Re: [webauthn] Consider allowing cross-domain credential use (#1372)

This seems to me like something the "credential owner" RP should have to actively opt in to, but I'm not sure how. Feature policy isn't really applicable. Maybe you could do something like a CORS preflight request and check for a response header?

> A suggested mitigation is that any cred created with a RP ID not conformant with the creating RP's domain name MUST be a non-discoverable credential.

I don't think you could build a sensible user experience from that. We don't expect users to know about the discoverability of their credentials, so it would be mighty confusing why some of their credentials work and some just don't.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1372#issuecomment-653025271 using your GitHub account

Received on Thursday, 2 July 2020 14:05:25 UTC