
CollectedClientData.crossOrigin default value and whether it is required

Open equalsJeffH opened this issue 4 years ago • 1 comments

CollectedClientData.crossOrigin is defined like so:

dictionary CollectedClientData {
    [ ... ]
    boolean                      crossOrigin;
    [ ... ]
};

In examining both the [[Create]]() and [[DiscoverFromExternalSource]]() methods, as well as the CollectedClientData serialization, it appears that crossOrigin is invariably added to collectedClientData, and that its default value is (effectively) False.

Did we not stipulate it as required in the above WebIDL declaration for backwards compatibility reasons?

In any case, I think it'd be good to add a note along these lines (to help obviate grovelling thru the spec to figure this out):

crossOrigin, of type boolean
This member contains the inverse of the sameOriginWithAncestors argument value that was passed into the internal method.
Note: This member is always added to CollectedClientData by the [[Create]]() and [[DiscoverFromExternalSource]]() methods. If for some reason it is not present in CollectedClientData, and the Section 5.8.1.1 Serialization is used, it defaults to False.

equalsJeffH, Jun 19 '21 00:06

It doesn't appear to be explicitly documented in #1276, but I think it seems likely that backwards compatibility is the reason we made it not required - RPs cannot rely on it being present in case the client is an L1 implementation.

emlun, Aug 07 '24 14:08

From WG call: @akshayku will create a PR to add a note similar to what was proposed above.

MasterKale, Jul 02 '25 18:07
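
An added example, not part of this thread or of the WebAuthn specification, of how a relying party could read crossOrigin given the behaviour discussed above: an absent member (as from an L1 client) is treated as false, and a true value is rejected unless the RP expects cross-origin use. The function names, policy fields and sample clientDataJSON payloads are constructed for illustration, and treating "absent" as false is an assumption drawn from the thread.

```javascript
// Added example; function names and policy fields are hypothetical.
const enc = new TextEncoder();

// Constructed sample clientDataJSON payloads (not captured from a real client).
const base = { type: "webauthn.get", challenge: "c2FtcGxlLWNoYWxsZW5nZQ", origin: "https://rp.example" };
const SAMPLES = {
  l1Client: enc.encode(JSON.stringify(base)),                               // member absent
  sameOrigin: enc.encode(JSON.stringify({ ...base, crossOrigin: false })),
  crossOrigin: enc.encode(JSON.stringify({ ...base, crossOrigin: true })),
  malformed: enc.encode(JSON.stringify({ ...base, crossOrigin: "false" })), // wrong type
};

// Effective value of crossOrigin; absent is treated as false (assumption from the thread).
function readCrossOrigin(clientData) {
  if (!Object.prototype.hasOwnProperty.call(clientData, "crossOrigin")) {
    return { value: false, present: false };
  }
  if (typeof clientData.crossOrigin !== "boolean") {
    throw new TypeError("crossOrigin must be a boolean when present");
  }
  return { value: clientData.crossOrigin, present: true };
}

// Checks type, challenge and origin, then applies the RP's cross-origin policy.
function checkClientData(clientDataJSON, policy) {
  try {
    const text = new TextDecoder("utf-8", { fatal: true }).decode(clientDataJSON);
    const clientData = JSON.parse(text);
    if (clientData === null || typeof clientData !== "object") throw new TypeError("not an object");
    if (clientData.type !== policy.expectedType) return { ok: false, reason: "type" };
    if (clientData.challenge !== policy.expectedChallenge) return { ok: false, reason: "challenge" };
    if (clientData.origin !== policy.expectedOrigin) return { ok: false, reason: "origin" };
    const co = readCrossOrigin(clientData);
    // Do not key the decision on presence alone: L1 clients omit the member.
    if (co.value && !policy.allowCrossOrigin) return { ok: false, reason: "crossOrigin" };
    return { ok: true, crossOrigin: co.value, crossOriginPresent: co.present };
  } catch (err) {
    return { ok: false, reason: "malformed" };
  }
}

const POLICY = {
  expectedType: "webauthn.get",
  expectedChallenge: "c2FtcGxlLWNoYWxsZW5nZQ",
  expectedOrigin: "https://rp.example",
  allowCrossOrigin: false,
};
```

Logging crossOriginPresent alongside the decision lets an RP see how many of its clients still omit the member.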