
[webauthn] Merged Pull Request: add indication of cross-origin operation in `collectedClientData`

From: =JeffH via GitHub <sysbot+gh@w3.org>
Date: Wed, 06 Nov 2019 20:09:06 +0000
To: public-webauthn@w3.org
Message-ID: <pull_request.closed-307133211-1573070944-sysbot+gh@w3.org>
equalsJeffH has just merged equalsJeffH's pull request 1276 for https://github.com/w3c/webauthn:

== add indication of cross-origin operation in `collectedClientData` ==
fixes #1271 #911

This webauthn PR is associated with w3c/webappsec-credential-management#138. It eliminates the `sameOriginWithAncestors` check from both `[[Create]]()` and `[[DiscoverFrom...]]()` and instead adds the inverse of its value to `collectedClientData` in the form of the `crossOrigin` boolean.

Cross-origin usage is now gated upon feature policy, per w3c/webappsec-credential-management#138.  Credman+WebAuthn default behavior remains the same as before:  allowed in same-origin contexts, disallowed in cross-origin contexts. Cross-origin usage can now be attained by the RP webdev/author by explicitly setting the `publickey-credentials` feature policy.

see also: https://github.com/w3c/webappsec-credential-management/pull/138#issuecomment-547247234


See https://github.com/w3c/webauthn/pull/1276
Received on Wednesday, 6 November 2019 20:09:07 UTC
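
The change described above moves the cross-origin decision to the Relying Party, which now has to read `crossOrigin` from the client data. The following is an added example, not part of the original message or of the w3c/webauthn repository: a server-side check of the decoded `clientDataJSON`. The `expected` object, its `allowCrossOrigin` flag, the function names and the sample values are assumptions made for illustration; signature verification is out of scope here.

```javascript
// Added example: RP-side policy check on clientDataJSON, including crossOrigin.
// Builds a constructed sample in the base64url form a client would send.
function encodeClientData(obj) {
  return Buffer.from(JSON.stringify(obj), "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function decodeB64url(s) {
  const b64 = String(s).replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64, "base64").toString("utf8");
}

// expected = { type, challenge, origin, allowCrossOrigin } (hypothetical shape)
function checkClientData(clientDataB64url, expected) {
  let c;
  try {
    c = JSON.parse(decodeB64url(clientDataB64url));
  } catch (e) {
    return { ok: false, reason: "malformed clientDataJSON" };
  }
  if (c === null || typeof c !== "object" || Array.isArray(c)) {
    return { ok: false, reason: "malformed clientDataJSON" };
  }
  if (c.type !== expected.type) return { ok: false, reason: "unexpected type" };
  if (c.challenge !== expected.challenge) {
    return { ok: false, reason: "challenge mismatch" };
  }
  if (c.origin !== expected.origin) return { ok: false, reason: "origin mismatch" };

  // Assumption: a client that predates this change omits the member, and such
  // clients refused cross-origin calls outright, so absence is read as false.
  let crossOrigin = false;
  if (Object.prototype.hasOwnProperty.call(c, "crossOrigin")) {
    // Only a real boolean is accepted; "false" or 0 must not slip through.
    if (typeof c.crossOrigin !== "boolean") {
      return { ok: false, reason: "crossOrigin is not a boolean" };
    }
    crossOrigin = c.crossOrigin;
  }
  // Default-deny mirrors the default described in the message: same-origin only,
  // unless the RP deliberately enabled the publickey-credentials feature policy.
  if (crossOrigin && !expected.allowCrossOrigin) {
    return { ok: false, reason: "cross-origin use not permitted" };
  }
  return { ok: true, crossOrigin };
}
```

Set `allowCrossOrigin` only for ceremonies the RP intends to run from an embedded frame, and log the returned `crossOrigin` value so unexpected embedded use is visible.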

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:59:08 UTC