[webauthn] Clarify 127.0.0.1 in spec (#1204)

gmandyam has just created a new issue for https://github.com/w3c/webauthn:

== Clarify 127.0.0.1 in spec ==
WebAuthn is only exposed in secure contexts. However, the current secure context definition has a carve-out for 127.0.0.1 due to localhost resolution issues - see https://www.w3.org/TR/secure-contexts/#localhost. However, the Secure Contexts spec says that this carve-out is "at risk".

Rather than rely on a potentially shifting definition of secure context, the recommendation is to state specifically in the WebAuthn specification that 127.0.0.1 is an acceptable domain but localhost is not. This can be done by adding additional text to the note in https://w3c.github.io/webauthn/#rp-id. Maybe something like:

"A relying party's webpage may be locally hosted (i.e., instantiated on the same device as the user agent). In this case, the RP ID is 127.0.0.1."

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1204 using your GitHub account

Received on Wednesday, 24 April 2019 20:44:11 UTC
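The following is an added example, not code from the thread above or from the W3C WebAuthn project. It models the two checks the issue touches on for a loopback origin: whether the caller's origin is a secure context (https/wss/file schemes, the 127.0.0.0/8 and ::1 loopback literals, and the "localhost" name carve-out the Secure Contexts spec marks "at risk"), and whether the requested RP ID equals the origin's effective domain or is a registrable domain suffix of it, as WebAuthn requires. Two assumptions: the registrable-suffix test is a plain dotted-suffix check standing in for a Public Suffix List lookup (it would wrongly accept "co.uk"), and the code takes the issue's proposed answer that "127.0.0.1" is an acceptable RP ID while "localhost" is accepted only when the user agent guarantees loopback resolution, which is precisely what the issue asks the spec to settle.

```javascript
// Added example: secure-context and RP ID checks for WebAuthn origins,
// including the loopback cases discussed in w3c/webauthn#1204.
// ASSUMPTIONS: dotted-suffix check instead of a Public Suffix List lookup;
// "127.0.0.1" is treated as an acceptable RP ID (the issue's proposal).

function hostOf(origin) {
  // WHATWG URL keeps brackets around IPv6 literals; drop them so "::1" compares.
  const { protocol, hostname } = new URL(origin);
  return {
    scheme: protocol.replace(/:$/, ''),
    host: hostname.replace(/^\[|\]$/g, ''),
  };
}

function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');
}

function isLoopbackHost(host) {
  // 127.0.0.0/8 for IPv4, ::1/128 for IPv6 (URL parsing already normalises
  // forms such as "0:0:0:0:0:0:0:1" to "::1").
  return /^127(\.\d{1,3}){3}$/.test(host) || host === '::1';
}

function isSecureContextOrigin(origin, { localhostIsLoopback = false } = {}) {
  const { scheme, host } = hostOf(origin);
  if (scheme === 'https' || scheme === 'wss' || scheme === 'file') return true;
  if (isLoopbackHost(host)) return true;
  // The "at risk" carve-out from the issue: the name is only trustworthy if
  // the user agent guarantees it resolves to a loopback address.
  if (host === 'localhost' || host.endsWith('.localhost')) return localhostIsLoopback;
  return false;
}

function isAcceptableRpId(origin, rpId) {
  const { host } = hostOf(origin); // the origin's effective domain
  if (rpId === host) return true;
  // An IP literal has no registrable suffixes: "0.0.1" must not pass for
  // 127.0.0.1 even though it is a dotted suffix of the string.
  if (isIpLiteral(host)) return false;
  // ASSUMPTION: dotted-suffix check in place of a Public Suffix List lookup.
  return rpId.includes('.') && host.endsWith('.' + rpId);
}

function checkWebAuthnCall(origin, rpId, opts) {
  if (!isSecureContextOrigin(origin, opts)) {
    return { ok: false, reason: 'origin is not a secure context' };
  }
  if (!isAcceptableRpId(origin, rpId)) {
    return {
      ok: false,
      reason: `RP ID "${rpId}" is neither the effective domain nor a registrable suffix of it`,
    };
  }
  return { ok: true, reason: 'ok' };
}

// Constructed cases covering the situations raised in the issue.
const cases = [
  ['https://login.example.com', 'example.com', undefined],
  ['https://example.com', 'login.example.com', undefined],
  ['http://127.0.0.1:8000', '127.0.0.1', undefined],
  ['http://127.0.0.1:8000', '0.0.1', undefined],
  ['http://[::1]:8000', '::1', undefined],
  ['http://localhost:8000', 'localhost', undefined],
  ['http://localhost:8000', 'localhost', { localhostIsLoopback: true }],
  ['http://example.com', 'example.com', undefined],
];
for (const [origin, rpId, opts] of cases) {
  const r = checkWebAuthnCall(origin, rpId, opts);
  console.log(`${origin} rpId=${rpId} -> ${r.ok ? 'OK' : 'REJECT: ' + r.reason}`);
}
```

Running it shows the behaviour the issue wants pinned down: the 127.0.0.1 origin is accepted on plain http, while the localhost origin flips between accepted and rejected purely on the localhostIsLoopback flag, i.e. on the "at risk" carve-out.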