- From: Nick Doty via GitHub <noreply@w3.org>
- Date: Mon, 10 Nov 2025 19:06:55 +0000
- To: public-webauthn@w3.org
My understanding is that it isn't partitioned, that the user is providing a persistent identifier to embedded origin B (the same key that they use when interacting with Site B in a non-embedded context). So the user may think they are signing into Site A but actually be providing a cross-origin connection to their identity on Site B. Based on discussion with the Working Group, it sounded like this was the intended behavior, and that it was up to the user agent to clearly communicate what's happening to the user, and up to the user to interpret the UI, notice that the dialog UI shows a different origin from the URL bar and make sure they want to connect their activity on Site A to their activity on Site B. This seems dangerous to users and likely to be confused. I'm not sure if user agents realize what they're signing up to communicate to users. It seemed like in discussion with the Working Group that maybe this could be documented in the spec, either now or in the future, to document the risk and clarify the responsibility.

--
GitHub Notification of comment by npdoty
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2321#issuecomment-3513468728 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 10 November 2025 19:06:56 UTC