From 2a653decc794850743bb149fd919c81c10614b04 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Anders=20=C3=85berg?= Date: Mon, 29 Jan 2024 10:21:25 +0100 Subject: [PATCH 1/7] Added a loophole for secure contexts not using https Clients today want to allow localhost on http, but are forbidden by spec due to scheme validation --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index 4178af162..ba72361a1 100644 --- a/index.bs +++ b/index.bs @@ -1341,7 +1341,7 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S Note: An [=RP ID=] is based on a [=host=]'s [=domain=] name. It does not itself include a [=scheme=] or [=port=], as an [=origin=] does. The [=RP ID=] of a [=public key credential=] determines its scope. I.e., it determines the set of origins on which the public key credential may be exercised, as follows: - The [=RP ID=] must be equal to the [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=effective domain=], or a [=is a registrable domain suffix of or is equal to|registrable domain suffix=] of the [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=effective domain=]. - - The [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=scheme=] must be `https`. + - The [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=scheme=] must be `https`, or considered [=a secure context|secure contexts=] . - The [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=port=] is unrestricted. For example, given a [=[RP]=] whose origin is `https://login.example.com:1337`, then the following [=RP ID=]s are valid: `login.example.com` (default) and `example.com`, but not `m.login.example.com` and not `com`. From 66b792ddf2b69e4a074d226d77538de9e3c1fb49 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Anders=20=C3=85berg?= Date: Mon, 29 Jan 2024 10:43:58 +0100 Subject: [PATCH 2/7] Fixed bikeshedding --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index ba72361a1..0ca84dec4 100644 --- a/index.bs +++ b/index.bs @@ -1341,7 +1341,7 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S Note: An [=RP ID=] is based on a [=host=]'s [=domain=] name. It does not itself include a [=scheme=] or [=port=], as an [=origin=] does. The [=RP ID=] of a [=public key credential=] determines its scope. I.e., it determines the set of origins on which the public key credential may be exercised, as follows: - The [=RP ID=] must be equal to the [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=effective domain=], or a [=is a registrable domain suffix of or is equal to|registrable domain suffix=] of the [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=effective domain=]. - - The [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=scheme=] must be `https`, or considered [=a secure context|secure contexts=] . + - The [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=scheme=] must be `https`, or considered a [=secure contexts|secure context=]. - The [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=port=] is unrestricted. For example, given a [=[RP]=] whose origin is `https://login.example.com:1337`, then the following [=RP ID=]s are valid: `login.example.com` (default) and `example.com`, but not `m.login.example.com` and not `com`. From 84055e6097dba51a331319078e3e8a4722858967 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Anders=20=C3=85berg?= Date: Mon, 29 Jan 2024 10:53:36 +0100 Subject: [PATCH 3/7] Trigger Build 
From b4ce93ef1cd5e1da1862753bc60ad4ea691ed1c3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Anders=20=C3=85berg?= Date: Mon, 29 Jan 2024 13:39:23 +0100 Subject: [PATCH 4/7] remove pluralisation Co-authored-by: Emil Lundberg --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index 0ca84dec4..39f8e08be 100644 --- a/index.bs +++ b/index.bs @@ -1341,7 +1341,7 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S Note: An [=RP ID=] is based on a [=host=]'s [=domain=] name. It does not itself include a [=scheme=] or [=port=], as an [=origin=] does. The [=RP ID=] of a [=public key credential=] determines its scope. I.e., it determines the set of origins on which the public key credential may be exercised, as follows: - The [=RP ID=] must be equal to the [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=effective domain=], or a [=is a registrable domain suffix of or is equal to|registrable domain suffix=] of the [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=effective domain=]. - - The [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=scheme=] must be `https`, or considered a [=secure contexts|secure context=]. + - The [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=scheme=] must be `https`, or considered a [=secure context=]. - The [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=port=] is unrestricted. For example, given a [=[RP]=] whose origin is `https://login.example.com:1337`, then the following [=RP ID=]s are valid: `login.example.com` (default) and `example.com`, but not `m.login.example.com` and not `com`. From 85d28a3dc985e874c6a77356ac7629289ecfd7c6 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Anders=20=C3=85berg?= Date: Wed, 14 Feb 2024 16:51:29 +0100 Subject: [PATCH 5/7] Changed wording to spell out localhost --- index.bs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/index.bs b/index.bs index 39f8e08be..0801d14b5 100644 --- a/index.bs +++ b/index.bs @@ -1341,7 +1341,9 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S Note: An [=RP ID=] is based on a [=host=]'s [=domain=] name. It does not itself include a [=scheme=] or [=port=], as an [=origin=] does. The [=RP ID=] of a [=public key credential=] determines its scope. I.e., it determines the set of origins on which the public key credential may be exercised, as follows: - The [=RP ID=] must be equal to the [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=effective domain=], or a [=is a registrable domain suffix of or is equal to|registrable domain suffix=] of the [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=effective domain=]. - - The [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=scheme=] must be `https`, or considered a [=secure context=]. + - One of the following is true: + - The [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=scheme=] is `https`. + - The [=determines the set of origins on which the public key credential may be exercised|origin=] is `localhost` and the [=scheme=] is `http`. - The [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=port=] is unrestricted. For example, given a [=[RP]=] whose origin is `https://login.example.com:1337`, then the following [=RP ID=]s are valid: `login.example.com` (default) and `example.com`, but not `m.login.example.com` and not `com`. From ec161c4c2810a9b884d0b6cc756689fbdd7c9cd4 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Anders=20=C3=85berg?= Date: Wed, 14 Feb 2024 21:04:59 +0100 Subject: [PATCH 6/7] Editorial tweaks and links --- index.bs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/index.bs b/index.bs index 0801d14b5..8f8ec0ae9 100644 --- a/index.bs +++ b/index.bs @@ -1338,12 +1338,12 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S [[#sctn-getAssertion]].
- Note: An [=RP ID=] is based on a [=host=]'s [=domain=] name. It does not itself include a [=scheme=] or [=port=], as an [=origin=] does. The [=RP ID=] of a [=public key credential=] determines its scope. I.e., it determines the set of origins on which the public key credential may be exercised, as follows: + Note: An [=RP ID=] is based on a [=host=]'s [=domain=] name. It does not itself include a [=origin/scheme=] or [=port=], as an [=origin=] does. The [=RP ID=] of a [=public key credential=] determines its scope. I.e., it determines the set of origins on which the public key credential may be exercised, as follows: - The [=RP ID=] must be equal to the [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=effective domain=], or a [=is a registrable domain suffix of or is equal to|registrable domain suffix=] of the [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=effective domain=]. - - One of the following is true: - - The [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=scheme=] is `https`. - - The [=determines the set of origins on which the public key credential may be exercised|origin=] is `localhost` and the [=scheme=] is `http`. + - One of the following must be true: + - The [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=origin/scheme=] is `https`. + - The [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=origin/host=] is `localhost` and its [=origin/scheme=] is `http`. - The [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=port=] is unrestricted. For example, given a [=[RP]=] whose origin is `https://login.example.com:1337`, then the following [=RP ID=]s are valid: `login.example.com` (default) and `example.com`, but not `m.login.example.com` and not `com`. 
From 9f8fa53883e4a36933e1241653535d656844e11f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Anders=20=C3=85berg?= Date: Wed, 14 Feb 2024 21:06:15 +0100 Subject: [PATCH 7/7] missed one --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index 8f8ec0ae9..b82dd68f1 100644 --- a/index.bs +++ b/index.bs @@ -1338,7 +1338,7 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S [[#sctn-getAssertion]].
- Note: An [=RP ID=] is based on a [=host=]'s [=domain=] name. It does not itself include a [=origin/scheme=] or [=port=], as an [=origin=] does. The [=RP ID=] of a [=public key credential=] determines its scope. I.e., it determines the set of origins on which the public key credential may be exercised, as follows: + Note: An [=RP ID=] is based on a [=origin/host=]'s [=domain=] name. It does not itself include a [=origin/scheme=] or [=port=], as an [=origin=] does. The [=RP ID=] of a [=public key credential=] determines its scope. I.e., it determines the set of origins on which the public key credential may be exercised, as follows: - The [=RP ID=] must be equal to the [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=effective domain=], or a [=is a registrable domain suffix of or is equal to|registrable domain suffix=] of the [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=effective domain=]. - One of the following must be true:
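Review bot: In PATCH 1/7, the added scheme bullet makes the origin's scheme the subject of "considered a secure context", so the sentence compares a scheme with a context, and it admits far more than the commit message asks for (localhost over http). Name the intended case directly instead, for example that the origin's host is `localhost` and its scheme is `http`. Separately, the other links in this hunk put the displayed word after the `|` (as in `|origin=]`), so `[=a secure context|secure contexts=]` would render as "considered secure contexts", and there is a stray space before the closing period.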
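Review bot: In PATCH 5/7, the second added sub-bullet says the origin "is `localhost`", which compares an origin with a bare host name; the surrounding note itself says an origin carries a scheme and port that an RP ID does not. Phrase it against the origin's host, and tie the scheme to the same origin ("its scheme") rather than the unanchored "the [=scheme=]", so both conditions clearly apply to one origin.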
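Review bot: In PATCH 6/7, the new localhost sub-bullet names only the literal host `localhost`, and the text does not say whether that is an exact match or whether loopback addresses and subdomains of `localhost` are meant to qualify. State the exact-match intent explicitly, since this bullet is the only exception to the https requirement. The "For example" paragraph that follows the list still covers only `https://login.example.com:1337`; adding an `http://localhost` origin there, with the RP ID that is valid for it, would show how the first bullet (RP ID equal to the effective domain or a registrable domain suffix of it) applies to the new case.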
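Review bot: In PATCH 7/7, the changed Note line now qualifies host and scheme as `[=origin/host=]` and `[=origin/scheme=]` but leaves `[=port=]` unqualified in the same sentence, and the "port is unrestricted" bullet in PATCH 6/7 also still uses the bare `[=port=]`. If the point of these two commits is to disambiguate the origin terms, qualify port the same way so the three components of the origin link consistently.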