Adding flexibility in client origin scheme validation to align with real world implementations #2018
Conversation
Clients today want to allow localhost on http, but are forbidden by spec due to scheme validation
|
@MasterKale any thoughts? I don't wanna hog the meeting minutes on Wednesday, if this is dumb I'd rather close it before then. edit: ipr failed because my accounts didn't line up. It's been fixed. |
Co-authored-by: Emil Lundberg <emil@emlun.se>
There was a problem hiding this comment.
This seems fine to me. The spec mentions secure contexts a couple of times but it's far from obvious that http://localhost is one especially if all you're going off of is WHATWG.
I suggest we also specifically call out here that http://localhost addresses are valid. Let's include a localhost example here too? And maybe a mention of an address like http://localhost:8000 being valid too because many JS frameworks will start local dev servers on a different port than 80.
|
@MasterKale I agree and even thought about adding an example too, but didn't want to be too specific in order to open the door for more question. I'll add second PR with a suggested example so that it can be independently accepted/rejected. |
|
Incorporated @nsatragno feedback, it now spells out the behaviour:
|
|
@emlun I tried to keep this PR focused to this section of the spec. I noticed that there are more usages of [=host=] elsewhere. I can adress those in a separate PR if |
|
Is this going to cover the case of having names in a and then trying to access Seems like those are considered Secure Contexts elsewhere. |
SHA: 3c71812 Reason: push, by nicksteele Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sorry for the delayed response - yeah, I don't think we need to change any other occurrences. (Probably, I might take a look into that later) |
I suggest adding a little bit of flexibility to the requirements on validating the scheme to be
https. This is in response to the real world implementation by clients, where clients (browsers, chrome) allow webauthn onlocalhostrunning on thehttp-scheme. We've been receiving negative feedback for following this part of the spec. I wanted to suggest adding just a little bit of flexibility here, hopefully without opening a can of DNS worms.I might be sticking my shin out here, since I know the topic of localhost has been brought up in previous calls with varying (dis)-agreement. E.g issue #1204 morphed into a discussion on DNS.
Either I'm misinterpreting the current writing, but to me it's quite clear about not allowing
httpin any case.Original:
Updated:
Preview | Diff