- From: philomathic_life via GitHub <sysbot+gh@w3.org>
- Date: Fri, 19 Jul 2024 20:36:11 +0000
- To: public-webauthn@w3.org
zacknewman has just created a new issue for https://github.com/w3c/webauthn:

== CollectedClientData fields are not ordered correctly and crossOrigin should be required ==

The [WebIDL for `CollectedClientData`](https://www.w3.org/TR/webauthn-3/#dictdef-collectedclientdata) currently lists `topOrigin` _before_ `crossOrigin`; however [serialization](https://www.w3.org/TR/webauthn-3/#dictdef-collectedclientdata) is defined such that `crossOrigin` is written first. One could argue that the order of the IDL does not matter; however the note above it makes a point to call out the order:

> Note: The [CollectedClientData](https://www.w3.org/TR/webauthn-3/#dictdef-collectedclientdata) may be extended in the future. Therefore it’s critical when parsing to be tolerant of unknown keys and of any reordering of the keys. See also [§ 5.8.1.2 Limited Verification Algorithm](https://www.w3.org/TR/webauthn-3/#clientdatajson-verification).

Regardless, serialization and [the limited verification algorithm](https://www.w3.org/TR/webauthn-3/#clientdatajson-verification) require `crossOrigin` to exist; so shouldn't the IDL be updated to reflect that? I'm sure if this were updated, bugs like [this Firefox one](https://bugzilla.mozilla.org/show_bug.cgi?id=1888851) would not have happened.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2101 using your GitHub account

-- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 19 July 2024 20:36:11 UTC
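
An added illustration of the point the issue raises (not part of the original message or of the WebAuthn specification): a simplified prefix-style check that relies on the serialization order `type`, `challenge`, `origin`, `crossOrigin`, next to a tolerant JSON parse. The helper names, the sample values and the use of `JSON.stringify` in place of the spec's own string serialization are assumptions, and `topOrigin` matching is left out.

```javascript
// Values the relying party expects (constructed sample data).
const EXPECTED = {
  type: 'webauthn.get',
  challenge: 'Y2hhbGxlbmdl',
  origin: 'https://rp.example',
};

// Constructed clientDataJSON samples, not captured from any browser.
const SAMPLES = {
  // Keys in serialization order, crossOrigin present.
  conforming: '{"type":"webauthn.get","challenge":"Y2hhbGxlbmdl","origin":"https://rp.example","crossOrigin":false}',
  // crossOrigin omitted, which the optional IDL member allows.
  missingCrossOrigin: '{"type":"webauthn.get","challenge":"Y2hhbGxlbmdl","origin":"https://rp.example"}',
  // Keys in IDL order: topOrigin written before crossOrigin.
  idlOrder: '{"type":"webauthn.get","challenge":"Y2hhbGxlbmdl","origin":"https://rp.example","topOrigin":"https://top.example","crossOrigin":true}',
};

// Build the leading text a prefix-style verifier expects to see.
// Assumption: JSON.stringify matches the spec's string serialization for these ASCII values.
function expectedPrefix({ type, challenge, origin }, crossOrigin) {
  return '{"type":' + JSON.stringify(type) +
    ',"challenge":' + JSON.stringify(challenge) +
    ',"origin":' + JSON.stringify(origin) +
    ',"crossOrigin":' + (crossOrigin ? 'true' : 'false');
}

// Prefix-style check: no JSON parser, so it depends on key order and on
// crossOrigin being present. Anything after the prefix is tolerated.
function prefixVerify(clientDataJSON, expected, crossOrigin = false) {
  const prefix = expectedPrefix(expected, crossOrigin);
  if (!clientDataJSON.startsWith(prefix)) return false;
  const next = clientDataJSON[prefix.length];
  return next === ',' || next === '}';
}

// Tolerant check: full parse, ignores key order and unknown keys.
// Assumption: an absent crossOrigin is treated as false.
function tolerantVerify(clientDataJSON, expected, crossOrigin = false) {
  let c;
  try { c = JSON.parse(clientDataJSON); } catch { return false; }
  return c.type === expected.type &&
    c.challenge === expected.challenge &&
    c.origin === expected.origin &&
    (c.crossOrigin ?? false) === crossOrigin;
}
```

The two verifiers agree only on the `conforming` sample; the other two pass the tolerant parse and fail the prefix check, which is the interoperability gap between the IDL and the serialization that the issue describes.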