[webauthn] largeBlob storage extension can be used to bypass 3p storage restrictions (#1518) from Pranjal Jumde via GitHub on 2020-11-16 (public-webauthn@w3.org from November 2020)

From: Pranjal Jumde via GitHub <sysbot+gh@w3.org>
Date: Mon, 16 Nov 2020 04:30:23 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-743460188-1605501022-sysbot+gh@w3.org>

jumde has just created a new issue for https://github.com/w3c/webauthn:

== largeBlob storage extension can be used to bypass 3p storage restrictions ==
3p cookie restrictions in different browsers prevent users to be tracked across sites by 3p sites. largeBlob does not have any restriction in terms of origin/access of blob data in 3p context. This can be used as a way to bypass 3p cookie restriction. 

Suggested Mitigation: Disallow largeBlob extension in 3p context. 

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1518 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 16 November 2020 04:30:25 UTC