[webauthn] Use URI instead of URL for related origins (#2103)

opotonniee has just created a new issue for https://github.com/w3c/webauthn:

== Use URI instead of URL for related origins ==
I don't know if this has already been discussed (I suspect so!), but I couldn't find it in this project's issues:

The "Validating Related Origins" section only allows listing URL values in the "origins" field. This is fine for related web applications.
Could we extend this feature to also list related mobile applications, by allowing mobile-specific URIs to be listed, such as:

- `android:apk-key-hash:<sha1_hash-of-apk-signing-cert>`
- `ios:<application-identifier-prefix>.<bundle-identifier>`

This would ultimately allow replacing the current proprietary well-known files (`assetlinks.json` for Android, `apple-app-site-association` for iOS) with a single, standardized file.

Corresponding changes to the specification would be:
- valid related origin values are URIs instead of URLs
- if the URI scheme is https, then the existing description still stands
- if the URI has another scheme and the client does not recognize it, then it must silently ignore the entry
- if the client recognizes the URI scheme, it should validate that the application issuing the WebAuthn request matches the URI
- optionally, the spec could define URIs for Android and iOS apps (see above)
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2103 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 22 July 2024 17:53:34 UTC
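The scheme-dispatch rule proposed in the issue (https entries handled by the existing related-origins check, recognized app schemes matched against the calling application, anything else silently ignored), written out as a client-side check. This is an added example, not code from the w3c/webauthn specification or from the issue author. Assumptions of the example: the `caller` object shape (`{kind: "web", origin}` or `{kind: "app", id}`), the app identifier strings in the sample document, exact string comparison for app identifiers, eTLD+1 approximated as the last two host labels (the real algorithm uses the Public Suffix List), and a budget of 5 distinct eTLD+1 labels for https entries, beyond which further entries are skipped.

```javascript
// Added example (not code from the w3c/webauthn spec or from the issue author):
// a client-side check for the proposed URI-based "origins" list.

const MAX_LABELS = 5; // budget of distinct eTLD+1 labels for https entries (assumed value)

// Constructed sample .well-known/webauthn body mixing https origins and app URIs.
const SAMPLE_WELL_KNOWN = JSON.stringify({
  origins: [
    "https://login.example.com",
    "https://example.co.uk",
    "android:apk-key-hash:1234abcd",     // opaque app identifier (constructed value)
    "ios:ABCDE12345.com.example.app",    // opaque app identifier (constructed value)
    "weird-scheme:whatever",             // unknown scheme: must be ignored
    "not a uri",                         // malformed entry: ignored
  ],
});

// Split "scheme:rest" per the RFC 3986 scheme grammar; null if there is no scheme.
function parseEntry(entry) {
  const m = /^([A-Za-z][A-Za-z0-9+.\-]*):(.*)$/.exec(entry);
  return m ? { scheme: m[1].toLowerCase(), rest: m[2] } : null;
}

// Approximation of eTLD+1: last two host labels. Assumption for the example only;
// a real client must use the Public Suffix List.
function etldPlus1(hostname) {
  const labels = hostname.toLowerCase().split(".");
  return labels.slice(-2).join(".");
}

// caller: { kind: "web", origin: "https://..." } for a web page, or
//         { kind: "app", id: "android:apk-key-hash:..." } for a native app
//         (caller shape is an assumption of this example).
// recognizedSchemes: the non-https schemes this client knows how to verify.
// Returns true if the caller is an acceptable related origin for the RP.
function validateRelatedOrigin(wellKnownBody, caller, recognizedSchemes = new Set(), maxLabels = MAX_LABELS) {
  let doc;
  try { doc = JSON.parse(wellKnownBody); } catch { return false; }
  if (!doc || !Array.isArray(doc.origins)) return false;

  let callerOrigin = null;
  if (caller.kind === "web") {
    try { callerOrigin = new URL(caller.origin).origin; } catch { return false; }
  }

  const labelsSeen = new Set();
  for (const raw of doc.origins) {
    if (typeof raw !== "string") continue;
    const parsed = parseEntry(raw);
    if (!parsed) continue; // malformed entry: ignore

    if (parsed.scheme === "https") {
      // Existing web-origin path: exact origin match, bounded by the eTLD+1 budget.
      let url;
      try { url = new URL(raw); } catch { continue; }
      if (url.protocol !== "https:") continue;
      const label = etldPlus1(url.hostname);
      if (!labelsSeen.has(label)) {
        if (labelsSeen.size >= maxLabels) continue; // over budget: skip this entry
        labelsSeen.add(label);
      }
      if (callerOrigin !== null && url.origin === callerOrigin) return true;
    } else if (recognizedSchemes.has(parsed.scheme)) {
      // Recognized app scheme: the platform-supplied app identity must match exactly.
      if (caller.kind === "app" && caller.id === raw) return true;
    }
    // Any other scheme is silently ignored, as the proposal requires.
  }
  return false;
}
```

Note that a web caller can never match an app entry and an app caller can never match an https entry: the two branches compare different identities, which is the property that keeps an attacker-controlled web origin from riding on an app identifier (or the reverse). A client that does not recognize `android:` or `ios:` simply never reaches the app branch, so the same file serves both old and new clients.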