bzbarsky has just created a new issue for https://github.com/w3c/webauthn: == _rpId_ generation allows more relaxation of same-origin restrictions than document.domain does == Providing an rpId of "foo.com" would lead to a single rpId being allowed to be shared by "http://foo.com", "https://foo.com", and "https://foo.com:8080". The first may not be a problem because this API is secure context only, but is it intended that "https://foo.com" and "https://foo.com:8080" be able to share an rpId? If not, this needs to be fixed in the spec. If this is intended, it may be worth a note calling it out, because this is a quite surprising deviation from how same-origin policy normally works. Please view or discuss this issue at https://github.com/w3c/webauthn/issues/260 using your GitHub accountReceived on Friday, 4 November 2016 18:44:07 UTC
This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:23 UTC