Re: [webauthn] Missing specification on rpId validations when calling credentials.get() from a different origin (#1731)

Absolutely, but I've also seen legitimate use cases of this too. It's just that RPs need to make that decision about whether they want to open up to that or not.

And yes, the deanonymisation is always a problem. But that's also true in most IDMs anyway for various types of tokens/credentials/cookies and how subdomains work. Generally, as an IDM/RP you need to ensure that no subdomains of that IDM are usable, else you do open up to this. For example, if you are "example.com" then you bind to idm.example.com, rather than the top level.

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1731#issuecomment-1130916609 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 19 May 2022 01:15:50 UTC
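The subdomain exposure the comment describes, as an added example that is not from the thread or the WebAuthn project: a simplified model of the browser-side check that a requested rpId must equal, or be a registrable-domain suffix of, the calling origin's effective domain. The public-suffix set and the candidate origins are constructed for illustration.

```javascript
// Added example (not from the thread). Simplified model of the rpId check a
// browser applies before credentials.get(): the rpId must be equal to, or a
// registrable-domain suffix of, the caller's origin's effective domain.
// Assumption: this tiny hard-coded set stands in for the real Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk", "github.io"]);

function isPublicSuffix(host) {
  return PUBLIC_SUFFIXES.has(host);
}

// Effective domain of an origin; null if the origin is not a secure context.
function effectiveDomain(origin) {
  const url = new URL(origin);
  if (url.protocol !== "https:") return null;
  return url.hostname.toLowerCase();
}

// true if `rpId` may be used by script running at `origin`.
function rpIdAllowedForOrigin(rpId, origin) {
  const host = effectiveDomain(origin);
  if (host === null) return false;
  rpId = rpId.toLowerCase();
  if (isPublicSuffix(rpId)) return false; // "com" can never be an rpId
  if (host === rpId) return true;
  // Registrable-domain suffix: the host must end with "." + rpId.
  return host.endsWith("." + rpId);
}

// Which of a site's origins can invoke a given rpId? A top-level rpId is
// reachable from every subdomain (the exposure the comment warns about);
// binding to a dedicated IdM host limits it to that host alone.
function originsThatCanUse(rpId, origins) {
  return origins.filter((o) => rpIdAllowedForOrigin(rpId, o));
}

// Constructed sample origins under and outside one site.
const CANDIDATE_ORIGINS = [
  "https://example.com",
  "https://idm.example.com",
  "https://blog.example.com", // e.g. a host serving user-supplied content
  "https://evil.example.org",
  "http://idm.example.com",   // not a secure context
];

console.log(originsThatCanUse("example.com", CANDIDATE_ORIGINS));
console.log(originsThatCanUse("idm.example.com", CANDIDATE_ORIGINS));
```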