On Thursday, May 4, 2023 at 6:11:17 PM UTC-4 Adam Langley wrote:

> On Tue, May 2, 2023 at 9:55 AM Caleb Raitto <[email protected]> wrote:
>
>> Thanks, makes sense -- can a note about this be added to the privacy section of the explainer / spec?
>
> I think the Privacy section covers that now. If you see gaps, please do let me know.

I was thinking we should have some language specifically about the cross-origin iframe case -- I didn't see that in the explainer or spec when I checked just now? Basically something like your previous response would be sufficient, I think?

Also, I wanted to clarify:

> The cross-origin iframe would still be limited by the RP ID mechanism <https://w3c.github.io/webauthn/#rp-id> so that it could only attempt to assert credentials created within the same eTLD+1, however.

IIUC, this means that the PRF value is more akin to a first party cookie than a third-party cookie?

Thanks,
-Caleb

> Cheers
>
> AGL
