[webauthn] Pull Request: Adding flexibility in client origin scheme validation to align with real world implementations

abergs has just submitted a new pull request for https://github.com/w3c/webauthn:

== Adding flexibility in client origin scheme validation to align with real world implementations ==
I suggest adding a little bit of flexibility to the requirements on validating the scheme to be `https`. This is in response to the real world implementation by clients, where clients (browsers, chrome) allow webauthn on `localhost` running on the `http`-scheme. We've been receiving negative feedback for following this part of the spec. I wanted to suggest adding just a little bit of flexibility here, hopefully without opening a can of DNS worms. 
I might be sticking my shin out here, since I know the topic of localhost has been brought up in previous calls with varying (dis)agreement. E.g. issue #1204 morphed into a discussion on DNS.

Maybe I'm misinterpreting the current writing, but to me it's quite clear about not allowing `http` in any case.
![CleanShot 2024-01-29 at 10 31 55](https://github.com/w3c/webauthn/assets/357283/8446eaa4-2303-4030-a7cf-306b74387c48)
See https://github.com/w3c/webauthn/pull/2018
-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 29 January 2024 09:40:47 UTC
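The relying-party side of the check the PR discusses, as an added illustration that is not part of the pull request or of the WebAuthn spec text: the RP decodes `clientDataJSON`, parses its `origin`, and decides whether the scheme is acceptable. The strict policy accepts only `https`; a deliberately narrow opt-in accepts `http` solely for a loopback host the RP itself expects, which is the leniency browsers already apply to `localhost`. The `LOOPBACK_HOSTS` set, the `allow_http_localhost` flag, the function names and the sample client data are all assumptions made for this example.

```python
import base64
import json
from urllib.parse import urlsplit

# Hostnames this example treats as loopback when http is tolerated for local
# development. Assumption: this set is RP policy for the example, not spec text.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def origin_allowed(origin, expected_hosts, allow_http_localhost=False):
    """Accept an https origin whose host the RP expects.

    When allow_http_localhost is True, additionally accept an http origin,
    but only for a loopback host that is also in expected_hosts, so the
    relaxation never extends to an arbitrary http origin.
    """
    parts = urlsplit(origin)
    host = parts.hostname
    # A serialized origin is scheme://host[:port] and nothing more.
    if host is None or parts.path or parts.query or parts.fragment:
        return False
    if host not in expected_hosts:
        return False
    if parts.scheme == "https":
        return True
    if parts.scheme == "http" and allow_http_localhost:
        return host in LOOPBACK_HOSTS
    return False


def check_client_data(client_data_b64url, expected_type, expected_hosts,
                      allow_http_localhost=False):
    """Decode base64url clientDataJSON and validate its type and origin.

    Returns the parsed dict on success and raises ValueError otherwise.
    (Challenge comparison is a separate step and is not shown here.)
    """
    padded = client_data_b64url + "=" * (-len(client_data_b64url) % 4)
    data = json.loads(base64.urlsafe_b64decode(padded))
    if data.get("type") != expected_type:
        raise ValueError("unexpected clientData type")
    origin = data.get("origin", "")
    if not origin_allowed(origin, expected_hosts, allow_http_localhost):
        raise ValueError(f"origin not accepted: {origin!r}")
    return data


# Constructed sample clientDataJSON, as a dev server on http://localhost:5000
# would receive it from a browser that permits WebAuthn on http localhost.
SAMPLE_CLIENT_DATA = base64.urlsafe_b64encode(json.dumps({
    "type": "webauthn.get",
    "challenge": "c2FtcGxlLWNoYWxsZW5nZQ",  # constructed placeholder challenge
    "origin": "http://localhost:5000",
    "crossOrigin": False,
}).encode()).rstrip(b"=").decode()

if __name__ == "__main__":
    # Strict policy (scheme must be https) rejects the sample ...
    try:
        check_client_data(SAMPLE_CLIENT_DATA, "webauthn.get", {"localhost"})
    except ValueError as err:
        print("strict:", err)
    # ... the opt-in accepts it, but only because the host is loopback.
    accepted = check_client_data(SAMPLE_CLIENT_DATA, "webauthn.get",
                                 {"localhost"}, allow_http_localhost=True)
    print("lenient:", accepted["origin"])
```

The point of keeping the relaxation behind an explicit flag and a loopback allow-list is that a production deployment can leave it off and behave exactly as the current text requires, while a developer running against `http://localhost` gets the behaviour the browsers already exhibit. Note that an `http` origin for a non-loopback host is rejected even with the flag set.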