Re: [webauthn] restrict WebAuthentication API to only top level browsing context

@nadalin The CredMan issue discussion has resumed. AFAIK the reason why the top-level browsing context constraint was added to CredMan is because the CredMan API can exercise silent auth. Considering we don't currently allow silent auth, their attitude is that the constraint be removed for webauthn. At least in the Edge implementation, we show the origin of the site in the prompt. By showing the origin, we are giving extra security protection to the user. I sent @mikewest and @battre a mail containing the UI of the prompt.

We will likely reach the solution that **webauthn will allow all browsing contexts and add text that suggests UAs should emphasize the origin of the script in the prompt**. Once we reach the solution, we will add text back to the webauthn spec, describing the relaxed constraint and the suggestions to the UAs.


-- 
GitHub Notification of comment by AngeloKai
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/374#issuecomment-327953946 using your GitHub account

Received on Thursday, 7 September 2017 23:21:21 UTC