Re: [webauthn] Need to have authenticator-only extensions (#2331)

> > This is not a spec concern as the spec does not dictate that clients filter extensions.
> > Each client and user agent has their own security and privacy policies. I recommend you open issues with them.
> 
> It _could_ be a spec concern, if the spec were to say that a client MUST NOT filter out extensions it does not recognise. Of course it doesn't say that - at least not at the moment.

I totally agree. The spec should spell out the correct behavior instead of leaving it to each client implementation to decide as it sees fit. In fact, there are plenty of specifications that dictate the pass-through behavior for unknown extensions on intermediates.

-- 
GitHub Notification of comment by joshzhao
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2331#issuecomment-3199199095 using your GitHub account
-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 19 August 2025 04:52:52 UTC