- From: Pranjal Jumde via GitHub <sysbot+gh@w3.org>
- Date: Thu, 19 Nov 2020 19:04:12 +0000
- To: public-webauthn@w3.org
Thanks @nicksteele @kenrb @emlun for the feedback. From a DM conversation with @ve7jtb -

> me: If the blob can be accessed without user-authentication, the site-authors can use it as an alternative to 3p storage. Let's say `foo.com` is embedded as an iframe in `bar.com` and `baz.com`. If 3p storage is blocked by the user `foo.com`, the embedded frame has no way to identify the user. But, if largeBlob is accessible, `foo.com` can identify that user visited `bar.com` and `baz.com`.

> jbradley: It is only available to the RP via the largeblob extension if the user authenticates. Each large blob member is encrypted by the platform with a key that is part of a credential. largeblob is never directly accessible to an RP. It is accessible to the platform but that can't decrypt anything without an authentication, and that requires UP and possibly UV depending on the credprotect level.

--
GitHub Notification of comment by jumde
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1518#issuecomment-730575618 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 19 November 2020 19:04:14 UTC