W3C home > Mailing lists > Public > public-webauthn@w3.org > July 2020

Re: [webauthn] Consider allowing cross-domain credential use (#1372)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Thu, 02 Jul 2020 14:03:59 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-653025271-1593698637-sysbot+gh@w3.org>
This seems to me like something the "credential owner" RP should have to actively opt in to, but I'm not sure how. Feature policy isn't really applicable. Maybe you could do something like a CORS preflight request and check for a response header?

>A suggested mitigation is that any cred created with a RP ID not conformant with the creating RP's domain name MUST be a non-discoverable credential.

I don't think you could build a sensible user experience from that. We don't expect users to know about the discoverability of their credentials, so it would be mighty confusing why some of their credentials work and some just don't.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1372#issuecomment-653025271 using your GitHub account
Received on Thursday, 2 July 2020 14:05:25 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 2 July 2020 14:05:26 UTC