[webauthn] Clarify in spec (#1204)

From: gmandyam via GitHub <sysbot+gh@w3.org>
Date: Wed, 24 Apr 2019 20:44:06 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-436898197-1556138645-sysbot+gh@w3.org>

gmandyam has just created a new issue for https://github.com/w3c/webauthn:

== Clarify in spec ==
WebAuthn is only exposed in secure contexts. However, the current secure context definition has a carveout for due to localhost resolution issues - see https://www.w3.org/TR/secure-contexts/#localhost. However, the Secure Contexts spec says that this carveout is "at risk".

Rather than rely on a potentially shifting definition of secure context, the recommendation is to specifically state in the WebAuthn specification that is an acceptable domain but localhost is not. This can be done by adding additional text to the note in https://w3c.github.io/webauthn/#rp-id. Maybe something like:

"A relying party's webpage may be locally hosted (i.e. instantiated on the same device as the user agent).  In this case, the RP ID is"

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1204 using your GitHub account
Received on Wednesday, 24 April 2019 20:44:11 UTC