- From: Matthew Miller via GitHub <sysbot+gh@w3.org>
- Date: Wed, 28 Aug 2024 16:48:05 +0000
- To: public-webauthn@w3.org
The following commits were just pushed by MasterKale to https://github.com/w3c/webauthn:

* Relax PublicKeyCredentialRequestOptions.rpId to DOMString

  Alternative resolution to issue #2066: https://github.com/w3c/webauthn/issues/2066

  Fixes #2066.

  This is a backwards-compatible change (changing a type bound in input (contravariant) position to be more permissive). This could have risked that WebAuthn calls in new implementations fail if run in clients that were built to the older spec and still enforce the `USVString` type in `get()`, but WebAuthn already defines that an RP ID must be a _valid domain string_:

  - A [valid domain string][1] must pass the _domain to ASCII_ procedure without error.
  - [Domain to ASCII][2] invokes the _processing steps in section 4_ of the same document.
  - Those processing steps begin with looking up each code point in the _IDNA mapping table_ and then returning an error if any code point was mapped to **disallowed**.
  - The [IDNA mapping table][3] notes that "Each table for a version of the Unicode Standard will always be backward compatible with previous versions of the table: only characters with the Status value **disallowed** may change in Status or Mapping value, [...]".
  - [Version 15.1.0 of the mapping table][4] maps the range U+D800..U+DFFF to **disallowed**. This is the range of surrogate code units.
  - Since this range is **disallowed** in version 15.1.0, it must also be **disallowed** in all previous versions.

  Conclusion: WebAuthn RP IDs are already always scalar value strings, because valid domain strings MUST NOT contain surrogate code units. Therefore this type relaxation is backwards compatible with WebAuthn clients that still enforce `USVString` type in `get()`.

  [1]: https://url.spec.whatwg.org/#valid-domain-string
  [2]: https://www.unicode.org/reports/tr46/#ToASCII
  [3]: https://www.unicode.org/Public/idna/
  [4]: https://www.unicode.org/Public/idna/15.1.0/IdnaMappingTable.txt

  by Emil Lundberg
  https://github.com/w3c/webauthn/commit/e3603f37a69233f2e9b64bc8a740a75be5796ffb

* Use simple exceptions instead

  by Matthew Miller
  https://github.com/w3c/webauthn/commit/f15b18b1609d96956016fdefb7457eed944263cb

* Add SecurityError reasons for related origins

  by Matthew Miller
  https://github.com/w3c/webauthn/commit/b95ca47ea95efd1569cdcf03159e2395e3faddc5

* Remove work from #2095

  by Matthew Miller
  https://github.com/w3c/webauthn/commit/097113a96b137cd445ee59e04b02d153b5708666

* Tweak SecurityError for Related Origins

  by Matthew Miller
  https://github.com/w3c/webauthn/commit/3e36885324a4153a5ce578487ea95a6b1f0f3b99

* Incorporate feedback from Emlun

  by Matthew Miller
  https://github.com/w3c/webauthn/commit/36dc20c78b7f004884229df5fad06059742b5c06

* Remove superfluous webidl spec reference

  by Matthew Miller
  https://github.com/w3c/webauthn/commit/fc5280160aa4f14c9f0f5821598159580ef755a3

* RPs won't get UnknownError authenticator errors

  by Matthew Miller
  https://github.com/w3c/webauthn/commit/419e71fd41f9ee41eca87d833b7f95878a908afc

* Wrap types in code tags

  by Matthew Miller
  https://github.com/w3c/webauthn/commit/2b692faccc91e9559ddace2d4405987f144158e0

* Apply RFC 8264 enforcement only to non-empty strings (#2073)

  * Disallow empty strings

  * Update index.bs

  Co-authored-by: Matthew Miller <matthew@millerti.me>

  * Apply RFC 8264 enforcement only to non-empty strings

  ---------

  Co-authored-by: Matthew Miller <matthew@millerti.me>

  by Michael B. Jones
  https://github.com/w3c/webauthn/commit/49325c8983c688c4526815ee008289aa9f276b1f

* Add PR template

  by Tim Cappalli
  https://github.com/w3c/webauthn/commit/d5f7c33a8e3b9170b0e1b3cf6a644464e9022d52

* Merge pull request #2098 from w3c/issue-2066-usvstring-alt

  Relax PublicKeyCredentialRequestOptions.rpId to DOMString

  by Emil Lundberg
  https://github.com/w3c/webauthn/commit/30061db80f7296f55b9bc22e16cf06d754e2a584

* adds links

  Co-authored-by: Nina Satragno <nsatragno@gmail.com>

  by Tim Cappalli
  https://github.com/w3c/webauthn/commit/902af61dc7aa15229b6aad92f0dd998e43de8f91

* Drop the supplementalPubKeys extension

  This extension will not have two interoperable implementations within the Level 3 timeframe.

  by Adam Langley
  https://github.com/w3c/webauthn/commit/2ec45f8b34638b0c62bb4208507bc4a76cd0ef4f

* Move position of `id` to match non-JSON ordering

  by Matthew Miller
  https://github.com/w3c/webauthn/commit/a5a12f6a76ee1624340b7b514822e48936836b76

* Move topOrigin definition after crossOrigin

  by Emil Lundberg
  https://github.com/w3c/webauthn/commit/998b863a07c03a888365927b8935c11b85b7c53d

* non-normative comment

  by Tim Cappalli
  https://github.com/w3c/webauthn/commit/4c22cbe8ad4fc5f441c024c3eb0fdb3fcb6d5ee7

* Change type of credProps.authenticatorDisplayName to DOMString

  As recommended by the Web IDL spec [1]:

  >Specifications should only use `USVString` for APIs that perform text
  >processing and need a string of scalar values to operate on. Most APIs that use
  >strings should instead be using `DOMString`, which does not make any
  >interpretations of the code units in the string. When in doubt, use `DOMString`.

  [1]: https://webidl.spec.whatwg.org/#idl-USVString

  by Emil Lundberg
  https://github.com/w3c/webauthn/commit/34d8b60de1f7e0e0e29b9f082e51ffa9012411dc

* Merge pull request #2047 from w3c/1859-differentiate-errors

  Help RP's understand actionable exceptions from `create()` and `get()`

  by Matthew Miller
  https://github.com/w3c/webauthn/commit/056ed8b71badb1bd47119032621ab85194177da5

* Merge pull request #2110 from w3c/mm/2082-publickeycredentialdescriptorjson-ordering

  Reorder PublicKeyCredentialDescriptorJSON values to match PublicKeyCredentialDescriptor

  by Matthew Miller
  https://github.com/w3c/webauthn/commit/2df9691d9537f4e54d1b83fc9707525e8e34dac0

* Restore (empty) Authenticator Extensions section

  by Emil Lundberg
  https://github.com/w3c/webauthn/commit/c6defa8da7ed656784d609b6ac8821123e242091

* Merge pull request #2109 from w3c/rmspk

  Drop the supplementalPubKeys extension

  by Emil Lundberg
  https://github.com/w3c/webauthn/commit/b308a66f89615409202ee15283797429b835a8ac

* Change id to DOMString

  by Matthew Miller
  https://github.com/w3c/webauthn/commit/769610ebc28afaad6604795722e4e15fc30fb8d1

* Merge pull request #2120 from w3c/mm/update-responsejson-id-type

  Change `*ResponseJSON.id` to `DOMString`

  by Matthew Miller
  https://github.com/w3c/webauthn/commit/9135ead6f32c02e0abb2a2c535c320cef8da1d56

* Remove MDN

  Removes contact MDN item

  by Tim Cappalli
  https://github.com/w3c/webauthn/commit/d261d9ebf8ca57b299ae97de33bfa6c2d185d4f9

* Merge pull request #2114 from w3c/issue-2101-toporigin-order

  Move topOrigin definition after crossOrigin

  by Emil Lundberg
  https://github.com/w3c/webauthn/commit/5f0701d0c35b3080d3b3f9a928b1b4373a98b7e4

* Merge pull request #2108 from w3c/tc-pr-template

  Add PR template

  by Tim Cappalli
  https://github.com/w3c/webauthn/commit/93193a1dcfddf6a6daa4726fafa4f556bff203ca

* Merge pull request #2115 from w3c/authenticatorDisplayName-DOMString

  Change type of credProps.authenticatorDisplayName to DOMString

  by Emil Lundberg
  https://github.com/w3c/webauthn/commit/6a795162349c0f7daa6d714bd6bff521dda5ed0d

* Merge branch 'main' into 2062-new-error-codes

  # Conflicts:
  #	index.bs

  by Matthew Miller
  https://github.com/w3c/webauthn/commit/d6ada588e1223e3265b2cfce2f383f82b2e41b18

-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 28 August 2024 16:48:06 UTC
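
The backwards-compatibility argument in the first commit message above can be checked mechanically. The following is an added example, not code from the WebAuthn specification or its repository: `toUSVString`, `domainToAscii` and `inspectRpId` are names made up here, the sample RP IDs are constructed, and the URL host parser is used only as an approximation of the _domain to ASCII_ step.

```javascript
// Added example; function names and sample values are this example's own.
// Web IDL DOMString -> USVString conversion: each unpaired surrogate code
// unit (U+D800..U+DFFF) becomes U+FFFD; well-formed pairs pass through.
function toUSVString(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    const isHigh = c >= 0xd800 && c <= 0xdbff;
    const isLow = c >= 0xdc00 && c <= 0xdfff;
    const next = i + 1 < s.length ? s.charCodeAt(i + 1) : 0;
    if (isHigh && next >= 0xdc00 && next <= 0xdfff) {
      out += s[i] + s[i + 1]; // valid pair: keep both code units
      i++;
    } else if (isHigh || isLow) {
      out += '\ufffd';        // lone surrogate: replaced
    } else {
      out += s[i];
    }
  }
  return out;
}

// Assumption: the URL host parser stands in for "domain to ASCII".
// It is not the full "valid domain string" check.
function domainToAscii(domain) {
  try {
    return new URL('https://' + domain).hostname;
  } catch {
    return null; // host parsing failed
  }
}

// What a client enforcing USVString would see for a given rpId.
function inspectRpId(rpId) {
  const scalarOnly = toUSVString(rpId) === rpId; // conversion is a no-op?
  return {
    scalarOnly,
    // A string with a lone surrogate cannot be a valid domain string,
    // so it is rejected before any host parsing.
    ascii: scalarOnly ? domainToAscii(rpId) : null,
  };
}

// Constructed sample inputs.
for (const id of ['example.com', 'bücher.example', '\ud800.example']) {
  console.log(JSON.stringify(id), inspectRpId(id));
}
```

For every input that survives as an RP ID, `scalarOnly` is true, so a client that still applies the `USVString` conversion passes on exactly the string the caller supplied.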