Re: which interface object to use?

Hey thx Jeffrey for the below info. I believe I've applied this in commits I pushed this morning, see diffs in PR #464 https://github.com/w3c/webauthn/pull/464


thanks for your help on this.

=JeffH


On 5/22/17, 9:07 AM, "Jeffrey Yasskin" <jyasskin@google.com> wrote:

This advice comes from https://html.spec.whatwg.org/#realms-settings-objects-global-objects, "In general, web platform specifications should use the relevant concept, applied to the object being operated on (usually the this value of the current method)."

On Mon, May 22, 2017 at 9:02 AM, Jeffrey Yasskin <jyasskin@google.com> wrote:
The general thing to do is to use the relevant settings object of the 'this' object of the algorithm. In https://w3c.github.io/webauthn/#createCredential, [[Create]] is a method of the PublicKeyCredential interface object, so that wording's correct. In https://w3c.github.io/webauthn/#getAssertion, [[DiscoverFromExternalSource]] is also a method of the PublicKeyCredential interface object, so using the interface object's relevant settings object would be best there too.

Credential Manager finds those interface objects in https://w3c.github.io/webappsec-credential-management/#credentialrequestoptions-relevant-credential-interface-objects, which despite being called "relevant ... objects", uses the *current* settings object to look up interface objects, which means that window1.navigator.credentials.get.call(window2.navigator.credentials, ...) will use window1.PublicKeyCredential whereas the *relevant* settings object would find window2.PublicKeyCredential. This wouldn't matter for uses of the origin, but I think because WebAuthn pokes at the effective domain, that can be different between the two windows.

Still, I think WebAuthn should stick with the PublicKeyCredential interface's relevant settings object, and leave it to Credential Manager to call a method on the right interface object.

Jeffrey

On Thu, May 18, 2017 at 2:57 PM, =JeffH <Jeff.Hodges@kingsmountain.com> wrote:
I have some questions for the browser-guts/webIDL experts:


A) In section {#createCredential} we say..

1. Let |callerOrigin| be the [=environment settings object/origin=] specified by this {{PublicKeyCredential}} [=interface object=]'s [=relevant settings object=]. ...

<https://github.com/w3c/webauthn/blob/22fb7d34a554e01139aa458274743d24272f4c52/index.bs#L526>


B) In section {#getAssertion} we say..

1. Let |callerOrigin| be the [=environment settings object/origin=] of this {{CredentialsContainer}} object's [=relevant settings object=].

<https://github.com/w3c/webauthn/blob/22fb7d34a554e01139aa458274743d24272f4c52/index.bs#L718>


Which one is correct?  Perhaps neither?

Q1. It seems to me that in (A), `this {{PublicKeyCredential}}` actually ought to be `this {{CredentialsContainer}}` (i.e., the same as (B))? Note that CredMan hangs the create() and get() methods off of `{{CredentialsContainer}}`, /not/ `{{Credential}}`.

Q2. (B) lacks the term `[=interface object=]'s` that (A) has -- is (B) incorrect?

Q3. Any other issues with these assignment statements that y'all expert-types see?


thanks!

=JeffH

Received on Wednesday, 24 May 2017 16:41:26 UTC