Re: [webauthn] callerOrigin isn't actually the origin of the caller; it's the origin of the callee

> One possible way of resolving this issue and many other related
> corner cases would be to restrict the API to only top level browsing
> context, i.e. not in iframes
Actually, [AIUI](, `makeCredential()` and `getAssertion()` algs will need to be able to determine their caller's origin, regardless.

So, yes, AIUI, we _can_ align the web authn API in terms of requiring the above algs to be called from only top-level browsing contexts, but we will still need to assess the "origin of the relevant settings object of this `WebAuthentication` object". Note that the first step of both the "[Request a and "[Store a algs in the Credentials management spec is to obtain the `incumbent settings object` (should probably be to obtain the `relevant settings object` but that's not terribly relevant to this discussion).

GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at 
using your GitHub account

Received on Sunday, 8 January 2017 17:32:04 UTC