W3C home > Mailing lists > Public > public-webauthn@w3.org > April 2019

[webauthn] Clarify 127.0.0.1 in spec (#1204)

From: gmandyam via GitHub <sysbot+gh@w3.org>
Date: Wed, 24 Apr 2019 20:44:06 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-436898197-1556138645-sysbot+gh@w3.org>
gmandyam has just created a new issue for https://github.com/w3c/webauthn:

== Clarify 127.0.0.1 in spec ==
Webauthn is only exposed in secure contexts.  However current secure context definition has a carveout for 127.0.0.1 due to localhost resolution issues - see https://www.w3.org/TR/secure-contexts/#localhost.  However the Secure Contexts spec says that this carveout is "at risk".

Rather than rely on a potentially shifting definition of secure context, recommendation is to specifically state in the Webauthn specification that 127.0.0.1 is an acceptable domain but localhost is not.  This can be done by adding additional text to the note in https://w3c.github.io/webauthn/#rp-id.  Maybe something like:

"A relying party's webpage may be locally hosted (i.e. instantiated on the same device as the user agent).  In this case, the RP ID is 127.0.0.1."

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1204 using your GitHub account
Received on Wednesday, 24 April 2019 20:44:11 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:37 UTC