- From: Akshay Kumar via GitHub <sysbot+gh@w3.org>
- Date: Thu, 26 Aug 2021 04:05:05 +0000
- To: public-webauthn@w3.org

@cyberphone, although your comments are related, I want this issue to be focused on the implications of opening up the webauthn API in cross-origin without iframe context to existing RPs who have nothing to do with payment scenarios. I would prefer not discussing the merits of SPC with other models on this issue.

For example, if I am an RP who does not care about payments at all, how do I prevent any random website from starting a webauthn operation on my behalf? It is more than just a nuisance for such an RP. It is also about the webauthn brand. Today an RP can say that no other website can invoke such an operation. And I would like that property to remain if we allow such a proposal. If that conversation changes to "we don't know who can invoke us and the RP has no control", that is a problem. Even if the server rejects such a response, it hurts the webauthn brand IMO.

--
GitHub Notification of comment by akshayku
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1667#issuecomment-906076452 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 26 August 2021 04:05:07 UTC