- From: =JeffH via GitHub <sysbot+gh@w3.org>
- Date: Wed, 11 Jul 2018 17:27:10 +0000
- To: public-webauthn@w3.org
equalsJeffH has just closed jcjones's pull request 878 for https://github.com/w3c/webauthn:

== Fix #593 - Refer to RFC 8266 for RP-controlled UI strings ==

The RP provides 'PublicKeyCredentialUserEntity/displayName' and 'PublicKeyCredentialEntity/name', both of which are intended for display by the User Agent. As DOMString objects, these could be manipulated by a malicious RP to try and confuse the user about what is being displayed, so User Agents should be careful in how they display these fields.

This PR points to RFC 8266 for its guidance on showing those fields. This is guidance that browser vendors already follow for other specifications, so it's nothing new -- it merely codifies what should be.

fixes #593

Preview: https://pr-preview.s3.amazonaws.com/jcjones/webauthn/pull/878.html (last updated on May 2, 2018, 5:41 PM GMT, 8783a41)
Diff: https://pr-preview.s3.amazonaws.com/w3c/webauthn/878/b9af923...jcjones:8783a41.html (last updated on May 2, 2018, 5:41 PM GMT, 8783a41)

See https://github.com/w3c/webauthn/pull/878
Received on Wednesday, 11 July 2018 17:27:13 UTC
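
Added example, not part of the pull request or the WebAuthn specification: a simplified sketch of RFC 8266 Nickname enforcement as a client might apply it to an RP-supplied `displayName` or `name` before display. The function names are hypothetical, and the PRECIS FreeformClass check is approximated (an assumption) by rejecting every code point in Unicode general category C.

```javascript
// Added example, not WebAuthn spec text or browser code.
// ASSUMPTION: the PRECIS FreeformClass check is approximated by rejecting
// general category C (controls, format characters such as bidi overrides,
// surrogates, private use, unassigned). A full check needs the PRECIS tables.
const DISALLOWED = /\p{C}/u;

// One pass of the Nickname rules used for enforcement (RFC 8266):
// additional mapping (spaces), then NFKC normalization.
function applyNicknameRules(s) {
  return s
    .replace(/\p{Zs}/gu, ' ')   // non-ASCII spaces -> U+0020
    .replace(/^ +| +$/g, '')    // strip leading and trailing spaces
    .replace(/ {2,}/g, ' ')     // collapse interior runs of spaces
    .normalize('NFKC');
}

function enforceNickname(input) {
  if (DISALLOWED.test(input)) return { ok: false, reason: 'disallowed code point' };
  let out = applyNicknameRules(input);
  // Reapply up to three more times; reject if the output never stabilizes.
  for (let i = 0; i < 3; i++) {
    const next = applyNicknameRules(out);
    if (next === out) {
      if (out.length === 0) return { ok: false, reason: 'empty after mapping' };
      return { ok: true, value: out };
    }
    out = next;
  }
  return { ok: false, reason: 'unstable' };
}

// Comparison key: enforcement output, lowercased, then NFKC again.
function nicknameKey(input) {
  const r = enforceNickname(input);
  return r.ok ? r.value.toLowerCase().normalize('NFKC') : null;
}

// Constructed sample displayName values.
const samples = ['  Alice\u00A0\u00A0Smith ', '\uFF21lice', 'Alice\u202Eecila', '\u3000'];
for (const s of samples) console.log(JSON.stringify(s), enforceNickname(s));
```

A rejected string should not be shown as-is; what the client displays instead is a policy choice outside this sketch.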