adds Related Origin Requests #2040
@@ -4110,7 +4110,7 @@ For example, for the RP ID `example.com`: | |
To validate the calling origin is an authorized related origin for a given ceremony: | ||
This should explicitly define callerOrigin and rpIdRequested as parameters of the procedure, and the references in the client algorithms should explicitly specify the arguments. I think we should also put a

Do you have an example of what that should look like in Bikeshed?

Not sure I understand. What would a definition look like for a procedure? Isn't that just the section that defines the procedure?

We have a few examples in the spec:

So for example, this section could start with:

and then the references in

This has a few advantages: most importantly it makes the connection clearer and less reliant on hidden metadata, so it's more likely to survive format conversions such as into PDF or plain text (or even actual print, if someone were to actually do that), or quotations. Less importantly it also shows Bikeshed's list of references when you click the definition, which doesn't happen for links to sections. Alternatively, the link to the section should be a plain section reference without replacing the link text, so that it renders the whole section heading, for the reasons above. Like I said, we don't always respect these concerns throughout the spec, and I don't think we always should, but I think this is one of the cases where there's little or nothing to gain from not doing so.

But to be fair, there is also at least this counter-example where we do link to a section with a (slightly) different link text:
1. Let |maxLabels| be the number of maximum [=origin labels=] allowed by client policy. | ||
1. Let |maxLabels| be the maximum number of [=origin labels=] allowed by client policy. | ||
1. Fetch the well-known URL for the RP ID (<code>https://|rpIdRequested|/.well-known/webauthn</code>). | ||
I have a question about the fetching of the well-known URL. Could this be abused given that the origin of the page that contains the WebAuthn call is necessarily a different origin from the site where the well-known document will be retrieved? This seems to constitute a cross-origin request.

It is the WebAuthn client software fetching the document, not anything in the web session. What types of abuse were you thinking?

@nsatragno can you comment based on the discussion on the call?
1. If the fetch fails, the response does not have a content type of `application/json`, or does not have a status code (after following redirects) of 200, then throw a "{{SecurityError}}" {{DOMException}}. | ||
1. If the body of the resource is not a valid JSON object, then throw a "{{SecurityError}}" {{DOMException}}. | ||
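Review bot: the status check in the fetch step constrains only the final status code ("after following redirects"), not the final URL, so a redirect from https://|rpIdRequested|/.well-known/webauthn to a different host (for example through an open redirector on the RP ID origin) would let that host supply the document that authorizes the calling origin; either disallow redirects here or require the final response URL to be same-origin with the RP ID, and state that the fetch is made without credentials. The content-type check should also say whether media-type parameters such as `application/json; charset=utf-8` are accepted, since a literal comparison against `application/json` would reject most real servers. Finally, |rpIdRequested| is used in the fetch step without being declared as an input to the procedure; the opening sentence ("To validate the calling origin is an authorized related origin for a given ceremony:") should name both the calling origin and the requested RP ID as its parameters.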