- From: =JeffH via GitHub <sysbot+gh@w3.org>
- Date: Sun, 08 Jan 2017 17:31:53 +0000
- To: public-webauthn@w3.org
> One possible way of resolving this issue and many other related corner cases would be to restrict the API to only top level browsing context, i.e. not in iframes

Actually, [AIUI](https://en.wiktionary.org/wiki/AIUI), `makeCredential()` and `getAssertion()` algs will need to be able to determine their caller's origin, regardless.

So, yes, AIUI, we _can_ align the web authn API in terms of requiring the above algs to be called from only top-level browsing contexts, but we will still need to assess the "origin of the relevant settings object of this `WebAuthentication` object".

Note that the first step of both the "[Request a Cred](https://w3c.github.io/webappsec-credential-management/#request-credential)" and "[Store a Cred](https://w3c.github.io/webappsec-credential-management/#store-credential)" algs in the Credentials management spec is to obtain the `incumbent settings object` (should probably be to obtain the `relevant settings object` but that's not terribly relevant to this discussion).

--
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/271#issuecomment-271165529 using your GitHub account
Received on Sunday, 8 January 2017 17:32:04 UTC