-
Notifications
You must be signed in to change notification settings - Fork 167
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow caller to pick between strict and eTLD+1 matching #162
Conversation
Per suggestion from @bifurcation on this morning's WG call.
This LGTM; it does require a rebase/merge. |
How about we do something akin to domain lowering:
rpId would be optional, and if left unspecified, the caller's origin shall be used. If it is specified, then valid values are postfixes of the caller's origin, up to - but no further than - eTLD+1. We'd have to define what happens to the scheme and port of the caller's origin, but I assume domain lowering already deals with this in some way (i.e., both http://foo.example.com:1234 and https://foo.example.com:9876 are allowed to lower to "example.com"). |
I do think @balfanz proposes a more elegant solution than the Boolean. Let me write it up in a new PR and we can pick one of the two. |
Ok, I can live with either this "boolean switch" approach, or Dirk's as-yet-not-in-a-PR-it-seems approach. There are detail-level issues in this "boolean switch" approach, tho I'll wait to see which approach we go with before working on detail polishing. thanks for writing this up. |
@@ -343,7 +344,8 @@ When this method is invoked, the user agent MUST execute the following algorithm | |||
2. Let |promise| be a new <a data-lt="Promises">Promise</a>. Return |promise| and start a timer for |adjustedTimeout| seconds. | |||
Then asynchronously continue executing the following steps. | |||
|
|||
3. Set |callerOrigin| to the <a link-for='web'>origin</a> of the caller. Derive the RP ID from |callerOrigin| by computing the | |||
3. Set |callerOrigin| to the <a link-for='web'>origin</a> of the caller. If {{CredentialOptions/rpStrict}} was set to true or | |||
not specified, then set the RP ID to |callerOrigin|. Otherwise, erive the RP ID from |callerOrigin| by computing the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
typo: erive
For either of these solutions, please note that RFC 7719 basically says that "eTLD+1" is not well defined. Quoting: "Note that the term "public suffix" is controversial in the DNS community for many reasons, and may be significantly changed in the future." Can we clarify that the Mozilla-maintained list of public suffixes is authoritative on this term? |
Let's go with #198 rather than this one. |
Closing this out since the consensus on the previous call was similar, that this is inferior to #198. |
* Allow caller to explicitly specify its claimed RP ID Alternative to #162 as suggested by @balfanz. This change also gets rid of references to PSL and eTLD+1, replacing them with references to the HTML specification instead. * Remove rpId from ClientData Since rpId is now equal to origin except when explicitly specified by the caller, and it is folded into the authenticatorData, having it in ClientData adds no value. Fixes #189 * Incorporate feedback from @equalsJeffH * More feedback from @equalsJeffH * Incorporate feedback from @equalsJeffH Note this PR also fixes #178 by removing all use of the term lowercase
Per suggestion from @bifurcation on this morning's WG call.