[webauthn] Clarify how the given origin in the ClientDataJSON matches to the expected one (#1889)

Kieun has just created a new issue for https://github.com/w3c/webauthn:

== Clarify how the given origin in the ClientDataJSON matches to the expected one ==
## Proposed Change

In the spec, there are multiple occurrences around origin matching.
For example, in section [7.1. Registering a New Credential](https://w3c.github.io/webauthn/#sctn-registering-a-new-credential), there is the following step.

> 9. Verify that the value of C.[origin](https://w3c.github.io/webauthn/#dom-collectedclientdata-origin) matches the [Relying Party](https://w3c.github.io/webauthn/#relying-party)'s [origin](https://html.spec.whatwg.org/multipage/origin.html#concept-origin).

Some implementations in OSS just maintain a list of acceptable origins and simply compare the given origin with the list by simple text equality.

It would be better to explain or add text about the matching logic in more detail.


Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1889 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 8 May 2023 06:16:09 UTC
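
The two matching strategies the issue contrasts, as an added example that is not part of the original message or of the WebAuthn specification: plain text equality against a configured list, next to comparison of canonical serialized origins. Reading "matches" as equality of (scheme, host, port) tuples is an assumption, and all function names and sample values are constructed for illustration.

```javascript
// Added example; function names and sample values are constructed.

// Exact text equality against the configured list, as the issue describes.
function matchesByText(clientOrigin, allowedOrigins) {
  return allowedOrigins.includes(clientOrigin);
}

// Assumption: two origins match when their (scheme, host, port) tuples are
// equal. The WHATWG URL parser lowercases the host and drops default ports.
function canonicalOrigin(value) {
  let url;
  try {
    url = new URL(value);
  } catch {
    return null; // not parseable as a URL
  }
  if (url.origin === "null") return null; // opaque origin, no tuple to compare
  if (url.pathname !== "/" || url.search || url.hash) return null;
  if (url.username || url.password) return null;
  return url.origin;
}

function matchesByOrigin(clientOrigin, allowedOrigins) {
  const got = canonicalOrigin(clientOrigin);
  if (got === null) return false;
  return allowedOrigins.some((a) => canonicalOrigin(a) === got);
}

// Extract C.origin from the raw clientDataJSON bytes.
function originFromClientData(clientDataJSON) {
  const text = new TextDecoder("utf-8", { fatal: true }).decode(clientDataJSON);
  const c = JSON.parse(text);
  if (typeof c.origin !== "string") throw new TypeError("no origin in clientData");
  return c.origin;
}

// Constructed configuration: entries an operator might type by hand.
const ALLOWED = ["https://login.example.com:443", "https://Example.com/"];
// Constructed clientDataJSON; browsers emit the serialized origin form.
const SAMPLE = new TextEncoder().encode(JSON.stringify({
  type: "webauthn.create",
  challenge: "Y29uc3RydWN0ZWQtY2hhbGxlbmdl",
  origin: "https://login.example.com",
}));

const clientOrigin = originFromClientData(SAMPLE);
console.log("text equality:", matchesByText(clientOrigin, ALLOWED));
console.log("origin equality:", matchesByOrigin(clientOrigin, ALLOWED));
```

With text equality, a non-canonical list entry silently rejects a legitimate client; canonicalizing both sides removes that failure while still rejecting a different scheme, port, or host.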