The client facilitates these security measures by providing the Relying Party's origin and RP ID to the authenticator for each operation. Since this is an integral part of the WebAuthn security model, user agents only expose this API to callers in secure contexts.
We should explicitly note that being in a secure context means that network connections must all be over secure transport (e.g., TLS) established without errors.
Would have to see the text proposal, but bear in mind that secure context does not necessarily mean the webpage was retrieved via a TLS connection. For instance, https://www.w3.org/TR/secure-contexts/#localhost has a 127.0.0.1 carve-out that in my experience browser vendors have honored with respect to other APIs requiring secure contexts (e.g. Encrypted Media Extensions).
Rather than try to paraphrase what a secure context actually means in the WebAuthn intro, I would consider adding a reference to how the UA should determine if a webpage corresponds to a secure context: https://www.w3.org/TR/secure-contexts/#algorithms
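The distinction raised in the comment above, as an added example that is not part of the original thread or of the WebAuthn or Secure Contexts specifications: a simplified sketch of the origin check behind a secure context, showing that loopback origins qualify without TLS while lookalike hostnames do not. The function name and sample URLs are constructed, and the sketch covers only the scheme and loopback rules, not ancestor frames or user-agent configuration.

```javascript
// Simplified origin trust check modelled on the Secure Contexts algorithms
// linked above. isPotentiallyTrustworthy is a hypothetical helper name.
function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparsable input is never trustworthy
  }
  const scheme = url.protocol.replace(/:$/, "");
  const host = url.hostname.toLowerCase();

  // Authenticated transport.
  if (scheme === "https" || scheme === "wss") return true;

  // Loopback carve-out: 127.0.0.0/8 and ::1 traffic never leaves the host,
  // so these origins qualify even over plain http.
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true;
  if (host === "[::1]") return true;

  // localhost names, which user agents may resolve to loopback only.
  if (host === "localhost" || host.endsWith(".localhost")) return true;

  return false;
}

// Constructed sample origins, including lookalikes that must not pass.
const SAMPLES = [
  "https://login.example.com/",
  "http://127.0.0.1:8080/",
  "http://[::1]:3000/",
  "http://localhost:8000/",
  "http://login.example.com/",
  "http://127.0.0.1.evil.example/",
  "http://localhost.evil.example/",
];

function classifySamples() {
  return SAMPLES.map((u) => [u, isPotentiallyTrustworthy(u)]);
}

for (const [u, ok] of classifySamples()) {
  console.log(ok ? "trustworthy    " : "not trustworthy", u);
}
```

In a browser, `window.isSecureContext` reports the user agent's own result for the current page.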
The WebAuthn API intro has a paragraph saying: