Re: [webauthn] Consider allowing cross-domain credential use (#1372)

> Putting another hole in the same-origin policy with a new facet-like mechanism isn't necessary for the consumer example; our permissions issue in #1336 aside, the iframe mechanisms are or will be sufficient to avoid redirects, even though they aren't in Level 1.

If that's the case, why would the payments people Dirk spoke of insist on a requirement that at runtime *only* connections direct to the PSP be permitted, and not to the bank?


-- 
GitHub Notification of comment by sbweeden
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1372#issuecomment-585460591 using your GitHub account

Received on Wednesday, 12 February 2020 22:57:46 UTC