- From: Adam Langley via GitHub <sysbot+gh@w3.org>
- Date: Fri, 10 May 2019 22:37:23 +0000
- To: public-webauthn@w3.org
> Let's go with this example. Assume that there is a web page hosted at 127.0.0.1 and it serves up a self-signed cert with foo.google.com.

Ok:

* DNS for foo.google.com resolves to 127.0.0.1
* Server on 127.0.0.1:443 serves self-signed certificate for foo.google.com
* User enters `https://foo.google.com`, browser loads from local server.
* User presumably overrides the certificate error.

Then yes, that JavaScript can exercise the RP ID `google.com`.

But your proposal was:

> All domain names that resolve to 127.0.0.1 should have the same RP ID

But here, `foo.google.com` is a domain name that resolves to 127.0.0.1, but it doesn't have the same RP ID as all other domains that resolve to 127.0.0.1.

--
GitHub Notification of comment by agl

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1204#issuecomment-491449121 using your GitHub account
Received on Friday, 10 May 2019 22:37:24 UTC
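
The scoping described in the message above, as an added example that is not part of the original message or of the WebAuthn project's code: a simplified RP ID check keyed on the page's host name, never on the address that name resolves to. The suffix set, the host `local.example.test` and all function names are assumptions made for illustration; real browsers consult the full Public Suffix List.

```javascript
// ASSUMPTION: constructed stand-in for the Public Suffix List, holding only
// the suffixes needed for the sample hosts below.
const PUBLIC_SUFFIXES = new Set(["com", "test"]);

// Registrable domain = longest matching public suffix plus one label.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix, or an IP literal such as 127.0.0.1
}

// True when rpId is the origin's host, or a parent of it that is no
// shorter than the host's registrable domain.
function rpIdAllowed(originUrl, rpId) {
  const host = new URL(originUrl).hostname;
  const id = rpId.toLowerCase();
  const reg = registrableDomain(host);
  if (reg === null) return false;
  const coversHost = id === host || host.endsWith("." + id);
  const notTooBroad = id === reg || id.endsWith("." + reg);
  return coversHost && notTooBroad;
}

// Constructed sample: two names that both resolve to loopback.
const RESOLVES_TO = {
  "foo.google.com": "127.0.0.1",
  "local.example.test": "127.0.0.1",
};

// RP IDs from `candidates` that a page served under `host` may claim.
function claimableRpIds(host, candidates) {
  return candidates.filter((id) => rpIdAllowed(`https://${host}`, id));
}

const CANDIDATES = ["google.com", "foo.google.com", "com",
                    "example.test", "local.example.test", "127.0.0.1"];
for (const [host, ip] of Object.entries(RESOLVES_TO)) {
  console.log(host, "->", ip, "may claim", claimableRpIds(host, CANDIDATES));
}
```

Both hosts share one IP address, yet the sets of RP IDs they may claim do not overlap, which is why resolution to 127.0.0.1 cannot define a common RP ID.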