webauthn
CollectedClientData.crossOrigin not referenced in RP ops
Both §7. WebAuthn Relying Party Operations procedures instruct the RP to validate CollectedClientData.origin and .topOrigin (if present), but do not reference crossOrigin at all.
Proposed Change
Add a step to verify crossOrigin in the RP operations. For example:
- If C.crossOrigin is present and set to true, verify that the Relying Party expects that this credential would have been created within an iframe that is not same-origin with its ancestors.