- From: Angelo Liao via GitHub <sysbot+gh@w3.org>
- Date: Wed, 28 Jun 2017 01:01:02 +0000
- To: public-webauthn@w3.org
@equalsJeffH I agree now that webauthn depends upon credman, which is restricted to top-level browsing context, webauthn should be restricted in the same way. However, this restriction appears to be an accidental by-product of the merge rather than a deliberate product. I'd feel much more comfortable closing this issue after we talked it through on the WG call and everyone is on the same page. When we discussed the issue, we should keep the other issue regarding migration of keys in mind: https://github.com/w3c/webauthn/issues/458. At the moment, corp acquiring another company can still get their keys through iframe. The restriction will keep this possibility out. Since I posted the issue, I also heard of conversations from IDPs which whitelists a set of domains which can iframe into the IDP sites. This would be concerning for these IDPs. Based on the above conversations, it appears more conversation may still happen even after we restrict webauthn to top browsing context, including limiting the API to Feature Policy, granting access to same-origin iframe access, etc. If so, we can close this issue and open up another one to track the conversations about exception to the restrictions. -- GitHub Notification of comment by AngeloKai Please view or discuss this issue at https://github.com/w3c/webauthn/issues/374#issuecomment-311527324 using your GitHub account
Received on Wednesday, 28 June 2017 01:01:09 UTC