- From: Ken Buchanan via GitHub <sysbot+gh@w3.org>
- Date: Fri, 11 Oct 2024 21:34:50 +0000
- To: public-webauthn@w3.org
That sounds like a reasonable thing that a browser could do, but someone in an offline discussion pointed out to me that this all has to be possible for the underlying platforms to implement as well. In cases where browsers pass requests through to platform WebAuthn APIs, it will be they who are fetching the challenge, not the browsers. This causes some problems, including for the explainer as currently written. For one, it means the request should not be credentialed. It is undesirable for browsers to be passing user session cookies, for example, to passkey providers. Also, while it might be possible to specify a set of arguments that RPs can add for certain special handling of the request (such as additional HTTP headers), passkey providers in general shouldn't be expected to have up-to-date implementations of the Fetch API, which would be implied if we allowed a resource `Request` as a parameter. -- GitHub Notification of comment by kenrb Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2152#issuecomment-2408149234 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 11 October 2024 21:34:51 UTC