Enforce cross sub domain credential sharing #62
I propose we should change the "MAY" to "MUST", so that it enforces the implementation of cross subdomain credential sharing.
I think it's reasonable to give user agents the ability to make a decision here consistent with their user base and developer feedback. If we end up discovering that every user agent implements this, then turning it into a MUST might be reasonable for passwords.
However, this also depends in large part upon the properties of the credential type that we're talking about. It might not be possible to offer a federated credential if the IDP scopes its permission grant to a specific origin, for example. If we end up moving https://w3c.github.io/webauthn/ into this API as well, that would be another argument against a