- From: John Bradley via GitHub <sysbot+gh@w3.org>
- Date: Wed, 03 Feb 2021 20:47:45 +0000
- To: public-webauthn@w3.org
I think that some RP will want to be assured that the assertion comes from a browser enforcing "no user recourse". That seems to be the main ask from NIST around HSTS, we already block JS that is loaded from an insecure origin. I think including hashes of all the certs from origins contributing to the request would be more useful in preventing attacks. -- GitHub Notification of comment by ve7jtb Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1554#issuecomment-772812311 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 3 February 2021 20:47:51 UTC