Re: [webauthn] callerOrigin isn't actually the origin of the caller; it's the origin of the callee

One possible way of resolving this issue and many other related corner
 cases would be to restrict the API to only top level browsing 
context, i.e. not in iframes. As far as I can recall, I haven't seen a
 web page that puts login flow inside a iframe. Earlier in discussions
 over whether we should give developers option to relax the same 
origin restrictions, some proposed a workaround for sites like Google 
to put login flow inside a iframe. But since we do give the developers
 such ability, I can't see the benefit of giving developers such 

Such restriction was done before too. The credential management API, 
another API to improve the login flow and manage credentials, is only 
available on top level browsing context. @equalsJeffH what do you 

GitHub Notification of comment by AngeloKai
Please view or discuss this issue at 
using your GitHub account

Received on Saturday, 7 January 2017 01:02:56 UTC