Re: [webauthn] Clarify how the given origin in the ClientDataJSON matches to the expected one (#1889)

> Back to my example. Is `android:...` a valid value for the origin? If so, how do I match it? What if I get `xyz:...` origin from the client, how should I match that?

Yes, this is a valid origin for an app on Android.

> If the phishing-resistance promise of WebAuthn is based on the origin (and RP ID), we should be very specific about origin matching.

RPs need to ensure that the origin included in clientData is an expected origin during verification.

-- 
GitHub Notification of comment by timcappalli
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1889#issuecomment-1581443823 using your GitHub account


Received on Wednesday, 7 June 2023 20:11:49 UTC
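An added example, not code from the thread or the WebAuthn spec: an RP-side clientDataJSON check in Python that treats the origin as an exact allowlist match, so an `android:apk-key-hash:` entry is accepted only when the RP has configured it, and unknown schemes such as `xyz:` are rejected. The allowlist, challenge and the Android key-hash value are constructed placeholders.

```python
import base64
import hmac
import json

# Constructed allowlist for this example: the exact origins this RP accepts.
# The Android entry's hash is a placeholder, not a real signing-key hash.
EXPECTED_ORIGINS = frozenset({
    "https://login.example.com",
    "android:apk-key-hash:PLACEHOLDER_BASE64URL_SHA256_OF_SIGNING_CERT",
})


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url as used throughout WebAuthn."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def verify_client_data(client_data_b64: str, expected_challenge: bytes,
                       expected_type: str = "webauthn.get") -> dict:
    """Return the parsed clientData if type, challenge and origin all check out.

    Origin matching is an exact, case-sensitive comparison against the
    allowlist: no prefix, substring or scheme-only matching.
    """
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != expected_type:
        raise ValueError("unexpected clientData type")
    got_challenge = b64url_decode(client_data.get("challenge", ""))
    if not hmac.compare_digest(got_challenge, expected_challenge):
        raise ValueError("challenge mismatch")
    origin = client_data.get("origin")
    if origin not in EXPECTED_ORIGINS:
        raise ValueError(f"origin not allowed: {origin!r}")
    return client_data


def make_client_data(origin: str, challenge: bytes, typ: str = "webauthn.get") -> str:
    """Build a constructed clientDataJSON, as a client would, for testing the check."""
    payload = {"type": typ,
               "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
               "origin": origin}
    return base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=").decode()


def origin_accepted(origin: str, challenge: bytes = b"constructed-challenge-32-bytes!!") -> bool:
    """Convenience wrapper: does a clientData carrying this origin pass verification?"""
    try:
        verify_client_data(make_client_data(origin, challenge), challenge)
        return True
    except ValueError:
        return False
```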