[w3c/webauthn] e3603f: Relax PublicKeyCredentialRequestOptions.rpId to DO... from Emil Lundberg on 2024-07-31 (public-webauthn@w3.org from July 2024)

From: Emil Lundberg <noreply@github.com>
Date: Wed, 31 Jul 2024 11:30:11 -0700
To: public-webauthn@w3.org
Message-ID: <w3c/webauthn/push/refs/heads/main/49325c-30061d@github.com>

  Branch: refs/heads/main
  Home:   https://github.com/w3c/webauthn
  Commit: e3603f37a69233f2e9b64bc8a740a75be5796ffb
      https://github.com/w3c/webauthn/commit/e3603f37a69233f2e9b64bc8a740a75be5796ffb
  Author: Emil Lundberg <emil@yubico.com>
  Date:   2024-07-17 (Wed, 17 Jul 2024)

  Changed paths:
    M index.bs

  Log Message:
  -----------
  Relax PublicKeyCredentialRequestOptions.rpId to DOMString

Alternative resolution to issue #2066: https://github.com/w3c/webauthn/issues/2066

Fixes #2066.

This is a backwards-compatible change (changing a type bound in
input (contravariant) position to be more permissive). This could have risked
that WebAuthn calls in new implementations fail if run in clients that were
built to the older spec and still enforce the `USVString` type in `get()`, but
WebAuthn already defines that an RP ID must be a _valid domain string_:

- A [valid domain string][1] must pass the _domain to ASCII_ procedure without
  error.
- [Domain to ASCII][2] invokes the _processing steps in section 4_ of the same
  document.
- Those processing steps begin with looking up each code point in the _IDNA
  mapping table_ and then returning an error if any code point was mapped
  to **disallowed**.
- The [IDNA mapping table][3] notes that "Each table for a version of the
  Unicode Standard will always be backward compatible with previous versions of
  the table: only characters with the Status value **disallowed** may change in
  Status or Mapping value, [...]".
- [Version 15.1.0 of the mapping table][4] maps the range U+D800..U+DFFF
  to **disallowed**. This is the range of surrogate code units.
- Since this range is **disallowed** in version 15.1.0, it must also
  be **disallowed** in all previous versions.

Conclusion: WebAuthn RP IDs are already always scalar value strings, because
valid domain strings MUST NOT contain surrogate code units. Therefore this type
relaxation is backwards compatible with WebAuthn clients that still enforce
`USVString` type in `get()`.

[1]: https://url.spec.whatwg.org/#valid-domain-string
[2]: https://www.unicode.org/reports/tr46/#ToASCII
[3]: https://www.unicode.org/Public/idna/
[4]: https://www.unicode.org/Public/idna/15.1.0/IdnaMappingTable.txt


  Commit: 30061db80f7296f55b9bc22e16cf06d754e2a584
      https://github.com/w3c/webauthn/commit/30061db80f7296f55b9bc22e16cf06d754e2a584
  Author: Emil Lundberg <emil@yubico.com>
  Date:   2024-07-31 (Wed, 31 Jul 2024)

  Changed paths:
    M index.bs

  Log Message:
  -----------
  Merge pull request #2098 from w3c/issue-2066-usvstring-alt

Relax PublicKeyCredentialRequestOptions.rpId to DOMString


Compare: https://github.com/w3c/webauthn/compare/49325c8983c6...30061db80f72

To unsubscribe from these emails, change your notification settings at https://github.com/w3c/webauthn/settings/notifications

Received on Wednesday, 31 July 2024 18:30:16 UTC