- From: Nick Steele via GitHub <sysbot+gh@w3.org>
- Date: Wed, 21 Feb 2024 20:24:01 +0000
- To: public-webauthn@w3.org
nicksteele has just merged abergs's pull request 2018 for https://github.com/w3c/webauthn:
== Adding flexibility in client origin scheme validation to align with real world implementations ==
I suggest adding a little bit of flexibility to the requirements on validating the scheme to be `https`. This is in response to the real world implementation by clients, where clients (browsers, chrome) allow webauthn on `localhost` running on the `http`-scheme. We've been receiving negative feedback for following this part of the spec. I wanted to suggest adding just a little bit of flexibility here, hopefully without opening a can of DNS worms.
I might be sticking my shin out here, since I know the topic of localhost has been brought up in previous calls with varying (dis)agreement, e.g. issue #1204 morphed into a discussion on DNS.
Either I'm misinterpreting the current writing, or it is quite clear about not allowing `http` in any case.
Original:

Updated:

***
<a href="https://pr-preview.s3.amazonaws.com/abergs/webauthn/pull/2018.html" title="Last updated on Feb 21, 2024, 5:57 PM UTC (9f8fa53)">Preview</a> | <a href="https://pr-preview.s3.amazonaws.com/w3c/webauthn/2018/73b3562...abergs:9f8fa53.html" title="Last updated on Feb 21, 2024, 5:57 PM UTC (9f8fa53)">Diff</a>
See https://github.com/w3c/webauthn/pull/2018
--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 21 February 2024 20:24:03 UTC
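The following is an added example, not code from the PR, the WebAuthn specification or any browser: a relying-party-side check of the `origin` carried in `clientDataJSON`, written in Python. It implements both readings discussed above: a strict mode in which only `https` origins pass, and an opt-in relaxed mode that admits `http` solely for loopback hosts (`localhost`, `127.0.0.1`, `::1`), which is the behaviour the PR author reports browsers already exhibit. The function names, the `allow_http_loopback` flag and the sample client data are constructed for this example; the loopback host list is an assumption about what "localhost" should mean and is deliberately an exact-match set, so `localhost.example` or a production host that merely contains the word does not qualify.

```python
"""Relying-party-side origin check for WebAuthn clientDataJSON (added example).

Strict mode: only https origins are accepted.
Relaxed mode (allow_http_loopback=True): http is additionally accepted,
but only when the host is a loopback host, so a developer running an RP on
http://localhost:8080 can test without switching the check off entirely.
"""
import base64
import json
from urllib.parse import urlsplit

# Assumption for this example: the hosts a browser treats as a secure
# context even over plain http. Exact matches only; no suffix matching.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses for clientDataJSON."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def origin_scheme_ok(origin: str, allow_http_loopback: bool = False) -> bool:
    """Return True if the origin string has an acceptable scheme and shape."""
    parts = urlsplit(origin)
    if parts.hostname is None:
        return False
    # An origin is scheme://host[:port] and nothing else: reject anything
    # carrying a path, query, fragment or userinfo component.
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return False
    if parts.scheme == "https":
        return True
    if parts.scheme == "http" and allow_http_loopback:
        return parts.hostname.lower() in LOOPBACK_HOSTS
    return False


def verify_client_data_origin(client_data_b64url: str, expected_type: str,
                              expected_origins: set[str],
                              allow_http_loopback: bool = False) -> dict:
    """Decode clientDataJSON and verify its type and origin.

    Returns the parsed client data on success and raises ValueError otherwise.
    The origin must be on the RP's explicit allow-list AND pass the scheme
    check, so allow-listing http://localhost:8080 still only works in
    relaxed mode, and an allow-listed non-loopback http origin never works.
    """
    client_data = json.loads(_b64url_decode(client_data_b64url))
    actual_type = client_data.get("type")
    if actual_type != expected_type:
        raise ValueError(f"unexpected type {actual_type!r}")
    origin = client_data.get("origin", "")
    if origin not in expected_origins:
        raise ValueError(f"origin {origin!r} is not on the RP's allow-list")
    if not origin_scheme_ok(origin, allow_http_loopback):
        raise ValueError(f"origin {origin!r} has a disallowed scheme")
    return client_data


def make_client_data(type_: str, origin: str,
                     challenge: str = "c29tZS1jaGFsbGVuZ2U") -> str:
    """Build a constructed clientDataJSON sample (not a real browser capture)."""
    raw = json.dumps({"type": type_, "challenge": challenge,
                      "origin": origin, "crossOrigin": False}).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


if __name__ == "__main__":
    production = {"https://example.com"}
    development = {"http://localhost:8080"}

    ok = verify_client_data_origin(
        make_client_data("webauthn.get", "https://example.com"),
        "webauthn.get", production)
    print("strict, https origin:", ok["origin"])

    try:
        verify_client_data_origin(
            make_client_data("webauthn.get", "http://localhost:8080"),
            "webauthn.get", development)
    except ValueError as exc:
        print("strict, http loopback rejected:", exc)

    ok = verify_client_data_origin(
        make_client_data("webauthn.get", "http://localhost:8080"),
        "webauthn.get", development, allow_http_loopback=True)
    print("relaxed, http loopback accepted:", ok["origin"])
```

Keeping the allow-list comparison as an exact string match and running the scheme check on top of it means the relaxed flag cannot be used to smuggle in an arbitrary `http` origin: the most it ever grants is plain-http access from the machine the RP itself runs on.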