[webauthn] add indication of embedded, and perhaps cross-origin, operation in `collectedClientData` (#1271)

equalsJeffH has just created a new issue for https://github.com/w3c/webauthn:

== add indication of embedded, and perhaps cross-origin, operation in `collectedClientData` ==
On the [2019-08-07 webauthn call](https://html.spec.whatwg.org/#child-browsing-context), we discussed whether we ought to capture an indication of whether the browsing context invoking the webauthn API is a [child browsing context](https://html.spec.whatwg.org/#child-browsing-context), i.e., whether it is framed and thus is within a [browsing context container](https://html.spec.whatwg.org/#browsing-context-container) (see [minutes](https://www.w3.org/2019/08/07-webauthn-minutes.html), search for "iframes" down near the bottom). If it is a [child browsing context](https://html.spec.whatwg.org/#child-browsing-context), then whether it is [same-origin with its ancestors](https://w3c.github.io/webappsec-credential-management/#same-origin-with-its-ancestors) is also of interest. 

The latter is already detected within the [credential management framework machinery](https://w3c.github.io/webappsec-credential-management/) and passed into the WebAuthn API's (internal-to-Credential-Management) methods, so at a minimum addressing this issue involves determining whether the current browsing context is framed or not and recording that in the [`collectedClientData`](https://www.w3.org/TR/webauthn-2/#dictdef-collectedclientdata).






Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1271 using your GitHub account

Received on Friday, 9 August 2019 00:44:49 UTC
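
How a relying party could use such an indication once it is recorded in `collectedClientData`: this is an added example, not part of the original message or of the WebAuthn specification text. It assumes the indication is a boolean member named `crossOrigin` (the issue does not name the member); the policy object, helper names and all sample values are constructed.

```javascript
// Added example: relying-party check of clientDataJSON with a framing indicator.
// Assumption: the indicator is a boolean member named `crossOrigin`, true when
// the calling context is NOT same-origin with its ancestors.

// Helper to build constructed sample input (base64url, no padding).
function encodeClientData(obj) {
  return Buffer.from(JSON.stringify(obj), "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function decodeClientData(b64url) {
  const b64 = b64url.replace(/-/g, "+").replace(/_/g, "/");
  const parsed = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new Error("clientDataJSON is not a JSON object");
  }
  return parsed;
}

// policy: { type, challenge, origin, allowCrossOrigin } (hypothetical shape)
function checkClientData(clientDataB64url, policy) {
  let c;
  try {
    c = decodeClientData(clientDataB64url);
  } catch (e) {
    return { ok: false, reason: "malformed clientDataJSON" };
  }
  if (c.type !== policy.type) return { ok: false, reason: "unexpected type" };
  if (c.challenge !== policy.challenge) return { ok: false, reason: "challenge mismatch" };
  if (c.origin !== policy.origin) return { ok: false, reason: "origin mismatch" };

  // A client that predates the indicator omits it: report "unknown" so the
  // caller can decide, rather than silently treating it as top-level.
  if (c.crossOrigin === undefined) return { ok: true, framing: "unknown" };
  if (typeof c.crossOrigin !== "boolean") {
    return { ok: false, reason: "crossOrigin is not a boolean" };
  }
  if (c.crossOrigin && !policy.allowCrossOrigin) {
    return { ok: false, reason: "framed cross-origin call not allowed" };
  }
  return { ok: true, framing: c.crossOrigin ? "cross-origin" : "same-origin-with-ancestors" };
}
```

A single boolean of this kind only separates the cross-origin case; it does not tell a top-level context apart from a same-origin frame, which is the other half of what the issue asks for.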