Verify topOrigin #205
Comments
I'll have a think about how to implement this. I think it's probably fine to implement it as an opt-in to be decided by the RP until it's no longer a draft, or to make it part of the level 3 wait-list, depending on how urgent it is for users of the lib.

I think it's fine for it to be on the wait-list. I mostly filed this so it wouldn't be forgotten about.
This adds top origin verification options to the library. Closes #205
Description

The latest draft discusses verifying `topOrigin` along with `origin`. Right now this library only validates `origin`. Maybe an `RPTopOrigins` field could be added to `Config`, though this means the default would be to not allow any `topOrigin` value, which might not be backwards-compatible. It also wouldn't be easy for an RP to allow any `topOrigin` value. Maybe instead it could be some sort of enum like `AllowAll`, `AllowRPOrigins`, `AllowNone`, but then you couldn't specify third-party ones.

Use Case

Our particular use-case is that we don't allow any `topOrigin` value, but longer-term we might want to allow our top-level domain as a valid `topOrigin`.

Documentation

See w3c/webauthn#1891 and https://w3c.github.io/webauthn/#sctn-validating-origin.
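The check the issue asks for, written out as an added example that is not the library's code or the PR's implementation. It parses the `clientDataJSON` fields the draft defines (`origin`, `crossOrigin`, `topOrigin`) and applies the policy shapes discussed above: disallow any `topOrigin` (the issue author's current need), allow only the RP's own origins, allow an explicit list (the proposed `RPTopOrigins` field), or allow any. The `Config`, `RPOrigins`, `RPTopOrigins`, `TopOriginMode` names and the sample `clientDataJSON` values are assumptions constructed for this example. Per the draft's origin-validation section, a `topOrigin` is only meaningful when the ceremony ran in a cross-origin iframe, so a `topOrigin` arriving with `crossOrigin` false is rejected as inconsistent before any allow-list is consulted.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// TopOriginMode is a hypothetical policy knob (not the library's API) for how
// a topOrigin in clientDataJSON is treated.
type TopOriginMode int

const (
	TopOriginDisallow  TopOriginMode = iota // reject any topOrigin: no cross-origin embedding
	TopOriginRPOrigins                      // topOrigin must be one of the RP's own origins
	TopOriginExplicit                       // topOrigin must be in the RPTopOrigins allow-list
	TopOriginAllowAny                       // accept any topOrigin (weakest; still needs crossOrigin)
)

// Config is a hypothetical stand-in for the library's configuration struct.
type Config struct {
	RPOrigins     []string
	TopOriginMode TopOriginMode
	RPTopOrigins  []string
}

// collectedClientData holds the subset of CollectedClientData this check needs.
type collectedClientData struct {
	Type        string `json:"type"`
	Challenge   string `json:"challenge"`
	Origin      string `json:"origin"`
	CrossOrigin bool   `json:"crossOrigin"`
	TopOrigin   string `json:"topOrigin"`
}

func contains(list []string, v string) bool {
	for _, s := range list {
		if s == v {
			return true
		}
	}
	return false
}

// VerifyOrigins implements the origin / topOrigin steps of the draft's
// validation section against cfg. It returns nil when the ceremony origin is
// acceptable and any topOrigin satisfies the configured policy.
func VerifyOrigins(cfg Config, clientDataJSON []byte) error {
	var c collectedClientData
	if err := json.Unmarshal(clientDataJSON, &c); err != nil {
		return fmt.Errorf("clientDataJSON: %w", err)
	}
	// Step 1: origin must be one the RP expects (this is what the library already does).
	if !contains(cfg.RPOrigins, c.Origin) {
		return fmt.Errorf("origin %q is not an RP origin", c.Origin)
	}
	// No topOrigin means the ceremony was not sub-framed cross-origin; nothing more to check.
	if c.TopOrigin == "" {
		return nil
	}
	// topOrigin is only populated for cross-origin iframes; anything else is malformed.
	if !c.CrossOrigin {
		return errors.New("topOrigin present but crossOrigin is false")
	}
	switch cfg.TopOriginMode {
	case TopOriginDisallow:
		return fmt.Errorf("topOrigin %q rejected: cross-origin embedding not allowed", c.TopOrigin)
	case TopOriginRPOrigins:
		if contains(cfg.RPOrigins, c.TopOrigin) {
			return nil
		}
	case TopOriginExplicit:
		if contains(cfg.RPTopOrigins, c.TopOrigin) {
			return nil
		}
	case TopOriginAllowAny:
		return nil
	}
	return fmt.Errorf("topOrigin %q is not an allowed top origin", c.TopOrigin)
}

func main() {
	// Constructed sample: the RP's login page embedded cross-origin in its own www site.
	cfg := Config{
		RPOrigins:     []string{"https://login.example.com"},
		TopOriginMode: TopOriginExplicit,
		RPTopOrigins:  []string{"https://www.example.com"},
	}
	cd := []byte(`{"type":"webauthn.get","challenge":"c29tZS1jaGFsbGVuZ2U","origin":"https://login.example.com","crossOrigin":true,"topOrigin":"https://www.example.com"}`)
	fmt.Println("explicit allow-list:", VerifyOrigins(cfg, cd))
	cfg.TopOriginMode = TopOriginDisallow
	fmt.Println("disallow mode:", VerifyOrigins(cfg, cd))
}
```

Choosing `TopOriginDisallow` as the default keeps the behaviour the issue author needs today, while `TopOriginExplicit` covers the "allow our top-level domain later" case without opening the door to arbitrary embedding origins.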