Re: [webauthn] Prohibit Create Credential from cross-origin iframes (#1336)

From: J.C. Jones via GitHub <sysbot+gh@w3.org>
Date: Fri, 01 Nov 2019 18:14:33 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-548895117-1572632072-sysbot+gh@w3.org>

> @jcjones wrote:
> 
> > I would like to propose that we specify WebAuthn's Create Credential operation be only callable from the top-level context.
> 
> Do you actually mean to say "...only callable from browsing contexts that are top-level or [same-origin with their ancestors](https://www.w3.org/TR/credential-management-1/#same-origin-with-its-ancestors)" ?

Oops, yes, I apologize for my lack of rigor there -- I'll edit to be clearer.

-- 
GitHub Notification of comment by jcjones
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1336#issuecomment-548895117 using your GitHub account
Received on Friday, 1 November 2019 18:14:35 UTC