
Re: [webauthn] Revise same-origin as ancestor requirements

From: =JeffH via GitHub <sysbot+gh@w3.org>
Date: Wed, 18 Jul 2018 20:24:54 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-406062643-1531945493-sysbot+gh@w3.org>
@mikewest - are arbitrary cross-origin mashups presently secure? If we were to "just accept `sameOriginWithAncestors == false`", would we not be handing webauthn Relying Parties a footgun? I may be behind the times and need to be educated...

i.e., IIUC, if we accept `sameOriginWithAncestors == false`, we ought to do the things listed here:

https://docs.google.com/presentation/d/1sK9hhI0y25iioyLGMKwdhtpe-sVRV7Ln4pMHR2JXApw/edit#slide=id.g3ad57c9b5b_0_13

...Yes?

Is IntersectionObserver2 still just a "proposal"?

Do we know what the exact list of things we need to add to the webauthn spec in order to not hand RPs a footgun?

thanks!


-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1001#issuecomment-406062643 using your GitHub account
Received on Wednesday, 18 July 2018 20:24:56 UTC
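The `sameOriginWithAncestors` value discussed above, modelled as a pure function over a frame chain so the "cross-origin mashup" case can be checked without a browser. This is an added example and not code from the thread or the WebAuthn spec; the frame chains, origins and the guard function `webauthnAllowedInFrame` are constructed for illustration.

```javascript
// Parse an origin string into its (scheme, host, port) tuple, filling in the
// default port so "https://rp.example" and "https://rp.example:443" compare equal.
function parseOrigin(origin) {
  const u = new URL(origin);
  const defaultPort = { 'https:': '443', 'http:': '80' }[u.protocol] || '';
  return { scheme: u.protocol, host: u.hostname, port: u.port || defaultPort };
}

// Two origins are "same origin" when scheme, host and port all agree.
function isSameOrigin(a, b) {
  const x = parseOrigin(a);
  const y = parseOrigin(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// sameOriginWithAncestors: the calling document's origin must match the origin
// of every ancestor document, from its parent up to the top-level page.
// `frameChain` is ordered [caller, parent, ..., top]; a lone top-level document
// has no ancestors and is trivially same-origin with them.
function sameOriginWithAncestors(frameChain) {
  const [caller, ...ancestors] = frameChain;
  return ancestors.every((ancestorOrigin) => isSameOrigin(caller, ancestorOrigin));
}

// Hypothetical RP-side guard (not from the spec): refuse to start a WebAuthn
// ceremony when any ancestor frame belongs to a different origin, the case in
// which the user cannot tell which site is actually driving the ceremony.
function webauthnAllowedInFrame(frameChain) {
  return sameOriginWithAncestors(frameChain) ? 'allow' : 'refuse';
}

// Constructed frame chains for illustration.
const topLevelOnly = ['https://rp.example'];
const nestedSameOrigin = ['https://rp.example', 'https://rp.example:443', 'https://rp.example'];
const crossOriginMashup = ['https://rp.example', 'https://mashup.example'];
const subdomainFramed = ['https://rp.example', 'https://www.rp.example'];

console.log(webauthnAllowedInFrame(topLevelOnly));     // allow
console.log(webauthnAllowedInFrame(nestedSameOrigin));  // allow
console.log(webauthnAllowedInFrame(crossOriginMashup)); // refuse
console.log(webauthnAllowedInFrame(subdomainFramed));   // refuse
```

Note that a subdomain counts as a different origin, so a page framed by its own `www.` host is still cross-origin with its ancestor under this check.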
