Re: [webauthn] Clarify 127.0.0.1 in spec (#1204)

>> all domain names that resolve to 127.0.0.1 should have the same RP ID

>That would mean that processing WebAuthn requests depends on doing DNS resolution. And the DNS resolution at what time? At the time of the request? What if a network attacker changes the result after page load? At the time of loading? But loading doesn't have to involve DNS at all. I fear that is unworkable.

When I used the term "resolve", I did not mean DNS resolution. In fact, I hope that browser vendors don't try to resolve localhost via DNS and are able to leverage platform handling of loopback addresses (e.g. hosts files). If they have to resolve via DNS, I hope the requests get handled as per the guidance in https://tools.ietf.org/html/draft-ietf-dnsop-let-localhost-be-localhost-02.

@agl - does Chrome try to resolve localhost using DNS? What RP ID does Chrome currently assign to webpages hosted at 127.0.0.1?

-- 
GitHub Notification of comment by gmandyam
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1204#issuecomment-489250180 using your GitHub account

Received on Friday, 3 May 2019 21:48:06 UTC