Re: [webauthn] Cross origin authentication without iframes (#1667)

( this issue is/was ostensibly about using webauthn in cross-origin iframes, perhaps a new issue ought to be opened for the "SPC bit" discussion. )

WRT @emlun and @ve7jtb's [above proposal](https://github.com/w3c/webauthn/issues/1667#issuecomment-957887836), while I'm sympathetic with the goal of finding a clean way to denote webauthn/fido creds as being "enabled"/"authorized" for use in payments contexts, the primary issue I see with this particular approach is that the [RP ID is defined](https://w3c.github.io/webauthn/#rp-id) as a [valid domain string](https://url.spec.whatwg.org/#valid-domain-string), not a URL (or [serialized origin](https://html.spec.whatwg.org/multipage/origin.html#ascii-serialisation-of-an-origin)). Setting them to the latter may be problematic.






-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1667#issuecomment-958444131 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 2 November 2021 23:48:32 UTC