equalsJeffH has just created a new issue for https://github.com/w3c/webauthn: == restrict webauthn support to "valid domains" == per [URL](https://url.spec.whatwg.org/), the [host](https://url.spec.whatwg.org/#concept-host) component of a [tuple origin](https://html.spec.whatwg.org/#concept-origin-tuple) [[HTML](https://html.spec.whatwg.org/)] "is a domain, an IPv4 address, an IPv6 address, an opaque host, or an empty host". In HSTS [[RFC6797](https://tools.ietf.org/html/rfc6797)] we decided to support HSTS Policy for only hosts expressed as domain names: ``` Appendix A. Design Decision Notes [...] 4. HSTS Hosts are identified only via domain names -- explicit IP address identification of all forms is excluded. This is for simplification and also is in recognition of various issues with using direct IP address identification in concert with PKI-based security. ``` Thus, shall we add restrictions to this effect to WebAuthn? Proposed update to the "Let |effectiveDomain| be ..." step in both #createCredential and #getAssertion algs: ``` 1. Let |effectiveDomain| be the |callerOrigin|'s [=effective domain=]. If [=effective domain=] is not a [=valid domain=], then return a {{DOMException}} whose name is "{{SecurityError}}" and terminate this algorithm. Note: [=host=] formats other than [=domain=] -- i.e., [=ipv4 address=], [=ipv6 address=], [=opaque host=], or [=empty host=] -- are disallowed. ``` See also: https://url.spec.whatwg.org/#valid-domain Please view or discuss this issue at https://github.com/w3c/webauthn/issues/474 using your GitHub accountReceived on Wednesday, 24 May 2017 15:36:55 UTC
This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:26 UTC