W3C home > Mailing lists > Public > public-webauthn@w3.org > August 2019

[webauthn] add indication of embedded, and perphaps cross-origin, operation in `collectedClientData` (#1271)

From: =JeffH via GitHub <sysbot+gh@w3.org>
Date: Fri, 09 Aug 2019 00:44:47 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-478745690-1565311486-sysbot+gh@w3.org>
equalsJeffH has just created a new issue for https://github.com/w3c/webauthn:

== add indication of embedded, and perphaps cross-origin, operation in `collectedClientData` ==
On the [2019-08-07 webauthn call](https://html.spec.whatwg.org/#child-browsing-context), we discussed whether we ought to capture an indication of whether the browsing context invoking the webauthn API is a [child browsing context](https://html.spec.whatwg.org/#child-browsing-context), i.e., whether it is framed and thus is within a [browsing context container](https://html.spec.whatwg.org/#browsing-context-container) (see [minutes](https://www.w3.org/2019/08/07-webauthn-minutes.html), search for "iframes" down near the bottom). If it is a [child browsing context](https://html.spec.whatwg.org/#child-browsing-context), then whether it is [same-origin with its ancestors](https://w3c.github.io/webappsec-credential-management/#same-origin-with-its-ancestors) is also of interest. 

The latter is already detected within the [credential management framework machinery](https://w3c.github.io/webappsec-credential-management/) and passed into the WebAuthn API's (internal-to-Credential-Management) methods, so at a minimum addressing this issue involves determining whether the current browsing context is framed or not and recording that in the [`collectedClientData`](https://www.w3.org/TR/webauthn-2/#dictdef-collectedclientdata).

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1271 using your GitHub account
Received on Friday, 9 August 2019 00:44:49 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:59:06 UTC