
Handling various origin types

Open marcoscaceres opened this issue 1 year ago • 4 comments

When calling .get(), we need to check:

  • origin is opaque origin? Throw SecurityError.
  • is the effective domain a valid domain? no, then throw SecurityError.

As with Web Auth, we probably don't want IP addresses being compared here.

marcoscaceres avatar Aug 20 '24 04:08 marcoscaceres

What's an example of an invalid domain?

I assume you don't plan to do any TLSA or DNSSEC checks. The domain could be any DNS resolvable IDNA, according to UTS46.

Right?

OR13 avatar Aug 20 '24 13:08 OR13

navigator.identity is already protected under SecureContext, wouldn't this already cover "origin is opaque origin?" and "is the effective domain a valid domain?"?

samuelgoto avatar Aug 20 '24 16:08 samuelgoto

> navigator.identity is already protected under SecureContext, wouldn't this already cover "origin is opaque origin?" and "is the effective domain a valid domain?"?

That is my understanding. @marcoscaceres does this match your understanding as well?

timcappalli avatar Nov 17 '24 14:11 timcappalli

2025-02-19: @marcoscaceres to confirm

timcappalli avatar Feb 19 '25 23:02 timcappalli
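
The two checks proposed in the opening comment, sketched as an added example (not code from the specification, the issue participants, or any browser). The helper name `classifyCallerOrigin` and the sample origins are hypothetical; the input is assumed to be a serialized origin such as the value of `self.origin`.

```javascript
// Hypothetical helper illustrating the checks from the opening comment.
// Input: a serialized origin string (what self.origin returns in a page).
function classifyCallerOrigin(serializedOrigin) {
  // An opaque origin (for example a sandboxed iframe or a data: URL
  // document) always serializes to the literal string "null".
  if (serializedOrigin === "null") {
    return { allowed: false, error: "SecurityError", reason: "opaque origin" };
  }

  let url;
  try {
    url = new URL(serializedOrigin);
  } catch {
    return { allowed: false, error: "SecurityError", reason: "unparseable origin" };
  }

  // The URL parser has already canonicalized the host: IPv6 literals are
  // wrapped in brackets, every IPv4 spelling (hex, single integer, ...) is
  // rewritten to dotted decimal, and IDN labels are converted to ASCII.
  const host = url.hostname;
  const isIPv6 = host.startsWith("[");
  const isIPv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  if (host === "" || isIPv4 || isIPv6) {
    return { allowed: false, error: "SecurityError", reason: "effective domain is not a domain" };
  }
  return { allowed: true, effectiveDomain: host };
}

// Constructed sample origins, for illustration only.
const samples = [
  "null",                    // opaque origin
  "https://rp.example",      // ordinary domain
  "https://bücher.example",  // IDN, ASCII-encoded by the URL parser
  "https://192.0.2.10",      // IPv4 literal
  "https://0x7f.1",          // IPv4 in hex shorthand, parsed as 127.0.0.1
  "https://[::1]:8443",      // IPv6 literal
];
for (const origin of samples) {
  console.log(origin, JSON.stringify(classifyCallerOrigin(origin)));
}
```

Matching on the parser's canonical host rather than the raw string is what catches spellings like `0x7f.1`, which do not look like an IP address until they are parsed.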