Verify topOrigin

[jameshartig]

Description

The latest draft discusses verifying topOrigin along with origin. Right now this library only validates origin. Maybe an RPTopOrigins field could be added to Config, though this means the default would be to not allow any topOrigin value which might not be backwards-compatible. It also wouldn't be easy for an RP to allow any topOrigin value. Maybe instead it could be some sort of enum like AllowAll, AllowRPOrigins, AllowNone, but then you couldn't specify third-party ones.

Use Case

Our particular use-case is that we don't allow any topOrigin value, but longer-term we might want to allow our top-level domain as a valid topOrigin.

Documentation

See w3c/webauthn#1891 and https://w3c.github.io/webauthn/#sctn-validating-origin.

[james-d-elliott]

I'll have a think about how to implement this. I think it's probably fine to implement it as an opt in to be decided by the RP until it's no longer a draft or to make it part of the level 3 wait-list depending on how urgent it is for users of the lib.

[jameshartig]

I'll have a think about how to implement this. I think it's probably fine to implement it as an opt in to be decided by the RP until it's no longer a draft or to make it part of the level 3 wait-list depending on how urgent it is for users of the lib.

I think it's fine for it to be on the wait-list. I mostly filed this so it wouldn't be forgotten about.