- From: Martin Thomson via GitHub <sysbot+gh@w3.org>
- Date: Tue, 25 Jul 2017 00:52:26 +0000
- To: public-webrtc-logs@w3.org

I think that the question here is about how an IdP might make a claim about a different domain. Or, if you get an assertion for `user@example.com`, how `example.net` might verify that assertion.

This is not a function that `setIdentityProvider` is intended to provide. This is something that the browser might decide to allow, but a site wouldn't and indeed MUST NOT.

Say that I know you as `soareschen@example.net`. If I visit a site, I need to know that when the assertion arrives for you, then it is you. You don't want `https://attacker.example` to be able to install an override so that their IdP can assert for `example.net`.

--
GitHub Notification of comment by martinthomson
Please view or discuss this issue at https://github.com/w3c/webrtc-pc/issues/1506#issuecomment-317596208 using your GitHub account

Received on Tuesday, 25 July 2017 00:52:27 UTC