- From: John Schanck via GitHub <noreply@w3.org>
- Date: Fri, 24 Apr 2026 15:05:00 +0000
- To: public-webauthn@w3.org

The point of referencing fetch would be to provide implementation guidance: "use your platform's fetch implementation or an equivalent sequence of steps". The request URL List that you referenced is a bookkeeping detail; the platform's fetch implementation is not going to expose the URL List to callers. In my opinion, that spoils the benefit of referencing fetch.

I still think it would be good if we could reference fetch here. I don't see a clear reason to allow redirects, much less cross-origin redirects, for the .well-known fetch. Dropping the "all redirects use https:" condition and either forbidding redirects or imposing a same-origin requirement would make it possible to implement the related origin validation procedure using the fetch algorithm as a black box.

--
GitHub Notification of comment by jschanck
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2408#issuecomment-4314168777 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 24 April 2026 15:05:01 UTC
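
The "forbid redirects" option from the comment above, sketched as an added example that is not part of the original message, the WebAuthn specification, or any browser's code. The function names, the hosts and the stub fetch are hypothetical and constructed here; the `/.well-known/webauthn` path and the `origins` member are assumed from the WebAuthn related origins document format.

```javascript
// Constructed routes: one well-known URL bounces through another origin,
// one is served directly. All hosts are made up for this example.
const DOC = '{"origins":["https://shop.example"]}';
const ROUTES = {
  "https://rp.example/.well-known/webauthn": { redirect: "https://cdn.example/hop" },
  "https://cdn.example/hop": { redirect: "https://rp.example/final.json" },
  "https://rp.example/final.json": { body: DOC },
  "https://direct.example/.well-known/webauthn": { body: DOC },
};

// Hypothetical stand-in for a platform fetch. It honours the `redirect` option
// and, like the real API, exposes only the final URL and a `redirected` flag.
async function stubFetch(url, { redirect = "follow" } = {}) {
  let current = url, redirected = false;
  while (ROUTES[current] && ROUTES[current].redirect) {
    if (redirect === "error") throw new TypeError("redirect not allowed");
    current = ROUTES[current].redirect;
    redirected = true;
  }
  const route = ROUTES[current];
  if (!route) throw new TypeError("network error");
  return { ok: true, url: current, redirected, json: async () => JSON.parse(route.body) };
}

// Redirects forbidden: fetch is used as a black box, no URL list is inspected.
async function fetchRelatedOrigins(rpId, fetchImpl = fetch) {
  let response;
  try {
    response = await fetchImpl(`https://${rpId}/.well-known/webauthn`,
                               { redirect: "error", credentials: "omit" });
  } catch {
    return null; // network error, which now includes any redirect
  }
  if (!response.ok) return null;
  const doc = await response.json().catch(() => null);
  if (!doc || !Array.isArray(doc.origins)) return null;
  return doc.origins.filter((o) => typeof o === "string");
}

// For contrast: everything a caller can observe when redirects are followed.
async function observeFollow(url, fetchImpl = fetch) {
  const r = await fetchImpl(url, { redirect: "follow" });
  return { finalOrigin: new URL(r.url).origin, redirected: r.redirected };
}
```

With the constructed chain, `observeFollow` reports a final origin equal to the starting one even though an intermediate hop left it, which is why a per-hop condition cannot be checked from outside fetch, while `fetchRelatedOrigins` simply fails.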