[webauthn] _rpId_ generation allows more relaxation of same-origin restrictions than document.domain does

bzbarsky has just created a new issue for https://github.com/w3c/webauthn:

== _rpId_ generation allows more relaxation of same-origin restrictions than document.domain does ==

Providing an rpId of "foo.com" would lead to a single rpId being allowed to be shared by "http://foo.com", "https://foo.com", and "https://foo.com:8080". The first may not be a problem because this API is secure context only, but is it intended that "https://foo.com" and "https://foo.com:8080" be able to share an rpId? If not, this needs to be fixed in the spec. If this is intended, it may be worth a note calling it out, because this is a quite surprising deviation from how same-origin policy normally works.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/260 using your GitHub account

Received on Friday, 4 November 2016 18:44:07 UTC
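As an added example (not code from the issue, the WebAuthn spec, or the w3c/webauthn project), the rpId-versus-origin check the issue describes, written against Node's URL parser, with the classic scheme/host/port comparison beside it for contrast; PUBLIC_SUFFIXES is a constructed stand-in for a real Public Suffix List lookup.

```javascript
// Added example: a relying-party check of whether a requested rpId may be
// used by a caller origin, following the WebAuthn rule that the rpId must
// equal the caller's effective domain or be a registrable-domain suffix of
// it. Scheme and port play no part, so "https://foo.com" and
// "https://foo.com:8080" share an rpId of "foo.com".

// Constructed stand-in for a Public Suffix List lookup (a real check would
// consult the full list); an rpId equal to a public suffix is rejected.
const PUBLIC_SUFFIXES = new Set(['com', 'org', 'net', 'co.uk']);

function rpIdValidForOrigin(rpId, origin) {
  let url;
  try { url = new URL(origin); } catch { return false; }
  // WebAuthn is limited to secure contexts.
  if (url.protocol !== 'https:' && url.hostname !== 'localhost') return false;
  const id = rpId.toLowerCase().replace(/\.$/, '');
  if (id === '' || PUBLIC_SUFFIXES.has(id)) return false;
  const host = url.hostname.toLowerCase();
  // Equal, or a suffix on a label boundary ("foo.com" covers "www.foo.com"
  // but not "notfoo.com").
  return host === id || host.endsWith('.' + id);
}

// Classic same-origin comparison: scheme, host and port must all match.
function sameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol &&
    ua.hostname === ub.hostname &&
    ua.port === ub.port;
}

// Evaluates each origin against the rpId and against the first origin in
// the list, so the two notions of "same" can be read side by side.
function compareOrigins(rpId, origins) {
  return origins.map((origin) => ({
    origin,
    rpIdValid: rpIdValidForOrigin(rpId, origin),
    sameOriginAsFirst: sameOrigin(origins[0], origin),
  }));
}

console.table(compareOrigins('foo.com', [
  'https://foo.com', 'https://foo.com:8080', 'http://foo.com',
  'https://www.foo.com', 'https://notfoo.com',
]));
```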