W3C home > Mailing lists > Public > public-webauthn@w3.org > April 2019

Re: [webauthn] explicitly mention running over TLS in WebAuthn API intro (#1201)

From: gmandyam via GitHub <sysbot+gh@w3.org>
Date: Thu, 18 Apr 2019 20:48:22 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-484684656-1555620501-sysbot+gh@w3.org>

Would have to see the text proposal, but bear in mind that secure context does not necessarily mean the webpage was retrieved via a TLS connection.  For instance, https://www.w3.org/TR/secure-contexts/#localhost has a carve-out that in my experience browser vendors have honored with respect to other API's requiring secure contexts (e.g. Encrypted Media Extensions).

Rather than try to paraphrase what a secure context actually means in the Webauthn intro, I would consider adding a reference to how the UA should determine if a webpage corresponds to a secure context: https://www.w3.org/TR/secure-contexts/#algorithms 

GitHub Notification of comment by gmandyam
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1201#issuecomment-484684656 using your GitHub account
Received on Thursday, 18 April 2019 20:48:24 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:36 UTC