- From: philomathic_life via GitHub <sysbot+gh@w3.org>
- Date: Mon, 22 Jul 2024 15:24:37 +0000
- To: public-webauthn@w3.org
zacknewman has just created a new issue for https://github.com/w3c/webauthn:

== Add `topOrigin` to the limited verification algorithm ==

I rely on the [limited verification algorithm](https://www.w3.org/TR/webauthn-3/#clientdatajson-verification) for my WebAuthn RP library, but I had to amend it to validate [`topOrigin`](https://www.w3.org/TR/webauthn-3/#dom-collectedclientdata-toporigin). Is there no way this can be added to the spec? I realize backward compatibility is likely the reason it was not added, but could there be a step mentioning optional steps? Or perhaps a section for an alternative "limited verification algorithm" that _doesn't_ guarantee backward compatibility? In my implementation, I added sub-step 6 to step 1 and sub-step 2 (and two sub-steps of it) to step 11:

> 1\. The inputs to the algorithm are:
>     1\. A bytestring, _clientDataJSON_, that contains `clientDataJSON`— the serialized `CollectedClientData` that is to be verified.
>     ⋮
>     6\. A string, _topOrigin_, that contains the expected `topOrigin` that issued the request to the user agent if _crossOrigin_ is true and if available.
> ⋮
> 11\. If _crossOrigin_ is true:
>     1\. Append 0x74727565 (`true`) to _expected_.
>     2\. If _topOrigin_ exists:
>         1\. Append 0x2c22746f704f726967696e223a (`,"topOrigin":`) to _expected_.
>         2\. Append CCDToString(`topOrigin`) to _expected_.
> 12\. Otherwise, i.e. _crossOrigin_ is false:

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2102 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
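The amended algorithm from the issue, written out as an added Python example (not the author's RP library and not spec text). CCDToString and the expected-prefix steps follow the spec's serialization; the closing prefix and trailing-byte check is my reading of the spec's final steps, and the sample clientDataJSON, challenge and origins are constructed.

```python
import base64
from typing import Optional
def ccd_to_string(s: str) -> bytes:
    # CCDToString: quote a string using the spec's fixed escaping rules.
    out = bytearray(b'"')
    for ch in s:
        if ch == '"':
            out += b'\\"'
        elif ch == "\\":
            out += b"\\\\"
        elif ord(ch) < 0x20:
            out += b"\\u%04x" % ord(ch)  # control characters as \u00XX
        else:
            out += ch.encode("utf-8")
    return bytes(out + b'"')

def limited_verify(client_data_json: bytes, type_: str, challenge: bytes,
                   origin: str, cross_origin: bool,
                   top_origin: Optional[str] = None) -> bool:
    # Build the expected serialization prefix exactly as the spec does.
    expected = bytearray(b'{"type":') + ccd_to_string(type_)
    b64 = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode("ascii")
    expected += b',"challenge":' + ccd_to_string(b64)
    expected += b',"origin":' + ccd_to_string(origin)
    expected += b',"crossOrigin":'
    if not cross_origin:
        expected += b"false"
    else:
        expected += b"true"
        # Proposed step 11.2: bind the expected top-level origin when the RP knows it.
        if top_origin is not None:
            expected += b',"topOrigin":' + ccd_to_string(top_origin)
    if not client_data_json.startswith(bytes(expected)):
        return False
    # Closing check: the prefix must be followed by "}" (end) or "," (more members).
    if len(client_data_json) <= len(expected):
        return False
    return client_data_json[len(expected)] in b",}"

# Constructed sample: a cross-origin assertion for rp.example framed by embedder.example.
CHALLENGE = bytes(range(1, 9))
CLIENT_DATA_JSON = (b'{"type":"webauthn.get","challenge":"AQIDBAUGBwg",'
                    b'"origin":"https://rp.example","crossOrigin":true,'
                    b'"topOrigin":"https://embedder.example"}')

if __name__ == "__main__":
    args = (CLIENT_DATA_JSON, "webauthn.get", CHALLENGE, "https://rp.example", True)
    print(limited_verify(*args))                              # True: stock steps ignore topOrigin
    print(limited_verify(*args, "https://embedder.example"))  # True: matches the expected top origin
    print(limited_verify(*args, "https://other.example"))     # False: rejected by the added step
```

The first call shows the gap the issue raises: without the added step the stock algorithm accepts this clientDataJSON whatever `topOrigin` it carries.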
Received on Monday, 22 July 2024 15:24:38 UTC