- From: =JeffH via GitHub <sysbot+gh@w3.org>
- Date: Wed, 18 Jul 2018 20:24:54 +0000
- To: public-webauthn@w3.org

@mikewest - are arbitrary cross-origin mashups presently secure? If we were to "just accept `sameOriginWithAncestors == false`", would we not be handing webauthn Relying Parties a footgun? I may be behind the times and need to be educated.... i.e., IIUC, if we accept `sameOriginWithAncestors == false`, we ought to do the things listed here: https://docs.google.com/presentation/d/1sK9hhI0y25iioyLGMKwdhtpe-sVRV7Ln4pMHR2JXApw/edit#slide=id.g3ad57c9b5b_0_13 ...Yes?

Is IntersectionObserver2 still just a "proposal"? Do we know the exact list of things we need to add to the webauthn spec in order to not hand RPs a footgun?

thanks!

--
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1001#issuecomment-406062643 using your GitHub account

Received on Wednesday, 18 July 2018 20:24:56 UTC