W3C home > Mailing lists > Public > public-webauthn@w3.org > November 2021

Re: [webauthn] Cross origin authentication without iframes (#1667)

From: =JeffH via GitHub <sysbot+gh@w3.org>
Date: Tue, 02 Nov 2021 23:48:29 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-958444131-1635896907-sysbot+gh@w3.org>
( this issue is/was ostensibly about using webauthn in cross-origin iframes, perhaps a new issue ought to be opened for the "SPC bit" discussion. )

WRT @emlun and @ve7jtb's [above proposal](https://github.com/w3c/webauthn/issues/1667#issuecomment-957887836), while I'm sympathetic with the goal of finding a clean way to denote webauthn/fido creds as being "enabled"/"authorized" for use in payments contexts, the primary issue I see with this particular approach is that the [RP ID is defined](https://w3c.github.io/webauthn/#rp-id) as a [valid domain string](https://url.spec.whatwg.org/#valid-domain-string), not a URL (or [serialized origin](https://html.spec.whatwg.org/multipage/origin.html#ascii-serialisation-of-an-origin)). Setting them to the latter may be problematic.

GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1667#issuecomment-958444131 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 2 November 2021 23:48:32 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:44 UTC