Re: [webauthn] Please coordinate with the HTML spec to extract the relevant bits of the document.domain setter so you can call them

Why is document.domain being used in WebAuthn? To quote Bobby Holley 

> We should absolutely not be building any support for document.domain
 (or any analogous machinery) into new specs. It mostly breaks the 
security model of the web, and vendors have gone to great lengths to 
reduce document.domain support to the bare minimum required for 

It seems like WebAuthn is one spec where we should have the APIs throw
 if document.domain has been set to push websites towards using 
pushMessage instead. That's particularly the case since it's the big 
sites like FB that we need to push away from document.domain in order 
to deprecate document.domain, and they're likely to want to have 
WebAuthn support.

GitHub Notification of comment by jwatt
Please view or discuss this issue at 
using your GitHub account

Received on Wednesday, 11 January 2017 13:28:54 UTC