
Add guidance to verifiers/issuers and clients/client platforms on cross-origin usage

Open timcappalli opened this issue 4 months ago • 2 comments

Both get and create calls are allowed in cross-origin iframes in the spec. These cross-origin requests can be confusing and even misleading to users.

We should:

  1. Add considerations for verifiers and issuers, similar to WebAuthn
  2. Consider adding non-normative recommendations to clients/client platforms on displaying both the origin and top origin to users on selection screens

timcappalli, Aug 06 '25 16:08

Agreed that cross-origin usage will be confusing to users and ripe for abuse. Is that something we need to support?

W3C specs have in the past included recommendations around showing a pair of origins to the user (around geolocation, for example), but as I understand it most browsers have abandoned that because of user confusion.

npdoty, Aug 06 '25 17:08

Discussed on the DC API call - 11 August

hlflanagan, Aug 11 '25 17:08