Re: [webauthn] What if callerOrigin is an opaque origin

I see two potential approaches to deal with such a situation:

Approach 1:
Some JavaScript without a clear association of a creator browsing 
context could be seen as using the Browser as an "App".

Remember: outside the web use case, Apps can also create such scoped 
authentication credentials.  But instead of scoping the credential to 
some web server the App might be talking to, we scope the credential 
to the App itself.

A web browser apparently can act on behalf of some RP identified by a 
non-opaque origin, or it could act as an App, i.e. within the scope of 
a browser vendor.

Approach 2:
Such an opaque origin will never be equal to any other opaque origin.  
Consequently, it seems impossible at any later point in time to access 
things which have been scoped to such an Opaque Origin.
Persistently stored credentials scoped to such an Opaque Origin could 
never be re-used at a later point (i.e. after this opaque origin is 
gone).
Why would someone want to do that?  So we might argue there is no 
point in supporting that and makeCredential would just fail.

Opinions?

-- 
GitHub Notification of comment by rlin1
Please view or discuss this issue at 
https://github.com/w3c/webauthn/issues/172#issuecomment-247269186 
using your GitHub account

Received on Thursday, 15 September 2016 08:34:20 UTC