
[webauthn] Pull Request: Fix #593 - Refer to RFC 8266 for RP-controlled UI strings

From: J.C. Jones via GitHub <sysbot+gh@w3.org>
Date: Mon, 23 Apr 2018 14:26:35 +0000
To: public-webauthn@w3.org
Message-ID: <pull_request.opened-183452367-1524493594-sysbot+gh@w3.org>

jcjones has just submitted a new pull request for https://github.com/w3c/webauthn:

== Fix #593 - Refer to RFC 8266 for RP-controlled UI strings ==
The RP provides 'PublicKeyCredentialUserEntity/displayName' and 'PublicKeyCredentialEntity/name',
both of which are intended for display by the User Agent. As DOMString objects, these could be
manipulated by a malicious RP to try and confuse the user about what is being displayed, so
User Agents should be careful in how they display these fields.

This PR points to RFC 8266 for its guidance on showing those fields. This is guidance that
browser vendors already follow for other specifications, so it's nothing new -- it merely
codifies what should be.

See https://github.com/w3c/webauthn/pull/878
Received on Monday, 23 April 2018 14:26:50 UTC
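
As an added illustration (not part of the pull request or of the WebAuthn specification text), here is one way a client could apply the RFC 8266 Nickname profile to an RP-supplied `displayName` or `name` before showing it. The function names are hypothetical, and the FreeformClass check is an approximation built on Unicode property escapes that rejects join controls outright instead of applying the PRECIS contextual rules.

```javascript
// Added example: approximate RFC 8266 (PRECIS Nickname profile) handling for
// RP-supplied display strings. Function names are hypothetical.

// Approximation of "not in FreeformClass": control, format, surrogate,
// private-use and unassigned code points (\p{C}), line/paragraph separators,
// and default-ignorable code points. Old Hangul Jamo are not checked, and
// ZWJ/ZWNJ are rejected instead of evaluated contextually.
const DISALLOWED = /[\p{C}\p{Zl}\p{Zp}\p{Default_Ignorable_Code_Point}]/u;

// One pass of the Nickname mapping rules (RFC 8266, section 2.1).
function nicknameMap(s) {
  return s
    .replace(/\p{Zs}/gu, " ")   // non-ASCII spaces become U+0020
    .replace(/^ +| +$/g, "")    // strip leading and trailing spaces
    .replace(/ {2,}/g, " ")     // collapse interior runs of spaces
    .normalize("NFKC");         // normalization rule
}

// Enforcement: returns the string to display, or throws if it must be rejected.
function enforceNickname(input) {
  if (typeof input !== "string" || DISALLOWED.test(input)) {
    throw new RangeError("disallowed code point in display string");
  }
  let out = nicknameMap(input);
  // The profile requires re-applying the rules until the output is stable,
  // rejecting the string if it has not settled after three re-applications.
  for (let i = 0; i < 3; i++) {
    const again = nicknameMap(out);
    if (again === out) {
      if (out.length === 0) throw new RangeError("empty after enforcement");
      return out;
    }
    out = again;
  }
  throw new RangeError("not stable after repeated application");
}

// Comparison key: enforcement plus case mapping, for spotting entries that
// differ only by case or width, such as "ALICE" and a full-width "Ａlice".
function nicknameKey(input) {
  return enforceNickname(enforceNickname(input).toLowerCase());
}
```

A string that throws here should not be rendered as given; what the client shows instead is a UI decision outside this sketch.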
