add indication of cross-origin operation in collectedClientData
#1276
Conversation
|
Blocked awaiting work in CredMan |
No? It allows operations that were previously forbidden, I don't think it stops anything that was previously allowed. |
|
It shouldn't break anything. The one exception to that might be some servers that won't understand the new elements in client data. But only servers explicitly allowing this should ever see that. |
|
Yeah, ok, it won't break the WebAuthn API, but I was thinking it's a breaking change to the internal browser APIs. But I guess that is already the case for L2 anyway. |
equalsJeffH
changed the title
collectedClientData
Co-Authored-By: Emil Lundberg <emil@yubico.com>
|
this is ready to re-review in conjunction with w3c/webappsec-credential-management#138. Note: I've updated the original post and this PR's title to reflect the current state of things. |
|
@akshayku Please review so we can close this out or move it to next WD |
…in `collectedClientData` (#1276)
|
Could someone help refresh my memory on this? At some point we discussed making |
This reverts part of PR w3c#1276, again prohibiting the use of the Create method when `sameOriginWithAncestors` is `false`. The `Note` is simplified, since the integration between Credential Management and Feature Policy is now complete.
This reverts part of PR w3c#1276, again prohibiting the use of the Create method when `sameOriginWithAncestors` is `false`. The `Note` is simplified, since the integration between Credential Management and Feature Policy is now complete.
* Prohibit Create Credential from cross-origin iframes This reverts part of PR #1276, again prohibiting the use of the Create method when `sameOriginWithAncestors` is `false`. The `Note` is simplified, since the integration between Credential Management and Feature Policy is now complete. * Split the feature-policy definition, per review comments * Apply suggestions from code review Co-Authored-By: =JeffH <jdhodges@google.com> Co-authored-by: =JeffH <jdhodges@google.com>
fixes #1271 #911
This webauthn PR is associated with w3c/webappsec-credential-management#138. It eliminates the
sameOriginWithAncestorscheck from both[[Create]]()and[[DiscoverFrom...]]()and instead adds the inverse of it's value tocollectedClientDatain the form of thecrossOriginboolean.Cross-origin usage is now gated upon feature policy, per w3c/webappsec-credential-management#138. Credman+WebAuthn default behavior remains the same as before: allowed in same-origin contexts, disallowed in cross-origin contexts. Cross-origin usage can now be attained by the RP webdev/author by explicitly setting the
publickey-credentialsfeature policy.see also: w3c/webappsec-credential-management#138 (comment)
Preview | Diff