Re: [webauthn] Missing specification on rpId validations when calling credentials.get() from a different origin (#1731)

Thanks, that's a good point. The concern is that the [scope](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#scope) of a credential extends to parent domains, which means script on for example `usercontent.example.org` could exercise credentials scoped to `example.org` - but indeed the [`origin`](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#dom-collectedclientdata-origin) of such an assertion would give away that it was generated on the subdomain, if the RP checks for strict equality. But this could also open up for some forms of de-anonymization attacks regardless of whether or not the RP allows subdomain origins.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1731#issuecomment-1130904456 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 19 May 2022 01:11:11 UTC
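To make the origin check discussed above concrete, here is an added example of the relying-party-side checks that run before signature verification; it is not code from the thread or from the spec. It assumes a hypothetical RP with RP ID `example.org`, builds constructed `collectedClientData` and `authenticatorData` inline, and shows that an assertion produced on `usercontent.example.org` is rejected under a strict-equality origin policy but accepted if the RP opts in to subdomain origins, while the `rpIdHash` check is unaffected by that policy.

```python
import base64
import hashlib
import json
from urllib.parse import urlsplit

CHALLENGE = "c2FtcGxlLWNoYWxsZW5nZQ"  # constructed: base64url of the RP's stored challenge

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_client_data(origin: str, challenge: str = CHALLENGE) -> str:
    """Constructed collectedClientData, serialized the way a browser would (sample data, not real)."""
    return b64url(json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode())

def make_auth_data(rp_id: str, counter: int = 1) -> bytes:
    """Constructed authenticatorData: rpIdHash || flags (UP set) || 32-bit signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + counter.to_bytes(4, "big")

def origin_allowed(origin: str, rp_id: str, allow_subdomains: bool) -> bool:
    """RP policy for the origin field: strict equality with the RP ID host, or optionally any subdomain."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower()
    return host == rp_id or (allow_subdomains and host.endswith("." + rp_id))

def verify_assertion(client_data_b64: str, auth_data: bytes, rp_id: str,
                     expected_challenge: str = CHALLENGE, allow_subdomains: bool = False) -> dict:
    """RP-side checks on an assertion response; the signature check itself is omitted here."""
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return {"ok": False, "reason": "type"}
    if cd.get("challenge") != expected_challenge:
        return {"ok": False, "reason": "challenge"}
    origin = cd.get("origin", "")
    if not origin_allowed(origin, rp_id, allow_subdomains):
        # The browser records the calling origin, so an assertion made on
        # usercontent.example.org is rejected by a strict-equality RP even though
        # the credential itself is scoped to example.org.
        return {"ok": False, "reason": "origin", "origin": origin}
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return {"ok": False, "reason": "rpIdHash"}
    return {"ok": True, "origin": origin}
```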