Re: [webauthn] callerOrigin isn't actually the origin of the caller; it's the origin of the callee

One possible way of resolving this issue and many other related corner cases would be to restrict the API to only top-level browsing contexts, i.e. not in iframes. As far as I can recall, I haven't seen a web page that puts its login flow inside an iframe. Earlier, in discussions over whether we should give developers the option to relax the same-origin restrictions, some proposed a workaround for sites like Google to put the login flow inside an iframe. But since we do give the developers such ability, I can't see the benefit of giving developers such capability.

Such a restriction has been done before, too. The Credential Management API, another API to improve the login flow and manage credentials, is only available in top-level browsing contexts. @equalsJeffH, what do you think?

-- 
GitHub Notification of comment by AngeloKai
Please view or discuss this issue at 
https://github.com/w3c/webauthn/issues/271#issuecomment-271049709 
using your GitHub account

Received on Saturday, 7 January 2017 01:02:56 UTC
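The restriction proposed in the comment above (only allow the credential APIs from a top-level browsing context) can also be enforced by the relying party's own script while the specification is undecided. The following is an added example, not code from the WebAuthn thread or the spec: a guard that refuses to call `navigator.credentials.create()` / `get()` when the page is running inside an iframe. The `win` parameter (normally the global `window`) is injected so the guard can be exercised outside a browser; the function names are this example's own.

```javascript
// Added example (not from the WebAuthn thread): an application-side guard that
// only invokes the credential APIs from a top-level browsing context, i.e. it
// refuses to run a registration or login flow inside an iframe.
// `win` is the window to inspect; pass the global `window` in a browser.

// True when `win` is a top-level browsing context. Comparing `win.top` with
// `win.self` is safe even when the parent is cross-origin: it is a reference
// comparison, not a property read on the cross-origin window object.
function isTopLevelBrowsingContext(win) {
  return win.top === win.self;
}

// Wraps navigator.credentials.create()/get() so the call is never made from a
// nested context. `method` is 'create' or 'get'; `options` is the usual
// PublicKeyCredentialCreationOptions / RequestOptions wrapper.
async function callWebAuthn(win, method, options) {
  if (method !== 'create' && method !== 'get') {
    throw new Error(`unsupported credential method: ${method}`);
  }
  if (!isTopLevelBrowsingContext(win)) {
    throw new Error(
      `WebAuthn ${method}() refused: ${win.location.origin} is running inside an iframe`);
  }
  const creds = win.navigator && win.navigator.credentials;
  if (!creds || typeof creds[method] !== 'function') {
    throw new Error('Credential Management / WebAuthn API is not available');
  }
  // Invoked as creds[method](...) so `this` stays bound to the
  // CredentialsContainer, which the real API requires.
  return creds[method](options);
}

// Usage in a browser (assumed relying-party options, not from the page):
// callWebAuthn(window, 'create', { publicKey: { /* ... */ } })
//   .then(cred => console.log('registered', cred.id))
//   .catch(err => console.error(err.message));
```

This guard is defence in depth on the relying party side: it prevents the RP's own flow from being framed, but it does not change what the user agent reports as the caller origin, which is the question the thread is about.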