[webauthn] new commits pushed by emlun from Emil Lundberg via GitHub on 2024-07-31 (public-webauthn@w3.org from July 2024)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Wed, 31 Jul 2024 18:29:52 +0000
To: public-webauthn@w3.org
Message-ID: <push-30061db80f7296f55b9bc22e16cf06d754e2a584-1722450590-sysbot+gh@w3.org>

The following commits were just pushed by emlun to https://github.com/w3c/webauthn:

* Relax PublicKeyCredentialRequestOptions.rpId to DOMString

Alternative resolution to issue #2066: https://github.com/w3c/webauthn/issues/2066

Fixes #2066.

This is a backwards-compatible change (changing a type bound in
input (contravariant) position to be more permissive). This could have risked
that WebAuthn calls in new implementations fail if run in clients that were
built to the older spec and still enforce the `USVString` type in `get()`, but
WebAuthn already defines that an RP ID must be a _valid domain string_:

- A [valid domain string][1] must pass the _domain to ASCII_ procedure without
  error.
- [Domain to ASCII][2] invokes the _processing steps in section 4_ of the same
  document.
- Those processing steps begin with looking up each code point in the _IDNA
  mapping table_ and then returning an error if any code point was mapped
  to **disallowed**.
- The [IDNA mapping table][3] notes that "Each table for a version of the
  Unicode Standard will always be backward compatible with previous versions of
  the table: only characters with the Status value **disallowed** may change in
  Status or Mapping value, [...]".
- [Version 15.1.0 of the mapping table][4] maps the range U+D800..U+DFFF
  to **disallowed**. This is the range of surrogate code units.
- Since this range is **disallowed** in version 15.1.0, it must also
  be **disallowed** in all previous versions.

Conclusion: WebAuthn RP IDs are already always scalar value strings, because
valid domain strings MUST NOT contain surrogate code units. Therefore this type
relaxation is backwards compatible with WebAuthn clients that still enforce
`USVString` type in `get()`.

[1]: https://url.spec.whatwg.org/#valid-domain-string
[2]: https://www.unicode.org/reports/tr46/#ToASCII
[3]: https://www.unicode.org/Public/idna/
[4]: https://www.unicode.org/Public/idna/15.1.0/IdnaMappingTable.txt
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/e3603f37a69233f2e9b64bc8a740a75be5796ffb

* Merge pull request #2098 from w3c/issue-2066-usvstring-alt

Relax PublicKeyCredentialRequestOptions.rpId to DOMString
  by Emil Lundberg
https://github.com/w3c/webauthn/commit/30061db80f7296f55b9bc22e16cf06d754e2a584



-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 31 July 2024 18:29:53 UTC