Re: [webauthn] Related origin validation should reference the Fetch spec (#2408)

It was pointed out to me that fetch already [blocks mixed content](https://w3c.github.io/webappsec-mixed-content/#should-block-fetch). So I think that if we merely say to make a fetch to the https:// well-known URL, with redirects allowed but saying nothing else about restricting them to https:// origins, we actually get the behavior we have currently.

I'm hesitant to drop redirect support entirely or restrict it to same origin, since that would break backwards compatibility and would make this change more challenging to deploy.


-- 
GitHub Notification of comment by kreichgauer
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2408#issuecomment-4315353837 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 24 April 2026 18:17:52 UTC
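The behaviour argued for in the comment above, as an added example that is not part of the thread or of the WebAuthn spec text: a redirect-following fetch in which the only restriction is the mixed-content rule (any non-https URL, initial or reached by redirect, is blocked), contrasted with the stricter same-origin-redirect policy the comment says would break existing deployments. The well-known path `/.well-known/webauthn` and the `{"origins": [...]}` JSON shape follow the Related Origin Requests design as I recall it and are treated as assumptions here; the in-memory `NETWORK` map is constructed sample data standing in for real HTTP.

```javascript
// Added example, not code from the w3c/webauthn project.
// Assumptions: well-known path /.well-known/webauthn, body {"origins": [...]},
// and a constructed in-memory "network" instead of real HTTP.
const MAX_REDIRECTS = 20;

// Constructed responses keyed by absolute URL (sample data, not real hosts).
const NETWORK = new Map([
  ['https://example.com/.well-known/webauthn',
    { status: 302, headers: { location: 'https://cdn.example.net/webauthn.json' } }],
  ['https://cdn.example.net/webauthn.json',
    { status: 200, body: JSON.stringify({ origins: ['https://example.com', 'https://app.example.org'] }) }],
  // An https origin that redirects its well-known document to plain http.
  ['https://downgrade.example/.well-known/webauthn',
    { status: 302, headers: { location: 'http://downgrade.example/webauthn.json' } }],
  ['http://downgrade.example/webauthn.json',
    { status: 200, body: JSON.stringify({ origins: ['https://evil.example'] }) }],
  // A redirect loop, to exercise the redirect cap.
  ['https://loop.example/.well-known/webauthn',
    { status: 302, headers: { location: 'https://loop.example/.well-known/webauthn' } }],
]);

// Mixed-content rule: a fetch started from an https context is blocked as soon
// as the request URL (initial or any redirect target) is not https.
function shouldBlockMixedContent(url) {
  return new URL(url).protocol !== 'https:';
}

// Follow redirects like a browser fetch would. With sameOriginOnly=false the only
// restriction is the mixed-content check, which is the policy the comment proposes.
function fetchWithRedirects(url, { network = NETWORK, sameOriginOnly = false } = {}) {
  const startOrigin = new URL(url).origin;
  let current = url;
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    if (shouldBlockMixedContent(current)) {
      return { ok: false, reason: 'mixed-content', url: current };
    }
    if (sameOriginOnly && new URL(current).origin !== startOrigin) {
      return { ok: false, reason: 'cross-origin-redirect', url: current };
    }
    const resp = network.get(current);
    if (!resp) return { ok: false, reason: 'network-error', url: current };
    if (resp.status >= 300 && resp.status < 400 && resp.headers && resp.headers.location) {
      current = new URL(resp.headers.location, current).href; // resolve relative Location
      continue;
    }
    if (resp.status !== 200) return { ok: false, reason: `http-${resp.status}`, url: current };
    return { ok: true, url: current, body: resp.body };
  }
  return { ok: false, reason: 'too-many-redirects', url: current };
}

function wellKnownUrl(rpId) {
  return `https://${rpId}/.well-known/webauthn`;
}

// True only if callerOrigin is listed in the RP's related-origins document and
// that document was reached without a downgrade to http.
function isRelatedOrigin(rpId, callerOrigin, opts = {}) {
  const result = fetchWithRedirects(wellKnownUrl(rpId), opts);
  if (!result.ok) return false;
  let doc;
  try { doc = JSON.parse(result.body); } catch { return false; }
  if (!doc || !Array.isArray(doc.origins)) return false;
  // Compare serialized origins so trailing slashes or case differences do not matter.
  const want = new URL(callerOrigin).origin;
  return doc.origins.some((o) => {
    try { return new URL(o).origin === want; } catch { return false; }
  });
}
```

With the default options, `example.com` may host its document behind a cross-origin https redirect and still validate, while `downgrade.example` fails because the redirect to `http://` trips the mixed-content check; passing `{ sameOriginOnly: true }` rejects the `example.com` case as well, which is the compatibility break the comment is trying to avoid.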