From e8172c4d2eea64bf60e0f53d82cb96fa081db22e Mon Sep 17 00:00:00 2001 From: JeffH Date: Tue, 13 Sep 2016 19:44:37 -0700 Subject: [PATCH 1/5] ref whatwg HTML spec for origin & Navigator. Fixes #160. --- index.bs | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/index.bs b/index.bs index 9fbe8fb37..00585cd29 100644 --- a/index.bs +++ b/index.bs @@ -35,6 +35,20 @@ Boilerplate: omit conformance, omit feedback-header Markup Shorthands: css off, markdown on +
+
+spec: HTML; urlPrefix: https://html.spec.whatwg.org/multipage/
+    type: dfn
+        urlPrefix: browsers.html; for: web
+            text: origin
+            text: opaque origin
+            text: tuple origin
+    type: dfn
+        urlPrefix: webappapis.html; for: interface
+            text: Navigator
+    
+
+ # Introduction # {#intro} @@ -130,8 +144,10 @@ or a combination of both. This specification relies on several other underlying specifications. -: HTML5 -:: The concept of origin and the Navigator interface are defined in [[!HTML5]]. + + +: HTML +:: The concepts of origin and the Navigator interface are defined in [[!HTML]]. : Web IDL :: Many of the interface definitions and all of the IDL in this specification depend on [[!WebIDL-1]]. This updated version of @@ -701,7 +717,7 @@ string-valued keys. Values may be any type that has a valid encoding in JSON. It
The challenge member contains the base64url encoding of the challenge provided by the RP. - The origin member contains the fully qualified web origin of the requester, as provided to the authenticator by + The origin member contains the fully qualified web origin of the requester, as provided to the authenticator by the client, in the syntax defined by [[RFC6454]]. The rpId member contains the RP ID of the requester, as computed by the client. From a67e1af729d05ffe3741c9bb47d4e9158f7825fa Mon Sep 17 00:00:00 2001 From: JeffH Date: Thu, 15 Sep 2016 15:25:23 -0700 Subject: [PATCH 2/5] ref HTML51 for object and Navigator --- index.bs | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/index.bs b/index.bs index 00585cd29..549109463 100644 --- a/index.bs +++ b/index.bs @@ -37,7 +37,8 @@ Markup Shorthands: css off, markdown on
 
-spec: HTML; urlPrefix: https://html.spec.whatwg.org/multipage/
+
+spec: HTML51; urlPrefix: http://www.w3.org/TR/html51/
     type: dfn
         urlPrefix: browsers.html; for: web
             text: origin
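Review bot: this hunk replaces the WHATWG urlPrefix that PATCH 1/5 added two days earlier with the W3C HTML 5.1 snapshot, so within one series the same three lines are added and then rewritten; squashing 1/5 into 2/5 would leave a single coherent change. Two checks on the new line: the TR URL is given as http://www.w3.org/TR/html51/ while w3.org serves it over https, so prefer the https form for a spec whose own security model rests on secure contexts; and the dfn entries below it (origin, opaque origin, tuple origin, Navigator) were written against WHATWG anchor ids, which the W3C snapshot does not necessarily share, so run bikeshed and confirm each one resolves (PATCH 5/5 ends up pinning an explicit url: for origin, which suggests at least one did not).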
@@ -147,7 +148,7 @@ This specification relies on several other underlying specifications.
 
 
 : HTML
-:: The concepts of origin and the Navigator interface are defined in [[!HTML]].
+:: The concepts of origin and the Navigator interface are defined in [[!HTML51]].
 
 : Web IDL
 :: Many of the interface definitions and all of the IDL in this specification depend on [[!WebIDL-1]]. This updated version of
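Review bot: the citation changes to [[!HTML51]] but the term line above it still reads ': HTML', so the definition list now names one document and cites another; rename the term to 'HTML 5.1' (or say 'the W3C HTML 5.1 Recommendation' in the description) so a reader knows which HTML document is normative for origin. The two empty context lines above ': HTML' are the content-free '+' lines from the @@ -130 hunk of PATCH 1/5 and look like stray whitespace; dropping them here keeps the list compact.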

From 98c81f78e7a4a48fb1e996972dc94642eb99df71 Mon Sep 17 00:00:00 2001
From: JeffH 
Date: Thu, 15 Sep 2016 15:39:20 -0700
Subject: [PATCH 3/5] 'web origin' -> 'origin'. fixes #173.

---
 index.bs | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/index.bs b/index.bs
index 549109463..896da0d27 100644
--- a/index.bs
+++ b/index.bs
@@ -58,7 +58,7 @@ spec: HTML51; urlPrefix: http://www.w3.org/TR/html51/
 This specification defines an API enabling the creation and use of strong, attested, cryptographic scoped
 credentials by web applications, for the purpose of strongly authenticating users. A scoped credential is
 created and stored by an authenticator at the behest of a [RP], subject to user
-consent. Subsequently, the scoped credential can only be accessed by web origins belonging to that [RP].
+consent. Subsequently, the scoped credential can only be accessed by origins belonging to that [RP].
 This scoping is enforced jointly by conforming User Agents and authenticators. 
 Additionally, privacy across [RPS] is maintained; [RPS] are not able to detect any properties, or even
 the existence, of credentials scoped to other [RPS].
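Review bot: with 'web' dropped, 'origins' in the '+' line is exactly the HTML51 concept the series anchors in the metadata block, but it is left as plain text, so Bikeshed will not link it to the normative definition; mark the first use in the introduction (e.g. <a>origins</a>) so the scoping statement resolves to the definition the spec now depends on. The unchanged context line 'This scoping is enforced jointly by conforming User Agents and authenticators.' carries trailing whitespace.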
@@ -239,7 +239,7 @@ NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and
 
 : Relying Party Identifier
 : RP ID
-:: A Relying Party Identifier is derived from a [RP]'s web origin's hostname by computing the hostname's eTLD+1. 
+:: A Relying Party Identifier is derived from a [RP]'s origin's hostname by computing the hostname's eTLD+1. 
 
 : Scoped Credential
 :: Generically, a credential is data one entity presents to another in order to authenticate the former's identity [[RFC4949]].
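Review bot: the RP ID definition still reads as if every origin has a hostname, yet PATCH 4/5 and 5/5 in this same series add an explicit rejection of opaque origins in step 3 of the two method algorithms precisely because an opaque origin has no host to take eTLD+1 of; the glossary entry should say the origin is a tuple origin, and should mention the lowercasing and SHA-256 hashing that the algorithm applies, otherwise the glossary and the normative steps describe two different values. Both the '-' and '+' lines also carry trailing whitespace after 'eTLD+1.'.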
@@ -285,7 +285,7 @@ and/or platform on the user's behalf. At no point does the script get access to
 information about the credentials in the form of objects. 
 
 The security properties of this API are provided by the client and the authenticator working together. The authenticator, which
-holds and manages credentials, ensures that all operations are scoped to a particular web origin, and cannot be replayed against
+holds and manages credentials, ensures that all operations are scoped to a particular origin, and cannot be replayed against
 a different origin, by incorporating the origin in its responses. Specifically, as defined in [[#signature-format]], the full
 origin of the requester is included, and signed over, in the attestation statement produced when a new credential is created as
 well as in all assertions produced by WebAuthn credentials.
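Review bot: 'ensures that all operations are scoped to a particular origin' overstates what the authenticator does; by the paragraph's own last sentence its mechanism is to include the client-supplied origin in the signed attestation or assertion, and an origin inside a signed response only stops a replay against a different origin if the RP compares the signed origin with its own. Suggest 'binds every operation to the origin supplied by the client, so that a response cannot be accepted by an RP for a different origin, by incorporating the origin in its signed responses', and reserve 'scoped' for the RP ID check described in the next hunk, which is the restriction the authenticator itself enforces.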
@@ -294,9 +294,9 @@ Additionally, to maintain user privacy and prevent malicious [RPS] from probing
 other [RPS], each credential is also associated with a Relying Party Identifier, or RP ID. This RP ID is provided by the client
 to the authenticator for all operations, and the authenticator ensures that credentials created by a [RP] can only be used in
 operations requested by the same RP ID. Separating the origin from the RP ID in this way allows the API to be used in cases
-where a single [RP] maintains multiple web origins.
+where a single [RP] maintains multiple origins.
 
-The client facilitates these security measures by providing correct web origins and RP IDs to the authenticator for each
+The client facilitates these security measures by providing correct origins and RP IDs to the authenticator for each
 operation. Since this is an integral part of the WebAuthn security model, user agents MUST only expose this API to callers in
 secure contexts, as defined in [[secure-contexts]].
 
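Review bot: 'providing correct origins and RP IDs' is the client's obligation, but this paragraph never says what the correct origin is; since PATCH 4/5 and 5/5 make step 3 take it from the current settings object, say 'the origin of the current settings object, and the RP ID derived from it' here so the security-model prose and the normative algorithm name the same value.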
@@ -718,7 +718,7 @@ string-valued keys. Values may be any type that has a valid encoding in JSON. It
 
The challenge member contains the base64url encoding of the challenge provided by the RP. - The origin member contains the fully qualified web origin of the requester, as provided to the authenticator by + The origin member contains the fully qualified origin of the requester, as provided to the authenticator by the client, in the syntax defined by [[RFC6454]]. The rpId member contains the RP ID of the requester, as computed by the client. From 8afcbc28db00382743c5cd9bb7f04de37d3ffbf2 Mon Sep 17 00:00:00 2001 From: JeffH Date: Thu, 15 Sep 2016 16:43:08 -0700 Subject: [PATCH 4/5] work on #171 & #172. --- index.bs | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/index.bs b/index.bs index 896da0d27..7a6be2bb3 100644 --- a/index.bs +++ b/index.bs @@ -44,6 +44,7 @@ spec: HTML51; urlPrefix: http://www.w3.org/TR/html51/ text: origin text: opaque origin text: tuple origin + text: current settings object type: dfn urlPrefix: webappapis.html; for: interface text: Navigator @@ -362,7 +363,8 @@ When this method is invoked, the user agent MUST execute the following algorithm 2. Let |promise| be a new Promise. Return |promise| and start a timer for |adjustedTimeout| seconds. Then asynchronously continue executing the following steps. -3. Set |callerOrigin| to the origin of the caller. Derive the RP ID from |callerOrigin| by computing the +3. Set |callerOrigin| to the current settings object's origin. If |callerOrigin| + is an opaque origin, reject |promise| with a DOMException whose name is "NotAllowedError", and terminate this algorithm. Otherwise, derive the RP ID from |callerOrigin| by computing the "public suffix + 1" or "PS+1" (which is also referred to as the "Effective Top-Level Domain plus One" or "eTLD+1") part of |callerOrigin| [[PSL]]. Let |rpId| be the lowercase form of this RP ID. Set |rpIdHash| to the SHA-256 hash of the UTF-8 encoding of |rpId|. 
@@ -438,7 +440,8 @@ When this method is invoked, the user agent MUST execute the following algorithm 2. Let |promise| be a new Promise. Return |promise| and start a timer for |adjustedTimeout| seconds. Then asynchronously continue executing the following steps. -3. Set |callerOrigin| to the origin of the caller. Derive the RP ID from |callerOrigin| by computing the +3. Set |callerOrigin| to the current settings object's origin. If |callerOrigin| + is an opaque origin, reject |promise| with a DOMException whose name is "NotAllowedError", and terminate this algorithm. Otherwise, derive the RP ID from |callerOrigin| by computing the "public suffix + 1" or "PS+1" (which is also referred to as the "Effective Top-Level Domain plus One" or "eTLD+1") part of |callerOrigin| [[PSL]]. Let |rpId| be the lowercase form of this RP ID. Set |rpIdHash| to the SHA-256 hash of the UTF-8 encoding of |rpId|. From f81c8676d51f3bd2ccc9ffbfcc786cd75850bbba Mon Sep 17 00:00:00 2001 From: JeffH Date: Fri, 16 Sep 2016 12:24:47 -0700 Subject: [PATCH 5/5] use 'current settings object's origin' (et al) rather than 'origin of the caller'. Fixes #171. Fixes #172. --- index.bs | 29 ++++++++++++++++++++--------- 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/index.bs b/index.bs index 7a6be2bb3..b7bdeeb81 100644 --- a/index.bs +++ b/index.bs @@ -38,15 +38,16 @@ Markup Shorthands: css off, markdown on
 
 
-spec: HTML51; urlPrefix: http://www.w3.org/TR/html51/
+spec: HTML51; urlPrefix: http://www.w3.org/TR/html51/; for: web
     type: dfn
-        urlPrefix: browsers.html; for: web
-            text: origin
+        urlPrefix: browsers.html
+            text: origin; url: concept-cross-origin
             text: opaque origin
             text: tuple origin
-            text: current settings object
+            text: relaxing the same-origin restriction
     type: dfn
         urlPrefix: webappapis.html; for: interface
+            text: current settings object; url:current-settings-object
             text: Navigator
     
 
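Review bot: for the @@ -718 hunk of PATCH 3/5 (run together above with PATCH 4/5): the origin member is now 'the fully qualified origin of the requester ... in the syntax defined by [[RFC6454]]', while every other use of origin in the series now points at the HTML51 definition, so the document defines the word twice; since the client writes this string and the RP compares it, say explicitly that it is the serialization of the HTML51 origin (or cite HTML51's serialization instead of RFC 6454) so both sides produce the same string. The same line was also touched by the @@ -701 hunk of PATCH 1/5, whose '-' and '+' lines read identically here, i.e. a whitespace-only change that could be folded into this one.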
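Review bot: for the @@ -362 and @@ -438 hunks of PATCH 4/5: rejecting an opaque origin before computing eTLD+1 is the right check, since there is no host to derive an RP ID from, but the new step is pasted verbatim into both method algorithms and PATCH 5/5 immediately has to edit both copies again; factor the 'derive |rpId| and |rpIdHash| from |callerOrigin|' steps into one shared sub-algorithm so the two methods cannot drift. The @@ -44 hunk of the same patch files 'current settings object' under browsers.html with 'for: web', but it is defined in webappapis.html, which is where PATCH 5/5 moves it; better to land it in the right place once.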
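Review bot: moving 'for: web' up to the spec: line makes it the default for every entry in the block, including 'current settings object', which now has no 'for:' of its own under webappapis.html (the Navigator entry is unaffected because its 'for: interface' overrides); HTML51 does not scope that term to 'web', so confirm the anchor still resolves. The explicit 'url: concept-cross-origin' for origin names the cross-origin section rather than an 'origin' definition; verify it lands on the definition of the origin concept and not merely on a section that uses it. Minor: 'url:current-settings-object' lacks the space after the colon that 'url: concept-cross-origin' has; keep the two consistent.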
@@ -149,7 +150,9 @@ This specification relies on several other underlying specifications. : HTML -:: The concepts of origin and the Navigator interface are defined in [[!HTML51]]. +:: The concepts of current settings object, |given value|, opaque origin, + origin, the Navigator interface, and the + relaxing the same-origin restriction "setting" algorithm are defined in [[!HTML51]]. : Web IDL :: Many of the interface definitions and all of the IDL in this specification depend on [[!WebIDL-1]]. This updated version of @@ -363,8 +366,12 @@ When this method is invoked, the user agent MUST execute the following algorithm 2. Let |promise| be a new Promise. Return |promise| and start a timer for |adjustedTimeout| seconds. Then asynchronously continue executing the following steps. -3. Set |callerOrigin| to the current settings object's origin. If |callerOrigin| - is an opaque origin, reject |promise| with a DOMException whose name is "NotAllowedError", and terminate this algorithm. Otherwise, derive the RP ID from |callerOrigin| by computing the +3. Set |callerOrigin| to the current settings object's origin. If |callerOrigin| is + an opaque origin, reject |promise| with a DOMException whose name is "NotAllowedError", and + terminate this algorithm. + Otherwise, apply the relaxing the same-origin restriction "setting" algorithm using |callerOrigin| as + the |given value|. + If no errors are thrown, then derive the RP ID from |callerOrigin| by computing the "public suffix + 1" or "PS+1" (which is also referred to as the "Effective Top-Level Domain plus One" or "eTLD+1") part of |callerOrigin| [[PSL]]. Let |rpId| be the lowercase form of this RP ID. Set |rpIdHash| to the SHA-256 hash of the UTF-8 encoding of |rpId|. 
@@ -440,8 +447,12 @@ When this method is invoked, the user agent MUST execute the following algorithm 2. Let |promise| be a new Promise. Return |promise| and start a timer for |adjustedTimeout| seconds. Then asynchronously continue executing the following steps. -3. Set |callerOrigin| to the current settings object's origin. If |callerOrigin| - is an opaque origin, reject |promise| with a DOMException whose name is "NotAllowedError", and terminate this algorithm. Otherwise, derive the RP ID from |callerOrigin| by computing the +3. Set |callerOrigin| to the current settings object's origin. If |callerOrigin| + is an opaque origin, reject |promise| with a DOMException whose name is "NotAllowedError", and + terminate this algorithm. + Otherwise, apply the relaxing the same-origin restriction "setting" algorithm using |callerOrigin| as + the |given value|. + If no errors are thrown, then derive the RP ID from |callerOrigin| by computing the "public suffix + 1" or "PS+1" (which is also referred to as the "Effective Top-Level Domain plus One" or "eTLD+1") part of |callerOrigin| [[PSL]]. Let |rpId| be the lowercase form of this RP ID. Set |rpIdHash| to the SHA-256 hash of the UTF-8 encoding of |rpId|.
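Review bot: for the @@ -149 hunk: '|given value|' is listed among concepts defined in [[!HTML51]], but the |...| markup produces a <var>, and a variable is local to the algorithm that introduces it, so there is nothing in HTML51 for it to link to; drop it from the list and refer to it in prose. It would also help readers to say that the 'relaxing the same-origin restriction "setting" algorithm' is the document.domain setter, since that is what the name refers to in HTML and the reason for invoking it in step 3 is otherwise opaque.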
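Review bot: for the @@ -363 and @@ -440 hunks: the new 'apply the relaxing the same-origin restriction "setting" algorithm using |callerOrigin| as the |given value|' step has two problems. The document.domain setter in HTML takes a domain string (the value a page assigns to document.domain), compares it against the document's effective domain and, when it does not throw, sets the document's origin's domain; passing an origin tuple as the given value is a type mismatch, and a literal reading would mutate the caller's origin as a side effect of requesting a credential. If the intent is to refuse origins whose host has no registrable domain (for example a bare public suffix), state that check directly on |callerOrigin|'s host. Second, 'If no errors are thrown' is the only handling of the failure case, and these steps run after |promise| has already been returned, so a thrown DOMException has nowhere to go; say explicitly 'if the algorithm throws, reject |promise| with that exception and terminate this algorithm', matching the opaque-origin branch.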