MAY use the Public Suffix List [PSL] to determine the effective scope of a credential by comparing the registerable domains of the credential’s [[origin]] with the origin in which get() is called. That is: credentials saved on https://admin.example.com/ and https://example.com/ MAY be offered to users when get() is called from https://www.example.com/.
I propose we should change the "MAY" to "MUST", so that it enforces the implementation of cross-subdomain credential sharing.
Many websites break themselves into different sub-websites, each having its own subdomain. Sites that implement single-point authentication usually have a standalone subdomain for that. If the user agent doesn't implement cross-subdomain credential sharing, this API will not work for those sites.
Many websites have a separate mobile site apart from their desktop site, which usually has a different subdomain. By enforcing credential sharing across subdomains, the user experience is reinforced because users always get a seamless sign-in workflow between the desktop browser and the mobile browser.
I think it's reasonable to give user agents the ability to make a decision here consistent with their user base and developer feedback. If we end up discovering that every user agent implements this, then turning it into a MUST might be reasonable for passwords.
However, this also depends in large part upon the properties of the credential type that we're talking about. It might not be possible to offer a federated credential if the IDP scopes its permission grant to a specific origin, for example. If we end up moving https://w3c.github.io/webauthn/ into this API as well, that would be another argument against a MUST, as the hardware tokens that spec defines are likewise origin-bound.
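The following is an added example, not code from the specification, the browser vendors, or either participant in this thread. It models the registerable-domain comparison the quoted spec text describes (eTLD+1 via the Public Suffix List) and the per-type distinction raised in the reply: password credentials matched by registerable domain, federated and public-key credentials matched by exact origin. The `PUBLIC_SUFFIXES` set is a constructed three-rule subset of the real list (https://publicsuffix.org/); the credential store and the `registerableDomain`, `credentialInScope` and `offeredCredentials` helpers are assumptions made for illustration.

```javascript
// Constructed subset of the Public Suffix List, enough to show why a naive
// "last two labels" rule is wrong: github.io is a suffix, so alice.github.io
// and bob.github.io are different registerable domains.
const PUBLIC_SUFFIXES = new Set(["com", "co.uk", "github.io"]);

// Longest-suffix match against the list. Assumption: a label with no rule
// (e.g. "org" here) is treated as a one-label public suffix.
function publicSuffix(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) return candidate;
  }
  return labels[labels.length - 1];
}

// Registerable domain (eTLD+1): the public suffix plus the label before it.
// Returns null when the host is itself a public suffix (nothing to register).
function registerableDomain(host) {
  const h = host.toLowerCase();
  const suffix = publicSuffix(h);
  if (h === suffix) return null;
  const prefix = h.slice(0, h.length - suffix.length - 1);
  const lastLabel = prefix.split(".").pop();
  return `${lastLabel}.${suffix}`;
}

// Decide whether a stored credential may be offered to get() called from
// callerOrigin. Password credentials use the registerable-domain rule the
// spec permits; federated and public-key credentials are origin-bound.
function credentialInScope(credential, callerOrigin) {
  const saved = new URL(credential.origin);
  const caller = new URL(callerOrigin);
  // Only secure contexts participate at all.
  if (saved.protocol !== "https:" || caller.protocol !== "https:") return false;
  switch (credential.type) {
    case "password": {
      const rd = registerableDomain(saved.hostname);
      return rd !== null && rd === registerableDomain(caller.hostname);
    }
    case "federated":
    case "public-key":
      // Exact origin: scheme, host and port must all match.
      return saved.origin === caller.origin;
    default:
      return false;
  }
}

// Constructed credential store standing in for the user agent's storage.
const STORE = [
  { id: "pw-admin", type: "password", origin: "https://admin.example.com" },
  { id: "pw-root", type: "password", origin: "https://example.com" },
  { id: "pw-alice", type: "password", origin: "https://alice.github.io" },
  { id: "fed-admin", type: "federated", origin: "https://admin.example.com" },
  { id: "key-admin", type: "public-key", origin: "https://admin.example.com" },
];

// Return the ids of stored credentials that may be offered to callerOrigin.
function offeredCredentials(callerOrigin, store = STORE) {
  return store
    .filter((c) => credentialInScope(c, callerOrigin))
    .map((c) => c.id);
}

// Example usage: www.example.com sees both passwords under example.com but
// neither the federated nor the public-key credential saved on admin.example.com.
console.log(offeredCredentials("https://www.example.com"));
console.log(offeredCredentials("https://bob.github.io"));
```

The `github.io` case is the reason the spec names the Public Suffix List rather than "drop the leftmost label": two unrelated tenants of a shared suffix must never see each other's passwords, and only a suffix list distinguishes that from `admin.example.com` and `www.example.com`.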