- From: =JeffH via GitHub <sysbot+gh@w3.org>
- Date: Wed, 24 May 2017 15:36:48 +0000
- To: public-webauthn@w3.org
equalsJeffH has just created a new issue for https://github.com/w3c/webauthn:

== restrict webauthn support to "valid domains" ==

per [URL](https://url.spec.whatwg.org/), the [host](https://url.spec.whatwg.org/#concept-host) component of a [tuple origin](https://html.spec.whatwg.org/#concept-origin-tuple) [[HTML](https://html.spec.whatwg.org/)] "is a domain, an IPv4 address, an IPv6 address, an opaque host, or an empty host".

In HSTS [[RFC6797](https://tools.ietf.org/html/rfc6797)] we decided to support HSTS Policy for only hosts expressed as domain names:

```
Appendix A. Design Decision Notes
[...]
4. HSTS Hosts are identified only via domain names -- explicit IP
   address identification of all forms is excluded. This is for
   simplification and also is in recognition of various issues with
   using direct IP address identification in concert with PKI-based
   security.
```

Thus, shall we add restrictions to this effect to WebAuthn?

Proposed update to the "Let |effectiveDomain| be ..." step in both #createCredential and #getAssertion algs:

```
1. Let |effectiveDomain| be the |callerOrigin|'s [=effective domain=].
   If [=effective domain=] is not a [=valid domain=], then return a
   {{DOMException}} whose name is "{{SecurityError}}" and terminate
   this algorithm.

   Note: [=host=] formats other than [=domain=] -- i.e., [=ipv4 address=],
   [=ipv6 address=], [=opaque host=], or [=empty host=] -- are disallowed.
```

See also: https://url.spec.whatwg.org/#valid-domain

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/474 using your GitHub account
Received on Wednesday, 24 May 2017 15:36:55 UTC
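
The check proposed in the message above, sketched as an added example (not part of the original message and not WebAuthn spec text). The function names are hypothetical; it assumes `document.domain` is unset, so the effective domain equals the origin's host, and it only distinguishes the five host kinds rather than running the URL Standard's full strict valid-domain validation.

```javascript
// Added example. hostKind and checkEffectiveDomain are hypothetical names.
const SPECIAL_SCHEMES = new Set(["ftp:", "file:", "http:", "https:", "ws:", "wss:"]);

// Classify the host of a serialized origin or URL into the five host kinds
// listed by the URL Standard.
function hostKind(origin) {
  const url = new URL(origin); // throws TypeError if the host cannot be parsed
  const host = url.hostname;
  if (host === "") return "empty host";
  if (host.startsWith("[")) return "ipv6 address";
  // Hosts of non-special schemes are never parsed as domains.
  if (!SPECIAL_SCHEMES.has(url.protocol)) return "opaque host";
  // For special schemes the parser rewrites every IPv4 spelling (hex, octal,
  // single integer) to dotted decimal, so one pattern is enough here.
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return "ipv4 address";
  return "domain";
}

// Mirrors the proposed step: return the effective domain, or fail with an
// error named "SecurityError" (a browser would use a DOMException).
function checkEffectiveDomain(callerOrigin) {
  const kind = hostKind(callerOrigin);
  if (kind !== "domain") {
    const err = new Error(`effective domain is an ${kind}, not a domain`);
    err.name = "SecurityError";
    throw err;
  }
  return new URL(callerOrigin).hostname;
}

// Constructed sample origins (documentation address ranges and names only).
const SAMPLES = [
  "https://login.example.com",
  "https://192.0.2.10:8443",
  "https://0xc0.0.2.10",      // hex spelling of the same IPv4 address
  "https://[2001:db8::1]",
  "file:///etc/hosts",
];
for (const origin of SAMPLES) {
  console.log(origin.padEnd(28), hostKind(origin));
}
```

Classifying the parsed host rather than the raw string matters because spellings such as `0xc0.0.2.10` do not look like dotted-decimal IPv4 until the URL parser has normalized them.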