- From: Ken Buchanan via GitHub <sysbot+gh@w3.org>
- Date: Wed, 30 Oct 2024 21:46:21 +0000
- To: public-webauthn@w3.org
I've somewhat expanded and modified the explainer, fleshing out some of the concerns I mentioned above. Unfortunately, for this to be viable I think we have to make it considerably _more_ restrictive for RPs, rather than less, for reasons that are now in [the security section](https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-challengeURL#security). I understand this might make it more difficult for RPs to deploy. The proposed constraints are:

* The user agent must reject any URL that does not use the `https:` scheme.
* The user agent must reject any URL that is not same-site with the RP (i.e. under the same registrable domain).
* The user agent must ensure that the request conforms to the page's Content Security Policy, such as the default-src directive.
* The fetching application must send the challengeURL request uncredentialed.
* The fetching application must not follow redirects.
* The fetching application must reject a response if there is any error in TLS certificate validation.
* The fetching application must reject a response that does not have the specified (non-standard) Content-type header.

RPs can use a query string in the URL to convey information to the challengeURL endpoint.

--
GitHub Notification of comment by kenrb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2152#issuecomment-2448477238 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 30 October 2024 21:46:22 UTC
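The constraints proposed in the comment above, written out as an added JavaScript checker that is not from the WebAuthn specification, any browser, or the commenter. It assumes a placeholder media type for the "specified (non-standard) Content-type" (the proposal does not name one), a constructed stub of the public suffix list for the same-site check, and leaves the CSP check to the embedding page.

```javascript
// Added example: checks a candidate challengeURL and its response against the
// proposed constraints. Not spec or browser code; values marked below are
// placeholders or constructed stubs, not from the proposal.

// Placeholder: the proposal only says "specified (non-standard)" media type.
const EXPECTED_CONTENT_TYPE = 'application/x-placeholder-webauthn-challenge';

// Constructed stub of a public suffix list; a real check must use the PSL.
const PUBLIC_SUFFIXES = new Set(['com', 'org', 'co.uk']);

// Registrable domain = public suffix plus one label (eTLD+1), or null when
// the host is itself a public suffix or uses a suffix we do not know.
function registrableDomain(host) {
  const labels = host.toLowerCase().split('.');
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join('.');
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(i - 1).join('.');
  }
  return null;
}

// Pre-request checks: https scheme and same-site with the RP origin.
// The CSP check (default-src etc.) belongs to the page context and is omitted.
function validateChallengeUrl(candidate, rpOrigin) {
  let url;
  try { url = new URL(candidate); } catch { return { ok: false, reason: 'unparseable URL' }; }
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme must be https' };
  const rpHost = new URL(rpOrigin).hostname;
  const a = registrableDomain(url.hostname), b = registrableDomain(rpHost);
  if (a === null || a !== b) return { ok: false, reason: 'not same-site with RP' };
  return { ok: true, reason: '' };
}

// fetch() options for "uncredentialed" and "must not follow redirects":
// redirect: 'error' makes fetch reject instead of following a 3xx.
function challengeFetchInit() {
  return { credentials: 'omit', redirect: 'error', cache: 'no-store' };
}

// Post-response checks on metadata only; TLS validation errors surface as a
// rejected fetch promise before this point, so they are not re-checked here.
function validateChallengeResponse({ status, headers, redirected }) {
  if (redirected) return { ok: false, reason: 'redirect followed' };
  if (status !== 200) return { ok: false, reason: `unexpected status ${status}` };
  const ct = (headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (ct !== EXPECTED_CONTENT_TYPE) return { ok: false, reason: 'unexpected Content-Type' };
  return { ok: true, reason: '' };
}
```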