[webauthn] restrict webauthn support to "valid domains"

equalsJeffH has just created a new issue for https://github.com/w3c/webauthn:

== restrict webauthn support to "valid domains" ==
per [URL](https://url.spec.whatwg.org/), the [host](https://url.spec.whatwg.org/#concept-host) component of a [tuple origin](https://html.spec.whatwg.org/#concept-origin-tuple) [[HTML](https://html.spec.whatwg.org/)] "is a domain, an IPv4 address, an IPv6 address, an opaque host, or an empty host". 

In HSTS [[RFC6797](https://tools.ietf.org/html/rfc6797)] we decided to support HSTS Policy for only hosts expressed as domain names:
Appendix A.  Design Decision Notes

   4.  HSTS Hosts are identified only via domain names -- explicit IP
       address identification of all forms is excluded.  This is for
       simplification and also is in recognition of various issues with
       using direct IP address identification in concert with PKI-based

Thus, shall we add restrictions to this effect to WebAuthn?

Proposed update to the "Let |effectiveDomain| be ..." step in both #createCredential and #getAssertion algs:
1. Let |effectiveDomain| be the |callerOrigin|'s [=effective domain=]. 
    If [=effective domain=] is not a [=valid domain=], then return a
    {{DOMException}} whose name is "{{SecurityError}}" and terminate this algorithm.

    Note: [=host=] formats other than [=domain=] -- i.e., [=ipv4 address=],
        [=ipv6 address=], [=opaque host=], or [=empty host=] -- are disallowed.
See also: https://url.spec.whatwg.org/#valid-domain

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/474 using your GitHub account

Received on Wednesday, 24 May 2017 15:36:55 UTC