[webauthn] Merged Pull Request: Fix #1285 - Remove icons from PublicKeyCredentialEntity

From: J.C. Jones via GitHub <sysbot+gh@w3.org>
Date: Wed, 30 Oct 2019 19:53:26 +0000
To: public-webauthn@w3.org
Message-ID: <pull_request.closed-333892613-1572465204-sysbot+gh@w3.org>

jcjones has just merged jcjones's pull request 1337 for https://github.com/w3c/webauthn:

== Fix #1285 - Remove icons from PublicKeyCredentialEntity ==
As discussed in issue #1285, the image URL fields for PublicKeyCredentialEntity,
while intended for user interface design, are potent correlation mechanisms if
they are downloaded by RPs. RPs would have to take extraordinary care, beyond
reasonable measures, to avoid uses by RPs with mal-intent to cross-correlate
accounts. It is better for User Agents to use existing origin/icon mechanisms for
their UX designs, or to define new such mechanisms as needed, that are
origin-wide rather than provide the possibility to embed detailed tracking
information into these URLs.

See https://github.com/w3c/webauthn/pull/1337
Received on Wednesday, 30 October 2019 19:53:28 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:59:08 UTC