Re: [webauthn] Please coordinate with the HTML spec to extract the relevant bits of the document.domain setter so you can call them

Why is document.domain being used in WebAuthn? To quote Bobby Holley 
in https://bugzilla.mozilla.org/show_bug.cgi?id=1329764#c2

> We should absolutely not be building any support for document.domain
> (or any analogous machinery) into new specs. It mostly breaks the
> security model of the web, and vendors have gone to great lengths to
> reduce document.domain support to the bare minimum required for
> web-compat.

It seems like WebAuthn is one spec where we should have the APIs throw
if document.domain has been set to push websites towards using
pushMessage instead. That's particularly the case since it's the big
sites like FB that we need to push away from document.domain in order
to deprecate document.domain, and they're likely to want to have
WebAuthn support.

-- 
GitHub Notification of comment by jwatt
Please view or discuss this issue at 
https://github.com/w3c/webauthn/issues/256#issuecomment-271868235 
using your GitHub account

Received on Wednesday, 11 January 2017 13:28:54 UTC