[webauthn] Pull Request: Fix #593 - Refer to RFC 8266 for RP-controlled UI strings

jcjones has just submitted a new pull request for https://github.com/w3c/webauthn:

== Fix #593 - Refer to RFC 8266 for RP-controlled UI strings ==
The RP provides 'PublicKeyCredentialUserEntity/displayName' and 'PublicKeyCredentialEntity/name',
both of which are intended for display by the User Agent. As DOMString objects, these could be
manipulated by a malicious RP to try and confuse the user about what is being displayed, so
User Agents should be careful in how they display these fields.

This PR points to RFC 8266 for its guidance on showing those fields. This is guidance that
browser vendors already follow for other specifications, so it's nothing new -- it merely
codifies what should be.

See https://github.com/w3c/webauthn/pull/878

Received on Monday, 23 April 2018 14:26:50 UTC
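
The display-string handling the pull request points to, as an added example (not code from the pull request or the WebAuthn specification): a simplified sketch of RFC 8266 Nickname-profile enforcement that a User Agent could run on an RP-supplied `displayName` before showing it. The function names and sample strings are constructed for illustration; the ZWJ/ZWNJ context rules and the RFC 5892 exception table are not implemented, and old Hangul jamo are matched by block range.

```javascript
// Added example: simplified RFC 8266 (PRECIS Nickname profile) enforcement.
// Assumptions: helper names are hypothetical; join-control context rules and
// the RFC 5892 exceptions are omitted, so this is stricter/looser at the edges.
const FREEFORM = /^[\p{L}\p{M}\p{N}\p{P}\p{S}\p{Zs}]$/u; // FreeformClass categories
const IGNORABLE = /^\p{Default_Ignorable_Code_Point}$/u;  // bidi overrides, ZWSP, ...
const OLD_JAMO = /^[\u1100-\u11FF\uA960-\uA97F\uD7B0-\uD7FF]$/u;

// One pass of the enforcement rules: map every Zs space to U+0020, strip
// leading/trailing spaces, collapse runs of spaces, then normalize to NFKC.
function applyRules(s) {
  return s
    .replace(/\p{Zs}/gu, " ")
    .replace(/^ +| +$/g, "")
    .replace(/ {2,}/g, " ")
    .normalize("NFKC");
}

function enforceNickname(input) {
  // NFKC can itself produce spaces, so re-apply until stable
  // (one pass plus at most three more), otherwise reject.
  let prev = input, out = applyRules(input);
  for (let i = 0; out !== prev && i < 3; i++) {
    prev = out;
    out = applyRules(out);
  }
  if (out !== prev) return { ok: false, reason: "unstable" };
  if (out.length === 0) return { ok: false, reason: "empty" };
  for (const ch of out) {
    if (!FREEFORM.test(ch) || IGNORABLE.test(ch) || OLD_JAMO.test(ch)) {
      const cp = ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0");
      return { ok: false, reason: `disallowed U+${cp}` };
    }
  }
  return { ok: true, value: out };
}

// Constructed sample display names (not taken from any real RP).
const SAMPLES = [
  "  Alice\u00A0\u00A0 Smith ",   // padded with no-break spaces
  "\uFF21\uFF44\uFF4D\uFF49\uFF4E", // fullwidth "Admin"
  "user\u202Egnp.exe",            // right-to-left override
  "Bank\u200B of Example",        // zero-width space
];
for (const s of SAMPLES) console.log(JSON.stringify(s), enforceNickname(s));
```

A string that is rejected here should be refused or replaced with a neutral placeholder rather than rendered as supplied.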