Re: [webauthn] Clarify how the given origin in the ClientDataJSON matches to the expected one (#1889)

I agree with @Kieun, the spec is too vague about origin matching. It references web origin [RFC6454](https://www.rfc-editor.org/rfc/rfc6454), but it doesn't mandate the origin to be a web origin. This allows, for example, the Android native API to send an `android:...` origin instead.

The spec should say that both client and RP origins must be web origins, if that's the case, and the origin matching should be done the same way RP ID matching is done. If it is not the case, and the origin can be just a string, then explicitly specify matching rules for such strings, i.e. string equality, binary equality, etc. If there are some constraints for the origin values, specify them as well.

Back to my example. Is `android:...` a valid value for the origin? If so, how do I match it? What if I get an `xyz:...` origin from the client, how should I match that?

If the phishing-resistance promise of WebAuthn is based on the origin (and RP ID), we should be very specific about origin matching.

-- 
GitHub Notification of comment by ndpar
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1889#issuecomment-1581418784 using your GitHub account
-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 7 June 2023 19:53:03 UTC
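An added example of the kind of explicit matching rule the comment asks for, written for this page and not taken from the thread or the WebAuthn spec: the RP parses the `origin` from clientDataJSON, compares web origins as RFC 6454 (scheme, host, port) tuples against an allow-list, applies the RP ID suffix rule to the host, and accepts a non-web origin such as `android:...` only by exact string equality with an allow-listed entry. It assumes Node's WHATWG `URL` parser, and the RP ID check is simplified to a plain domain-suffix test (the spec's registrable-domain rule would need a public-suffix list); all sample values are constructed.

```javascript
const DEFAULT_PORTS = { "https:": "443", "http:": "80" };

// Parse a serialized web origin into its RFC 6454 tuple (scheme, host, port).
// Returns null for anything that is not a plain web origin: non-http(s)
// schemes such as "android:...", or values carrying a path, query or userinfo.
function parseWebOrigin(s) {
  let u;
  try { u = new URL(s); } catch { return null; }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  if (u.username || u.password || u.search || u.hash || u.pathname !== "/") return null;
  // URL already lower-cases the host and drops a default port; restore the port
  return { scheme: u.protocol, host: u.hostname, port: u.port || DEFAULT_PORTS[u.protocol] };
}

// Two web origins match only if all three tuple components are equal.
function sameWebOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// RP ID rule applied to a host: equal to the host or a domain suffix of it.
// Simplification (assumption): the spec requires a *registrable* domain suffix,
// which needs a public-suffix list; that lookup is omitted here.
function rpIdMatchesHost(rpId, host) {
  return host === rpId || host.endsWith("." + rpId);
}

// Decide whether the origin reported by the client is acceptable.
// Web origins: RP ID must match the host AND the tuple must equal an allow-listed
// web origin. Anything else: accepted only by exact string equality with an entry
// the RP has deliberately put on the allow-list.
function originAllowed(reported, allowedOrigins, rpId) {
  const got = parseWebOrigin(reported);
  if (got === null) return allowedOrigins.includes(reported);
  if (!rpIdMatchesHost(rpId, got.host)) return false;
  return allowedOrigins.some((a) => {
    const exp = parseWebOrigin(a);
    return exp !== null && sameWebOrigin(got, exp);
  });
}

// Verify the decoded clientDataJSON text: type, challenge and origin, in that order.
// `expected` = { type, challenge, allowedOrigins, rpId } (constructed field names).
function verifyClientData(clientDataJSONText, expected) {
  let cd;
  try { cd = JSON.parse(clientDataJSONText); } catch { return { ok: false, reason: "json" }; }
  if (cd.type !== expected.type) return { ok: false, reason: "type" };
  if (cd.challenge !== expected.challenge) return { ok: false, reason: "challenge" };
  if (!originAllowed(cd.origin, expected.allowedOrigins, expected.rpId)) return { ok: false, reason: "origin" };
  return { ok: true };
}
```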