

Although adoption may be slightly hindered because some RP want to 
deploy across origins, we could always open up the policy if needed. 
It is a convenience rather than necessity. If we give callers the 
privilege to specify RP ID, we cannot take back the privilege later. 

Therefore, I proposed that we remove rpId from the IDL of 

Please view or discuss this issue at 
https://github.com/w3c/webauthn/issues/241 using your GitHub account

Received on Tuesday, 1 November 2016 19:10:15 UTC