Re: [webauthn] largeBlob storage extension can be used to bypass 3p storage restrictions (#1518)

Sorry, I'm not sure how to parse that syntax. Do you mean this...

>(iframes of `foo.com` [...] using the `foo.com` blob) can track users across sites

or this?

>(iframes of `foo.com` embedded on (different sites using the `foo.com` blob)) can track users across sites

If the former, then yes - if the iframe can successfully authenticate a user with a WebAuthn credential (which requires an active user gesture) then the iframe can of course identify the user. But I fail to see what that has to do with the blob.

If the latter, it's not supposed to be possible for different sites to exercise each other's credentials in a compliant browser.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1518#issuecomment-728956004 using your GitHub account



Received on Tuesday, 17 November 2020 14:15:24 UTC