[webauthn] CollectedClientData.crossOrigin not referenced in RP (#2113)

emlun has just created a new issue for https://github.com/w3c/webauthn:

== CollectedClientData.crossOrigin not referenced in RP ==
Both [§7. WebAuthn Relying Party Operations](https://w3c.github.io/webauthn/#sctn-rp-operations) instructs to validate `CollectedClientData.origin` and `.topOrigin` (if present), but do not reference [`crossOrigin`](https://w3c.github.io/webauthn/#dom-collectedclientdata-crossorigin) at all.

## Proposed Change

Add a step to verify [`crossOrigin`](https://w3c.github.io/webauthn/#dom-collectedclientdata-crossorigin) in the RP operations. For example:

>- If _C_.[`crossOrigin`](https://w3c.github.io/webauthn/#dom-collectedclientdata-crossorigin) is present, verify that the [Relying Party](https://w3c.github.io/webauthn/#relying-party) expects that this credential would have been created within an iframe that is not [same-origin with its ancestors](https://w3c.github.io/webappsec-credential-management/#same-origin-with-its-ancestors).

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2113 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 7 August 2024 14:03:27 UTC
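
An added example, not part of the issue or of the WebAuthn specification: one way a Relying Party could apply the proposed `crossOrigin` step alongside the existing `origin` and `topOrigin` checks. The function name, the policy fields and the sample values are hypothetical, and treating `crossOrigin: true` as the case that needs an explicit RP expectation is an assumption.

```javascript
// Added example: hypothetical RP-side check of the embedding context in
// clientDataJSON. Policy fields (origins, allowCrossOrigin, topOrigins)
// are assumptions made for this sketch, not names from the specification.
function checkEmbeddingContext(clientDataJSON, policy) {
  let c;
  try {
    c = JSON.parse(Buffer.from(clientDataJSON).toString("utf8"));
  } catch {
    return { ok: false, reason: "clientDataJSON is not valid JSON" };
  }
  if (c === null || typeof c !== "object") {
    return { ok: false, reason: "clientDataJSON is not an object" };
  }
  // Existing step: origin must be one the RP expects.
  if (!policy.origins.includes(c.origin)) {
    return { ok: false, reason: "unexpected origin" };
  }
  // crossOrigin is optional; reject non-boolean values instead of coercing.
  if ("crossOrigin" in c && typeof c.crossOrigin !== "boolean") {
    return { ok: false, reason: "crossOrigin is not a boolean" };
  }
  const cross = c.crossOrigin === true;
  // Proposed step: a cross-origin iframe ceremony must be one the RP expects.
  if (cross && !policy.allowCrossOrigin) {
    return { ok: false, reason: "cross-origin use not expected" };
  }
  // Existing step: topOrigin, if present, must be expected by the RP.
  if (c.topOrigin !== undefined) {
    // Assumption: topOrigin is only meaningful together with crossOrigin true.
    if (!cross) {
      return { ok: false, reason: "topOrigin without crossOrigin true" };
    }
    if (!policy.topOrigins.includes(c.topOrigin)) {
      return { ok: false, reason: "unexpected topOrigin" };
    }
  }
  return { ok: true, reason: null };
}

// Constructed sample input: builds clientDataJSON bytes with placeholder values.
function sampleClientData(extra) {
  const base = { type: "webauthn.create", challenge: "Y29uc3RydWN0ZWQ",
                 origin: "https://rp.example" };
  return Buffer.from(JSON.stringify({ ...base, ...extra }), "utf8");
}

// Two constructed policies: one RP never embedded, one embedded by a partner.
const sameOriginOnly = { origins: ["https://rp.example"], allowCrossOrigin: false, topOrigins: [] };
const embeddable = { origins: ["https://rp.example"], allowCrossOrigin: true,
                     topOrigins: ["https://shop.example"] };
```

Without the `crossOrigin` check, the `sameOriginOnly` policy would accept a response carrying `crossOrigin: true` and no `topOrigin`, since only `origin` would be compared.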