Re: [webauthn] Related origin validation should reference the Fetch spec (#2408)

Is it possible to implement the .well-known fetch using the Fetch API? The spec says:
> When following redirects, [WebAuthn Clients](https://w3c.github.io/webauthn/#webauthn-client) MUST explicitly require all redirects to also use the https: [scheme](https://url.spec.whatwg.org/#concept-url-scheme).

I don't think the Fetch API exposes enough information about intermediate hops in a redirect chain to enforce this.

Maybe what we want is for the response URL to be same-origin with the request URL? We could enforce that with the Fetch API, but only if we remove the "all redirects use https:" requirement. The Fetch API would not give you enough information to exclude an http: scheme on the B hop of an A -> B -> A chain.

-- 
GitHub Notification of comment by jschanck
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2408#issuecomment-4306208358 using your GitHub account
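The same-origin check the comment proposes, written over what a completed fetch() actually exposes (response.url and response.redirected), as an added example that is not part of the issue thread or the WebAuthn spec. The request URL and the response objects are constructed stand-ins for a real Response.

```javascript
// Added example: validate the outcome of fetching a /.well-known/webauthn
// document using only the fields the Fetch API leaves visible after a
// fetch() with redirect: "follow" completes. Intermediate hops are not
// observable, which is exactly the limitation the comment describes.

// requestUrl: the URL passed to fetch(); response: a real Response or any
// object with `url` and `redirected`. Returns { ok, reason } for logging.
function validateRelatedOriginFetch(requestUrl, response) {
  const req = new URL(requestUrl);
  if (req.protocol !== "https:") {
    return { ok: false, reason: "request URL must use https:" };
  }
  let final;
  try {
    final = new URL(response.url);
  } catch {
    return { ok: false, reason: "response.url is not a valid URL" };
  }
  // The final hop is the only hop we can inspect, so require https: there.
  if (final.protocol !== "https:") {
    return { ok: false, reason: "final response URL must use https:" };
  }
  // Same-origin with the request URL: scheme, host and port must all match.
  if (final.origin !== req.origin) {
    return { ok: false, reason: `response origin ${final.origin} differs from ${req.origin}` };
  }
  // response.redirected only says whether a redirect happened, not through
  // which URLs; an A -> B -> A chain therefore passes regardless of B.
  return { ok: true, reason: response.redirected ? "redirected within origin" : "direct" };
}

// Constructed sample outcomes (not real network traffic) for one request URL.
const REQUEST_URL = "https://example.com/.well-known/webauthn";
const SAMPLE_RESPONSES = {
  direct:          { url: "https://example.com/.well-known/webauthn", redirected: false },
  sameOriginHop:   { url: "https://example.com/.well-known/webauthn", redirected: true },
  crossOrigin:     { url: "https://cdn.example.net/webauthn.json", redirected: true },
  downgradedFinal: { url: "http://example.com/.well-known/webauthn", redirected: true },
};

// Run every sample through the validator; returns name -> ok.
function evaluateSamples() {
  return Object.fromEntries(
    Object.entries(SAMPLE_RESPONSES).map(
      ([name, resp]) => [name, validateRelatedOriginFetch(REQUEST_URL, resp).ok]
    )
  );
}
```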


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 23 April 2026 16:49:05 UTC