This seems to me like something the "credential owner" RP should have to actively opt in to, but I'm not sure how. Feature policy isn't really applicable. Maybe you could do something like a CORS preflight request and check for a response header? >A suggested mitigation is that any cred created with a RP ID not conformant with the creating RP's domain name MUST be a non-discoverable credential. I don't think you could build a sensible user experience from that. We don't expect users to know about the discoverability of their credentials, so it would be mighty confusing why some of their credentials work and some just don't. -- GitHub Notification of comment by emlun Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1372#issuecomment-653025271 using your GitHub accountReceived on Thursday, 2 July 2020 14:05:25 UTC
This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:41 UTC