w3c/webauthn

CollectedClientData.crossOrigin not referenced in RP ops

emlun opened this issue · 1 comments

Both §7. WebAuthn Relying Party Operations instruct to validate CollectedClientData.origin and .topOrigin (if present), but do not reference crossOrigin at all.

Proposed Change

Add a step to verify crossOrigin in the RP operations. For example:

Serialization requires crossOrigin, so the conditional "if" is not needed:

If C.crossOrigin is set to true, verify that the Relying Party expects that this credential would have been created within an iframe that is not same-origin with its ancestors.

Related, should topOrigin validation be a sub-step since it should never be set when crossOrigin is false?
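The proposed step, as an added Relying Party-side example (not code from the issue, the spec, or the w3c/webauthn project): the verifier applies the existing type/challenge/origin checks, then compares crossOrigin directly (it is always serialized), and only consults topOrigin in the cross-origin branch. The policy object shape and its field names are assumptions for this example.

```javascript
// Added example: RP verification of CollectedClientData with the proposed crossOrigin step.
// Policy shape is an assumption; requiring topOrigin whenever crossOrigin is true is this
// example's own strictness, not a spec mandate.
function decodeClientData(clientDataJSONb64url) {
  return JSON.parse(Buffer.from(clientDataJSONb64url, 'base64url').toString('utf8'));
}

function verifyClientData(clientDataJSONb64url, policy) {
  const C = decodeClientData(clientDataJSONb64url);
  if (C.type !== policy.expectedType) return { ok: false, reason: 'type' };
  if (C.challenge !== policy.expectedChallenge) return { ok: false, reason: 'challenge' };
  if (!policy.allowedOrigins.includes(C.origin)) return { ok: false, reason: 'origin' };

  // crossOrigin is always serialized, so compare it directly (no "if present").
  if (C.crossOrigin === true) {
    // Proposed step: the RP must expect credentials created/used inside a non-same-origin iframe.
    if (!policy.allowCrossOrigin) return { ok: false, reason: 'crossOrigin-not-expected' };
    // topOrigin validation lives under the crossOrigin branch: it names the top-level ancestor.
    if (typeof C.topOrigin !== 'string' || !policy.allowedTopOrigins.includes(C.topOrigin)) {
      return { ok: false, reason: 'topOrigin' };
    }
  } else if (C.crossOrigin === false) {
    // topOrigin should never be set when crossOrigin is false; treat its presence as malformed.
    if (C.topOrigin !== undefined) return { ok: false, reason: 'topOrigin-unexpected' };
  } else {
    return { ok: false, reason: 'crossOrigin-missing' };
  }
  return { ok: true };
}

// Helper to build constructed clientDataJSON values for the samples below.
function encodeClientData(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Constructed sample policy and inputs (not captured from a real ceremony).
const examplePolicy = {
  expectedType: 'webauthn.get',
  expectedChallenge: 'challenge-123',
  allowedOrigins: ['https://rp.example'],
  allowCrossOrigin: true,
  allowedTopOrigins: ['https://embedder.example'],
};
const sameOriginSample = encodeClientData({ type: 'webauthn.get', challenge: 'challenge-123',
  origin: 'https://rp.example', crossOrigin: false });
const framedSample = encodeClientData({ type: 'webauthn.get', challenge: 'challenge-123',
  origin: 'https://rp.example', crossOrigin: true, topOrigin: 'https://embedder.example' });
const badFramedSample = encodeClientData({ type: 'webauthn.get', challenge: 'challenge-123',
  origin: 'https://rp.example', crossOrigin: true, topOrigin: 'https://attacker.example' });
```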