Re: [webauthn] Cross origin authentication without iframes (accommodating SPC in WebAuthn) (#1667) from Stephen McGruer via GitHub on 2022-03-07 (public-webauthn@w3.org from March 2022)

From: Stephen McGruer via GitHub <sysbot+gh@w3.org>
Date: Mon, 07 Mar 2022 18:36:36 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1061004209-1646678194-sysbot+gh@w3.org>

> Not a problem if there is always an allow list.

The SPC spec currently requires an `allowList` ([we called it credentialIds](https://w3c.github.io/secure-payment-confirmation/#dom-securepaymentconfirmationrequest-credentialids)), so the short term seems ok.

Thinking long term - my gut feel is that 'we' (everyone) wouldn't want discoverable credentials to work cross-origin as it feels even more dicey security/privacy wise; but I may be wrong.

-- 
GitHub Notification of comment by stephenmcgruer
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1667#issuecomment-1061004209 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 7 March 2022 18:36:37 UTC