- From: Martin Kreichgauer via GitHub <noreply@w3.org>
- Date: Fri, 10 Apr 2026 23:43:57 +0000
- To: public-webauthn@w3.org
kreichgauer has just created a new issue for https://github.com/w3c/webauthn:

== Related origin validation should reference the Fetch spec ==

The [related origins validation procedure](https://w3c.github.io/webauthn/#abstract-opdef-related-origins-validation-procedure) says to _fetch the webauthn well-known URL_. But the actual definition of "fetch" seems under-specified. It says not to send credentials or a referrer, but leaves open some important details, like how CSP should be handled. This can lead to partial CSP bypasses, where the User Agent makes a cross-origin request to a .well-known/webauthn resource, even if the page has a CSP directive that prohibits cross-origin fetches.

It appears to be best practice to reference the [Fetch spec](https://fetch.spec.whatwg.org/#fetch-elsewhere-request) in cases like this, specifically the section on setting up a [request](https://fetch.spec.whatwg.org/#concept-request) and invoking the [fetch API](https://fetch.spec.whatwg.org/#concept-fetch) with it. There are a couple of examples in other specs that we could probably follow, e.g. [SPC](https://w3c.github.io/secure-payment-confirmation/#:~:text=Fetch%20the%20image%20resource%20for%20the%20icon%2C%20passing%20%C2%AB%5B%22src%22%20%E2%86%92%20data%5B%22instrument%22%5D%5B%22icon%22%5D%5D%C2%BB%20for%20image.%20If%20this%20fails) or [Payment Method Manifests](https://www.w3.org/TR/payment-method-manifest/#fetch-pmm:~:text=For%20each%20identifierURL,to%20bytes.)

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2408 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 10 April 2026 23:43:58 UTC
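The following is an added example, not text from the issue, the WebAuthn spec or any browser; it models the well-known fetch the issue discusses as a Fetch-style request record and shows the difference between issuing that request regardless of the calling page's policy (the under-specified reading the issue describes) and running it through a CSP `connect-src` check first. The request fields beyond "no credentials, no referrer", the small CSP source-expression matcher, the sample policy, the hostnames and the in-memory "network" are all assumptions constructed for the demonstration; the `{"origins": [...]}` body is the JSON document the WebAuthn related-origins resource carries.

```javascript
// Added example: model of the related-origins well-known fetch and how a
// page's CSP connect-src interacts with it. Not code from the WebAuthn spec
// or from any user agent; all names below are constructed for illustration.

// Build the request record the way the issue suggests the spec should spell
// it out: every Fetch-spec field set explicitly. Only "omit" and "no-referrer"
// come from the current procedure text; the rest are assumptions here.
function buildWellKnownRequest(rpId, clientOrigin) {
  return {
    url: new URL(`https://${rpId}/.well-known/webauthn`),
    method: "GET",
    client: clientOrigin,      // origin of the document that called WebAuthn
    credentials: "omit",       // procedure text: no credentials
    referrer: "no-referrer",   // procedure text: no referrer
    mode: "cors",              // assumption: cross-origin read requires CORS
  };
}

// Parse a Content-Security-Policy header value into Map<directive, [sources]>.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Match one CSP source expression against a URL. Deliberately a subset of
// CSP3: 'none', 'self', '*', and [scheme://][*.]host[:port]. Real user agents
// implement the full source-expression algorithm.
function sourceMatches(expr, url, selfOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === selfOrigin;
  if (e === "*") return true;
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme !== url.protocol.slice(0, -1)) return false;
  const hostOk = wildcard ? url.hostname.endsWith("." + host) : url.hostname === host;
  if (!hostOk) return false;
  const effectivePort = url.port || (url.protocol === "https:" ? "443" : "80");
  if (port && port !== "*" && port !== effectivePort) return false;
  return true;
}

// Would connect-src (falling back to default-src, as CSP does) allow a
// connection to `url`? With no applicable directive the answer is "allowed".
function cspAllowsConnect(policy, url, selfOrigin) {
  const sources = policy.get("connect-src") ?? policy.get("default-src");
  if (sources === undefined) return true;
  return sources.some((s) => sourceMatches(s, url, selfOrigin));
}

// Model of the fetch step of the related-origins validation procedure.
// applyCsp=false: request always leaves the UA (the gap the issue describes).
// applyCsp=true:  request is subject to the calling document's policy first.
// `network` stands in for the network: Map<url string, response body>.
function fetchWellKnown(rpId, clientOrigin, cspHeader, network, { applyCsp }) {
  const req = buildWellKnownRequest(rpId, clientOrigin);
  if (applyCsp && !cspAllowsConnect(parseCsp(cspHeader), req.url, req.client)) {
    return { issued: false, ok: false, reason: "blocked by CSP connect-src" };
  }
  const body = network.get(req.url.href); // the request has now left the UA
  if (body === undefined) return { issued: true, ok: false, reason: "network error" };
  const doc = JSON.parse(body);
  const related = Array.isArray(doc.origins) && doc.origins.includes(clientOrigin);
  return { issued: true, ok: true, related };
}

// Constructed scenario: a page whose CSP only allows connections to itself
// and one API host, and a script on it that names an unrelated rpId.
function demo() {
  const clientOrigin = "https://app.example";
  const csp = "default-src 'self'; connect-src 'self' https://api.app.example";
  const network = new Map([
    ["https://attacker.example/.well-known/webauthn", '{"origins":["https://app.example"]}'],
    ["https://api.app.example/.well-known/webauthn", '{"origins":["https://app.example"]}'],
  ]);
  return {
    // Under-specified reading: the cross-origin request is issued despite CSP.
    ignoringCsp: fetchWellKnown("attacker.example", clientOrigin, csp, network, { applyCsp: false }),
    // Routed through Fetch with the document's policy: it never leaves.
    withCsp: fetchWellKnown("attacker.example", clientOrigin, csp, network, { applyCsp: true }),
    // A host the policy allows is fetched and validated normally.
    allowed: fetchWellKnown("api.app.example", clientOrigin, csp, network, { applyCsp: true }),
  };
}
```

The point the `ignoringCsp` case makes is the one in the issue: a script running on a page locked down with `connect-src 'self'` can still cause the user agent to contact an arbitrary host by choosing the rpId, because the procedure's own notion of "fetch" says nothing about the page's policy. Whether the fix is to enforce CSP on this request or to state explicitly that it is exempt is a spec decision; the example only shows that the two readings behave differently.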