
[webauthn] restrict webauthn support to "valid domains"

From: =JeffH via GitHub <sysbot+gh@w3.org>
Date: Wed, 24 May 2017 15:36:48 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-231082980-1495640206-sysbot+gh@w3.org>
=JeffH has just created a new issue for https://github.com/w3c/webauthn:

== restrict webauthn support to "valid domains" ==
per [URL](https://url.spec.whatwg.org/), the [host](https://url.spec.whatwg.org/#concept-host) component of a [tuple origin](https://html.spec.whatwg.org/#concept-origin-tuple) [[HTML](https://html.spec.whatwg.org/)] "is a domain, an IPv4 address, an IPv6 address, an opaque host, or an empty host". 

In HSTS [[RFC6797](https://tools.ietf.org/html/rfc6797)] we decided to support HSTS Policy for only hosts expressed as domain names:
Appendix A.  Design Decision Notes

   4.  HSTS Hosts are identified only via domain names -- explicit IP
       address identification of all forms is excluded.  This is for
       simplification and also is in recognition of various issues with
       using direct IP address identification in concert with PKI-based

Thus, shall we add restrictions to this effect to WebAuthn?

Proposed update to the "Let |effectiveDomain| be ..." step in both #createCredential and #getAssertion algs:
1. Let |effectiveDomain| be the |callerOrigin|'s [=effective domain=]. 
    If [=effective domain=] is not a [=valid domain=], then return a
    {{DOMException}} whose name is "{{SecurityError}}" and terminate this algorithm.

    Note: [=host=] formats other than [=domain=] -- i.e., [=ipv4 address=],
        [=ipv6 address=], [=opaque host=], or [=empty host=] -- are disallowed.
See also: https://url.spec.whatwg.org/#valid-domain

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/474 using your GitHub account
Received on Wednesday, 24 May 2017 15:36:55 UTC
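
The host-kind check proposed in the message above, sketched as an added JavaScript example (not part of the original message, the WebAuthn spec, or any browser's code). It assumes the effective domain is simply the origin's host and approximates the URL Standard's valid-domain test with a letters-digits-hyphen label check; `hostKind`, `isLikelyValidDomain` and `effectiveDomainOrError` are hypothetical names.

```javascript
// Added illustration. Assumption: effective domain == the origin's host
// (no document.domain override is modelled).
const SPECIAL_SCHEMES = new Set(["http:", "https:", "ws:", "wss:", "ftp:", "file:"]);
const LDH_LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;

// Name the URL Standard host kind for an origin string.
function hostKind(origin) {
  const url = new URL(origin); // WHATWG parser; throws TypeError on unparsable input
  const host = url.hostname;
  if (host === "") return "empty host";
  if (host.startsWith("[")) return "ipv6 address";
  if (!SPECIAL_SCHEMES.has(url.protocol)) return "opaque host";
  // For special schemes the parser has already canonicalised every IPv4
  // spelling (hex, octal, short forms) to dotted decimal.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return "ipv4 address";
  return "domain";
}

// Approximation of [=valid domain=] (assumption): every label is 1-63
// letters/digits/hyphens with no leading or trailing hyphen, total <= 253.
function isLikelyValidDomain(host) {
  return host.length <= 253 && host.split(".").every((label) => LDH_LABEL.test(label));
}

// Returns the effective domain, or a SecurityError DOMException as in the
// proposed algorithm step.
function effectiveDomainOrError(origin) {
  const kind = hostKind(origin);
  const host = new URL(origin).hostname;
  if (kind !== "domain" || !isLikelyValidDomain(host)) {
    return new DOMException(`${kind} "${host}" is not a valid domain`, "SecurityError");
  }
  return host;
}

// Constructed sample origins, one per host kind.
for (const o of ["https://login.example.com:8443", "https://0x7f.1/",
                 "https://[2001:db8::1]/", "file:///tmp/x.html", "foo://example.com/"]) {
  const r = effectiveDomainOrError(o);
  console.log(o, "->", r instanceof DOMException ? `${r.name}: ${r.message}` : r);
}
```

The IPv4 case shows why the check runs on the parsed host rather than the raw string: `0x7f.1` contains no dotted quad until the URL parser canonicalises it.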
