Re: [webauthn] Privacy considerations for cross-origin usage (#2391)

Helpful to document both the risk and a normative requirement indicating the responsibility for informing the user, as a mitigation.

One confusion I had: the RP ID and calling origin are both useful to show in the Related Origins case (because the origins might be different, and those are the two origins that will be connected by approving the authentication), but in the embedded document case, isn't the calling origin the same as the RP ID, and it's just different from the embedding website? The user confusion there isn't that the calling origin is different from the RP ID from creation time, but that it might be different from (and connecting activity or accounts between) the top-level document origin.

-- 
GitHub Notification of comment by npdoty
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/2391#issuecomment-4078055500 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 17 March 2026 21:16:33 UTC
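The three origins the comment distinguishes (RP ID, calling origin, top-level document origin) and which of them a client would surface to the user in the Related Origins case versus the embedded-document case, as an added illustration that is not part of the thread or the WebAuthn spec. It assumes origins written as `scheme://host` strings and, as a simplification, checks the RP ID as a plain label suffix of the caller's host rather than against the public suffix list.

```python
from urllib.parse import urlsplit


def effective_domain(origin: str) -> str:
    """Host part of an origin such as https://login.example.com."""
    return (urlsplit(origin).hostname or "").lower()


def rp_id_covers_origin(rp_id: str, origin: str) -> bool:
    """Classic WebAuthn rule: the RP ID equals the caller's effective domain or
    is a dot-separated suffix of it. Simplification: a real client also rejects
    RP IDs that are public suffixes (e.g. 'co.uk'); that check is omitted here."""
    host = effective_domain(origin)
    return host == rp_id or host.endswith("." + rp_id)


def rp_id_valid_for(rp_id: str, calling_origin: str, related_origins=()) -> bool:
    """Accept the classic rule, or a calling origin the RP explicitly lists for
    this RP ID (the Related Origin Requests case)."""
    return rp_id_covers_origin(rp_id, calling_origin) or calling_origin in related_origins


def origins_to_disclose(rp_id, calling_origin, top_level_origin, related_origins=()):
    """Which origins the user should see before approving, per the comment:
    - Related Origins: calling origin differs from the RP ID, so show both.
    - Embedded document: calling origin sits under the RP ID, but the top-level
      origin is a different site, so that is the origin to surface."""
    if not rp_id_valid_for(rp_id, calling_origin, related_origins):
        raise ValueError("calling origin may not use this RP ID")
    show = {"rp_id": rp_id}
    if not rp_id_covers_origin(rp_id, calling_origin):
        show["calling_origin"] = calling_origin       # related-origin case
    if top_level_origin != calling_origin:
        show["top_level_origin"] = top_level_origin   # embedded (cross-origin) case
    return show
```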