From 561144ed0cf95123e66dcf68703db4a3084cd6d3 Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Tue, 1 Oct 2024 15:02:13 +0200 Subject: [PATCH 1/2] Validate CollectedClientData.crossOrigin in RP ops --- index.bs | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/index.bs b/index.bs index 0db3e9d0a..f873cce84 100644 --- a/index.bs +++ b/index.bs @@ -5939,6 +5939,10 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o See [[#sctn-validating-origin]] for guidance. +1. If |C|.{{CollectedClientData/crossOrigin}} is present and set to [TRUE], + verify that the [=[RP]=] expects that this credential would have been created within an iframe + that is not [=same-origin with its ancestors=]. + 1. If |C|.{{CollectedClientData/topOrigin}} is present: 1. Verify that the [=[RP]=] expects that this credential would have been created within an iframe that is @@ -6162,6 +6166,10 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o See [[#sctn-validating-origin]] for guidance. +1. If |C|.{{CollectedClientData/crossOrigin}} is present and set to [TRUE], + verify that the [=[RP]=] expects that this credential would have been created within an iframe + that is not [=same-origin with its ancestors=]. + 1. If |C|.{{CollectedClientData/topOrigin}} is present: 1. Verify that the [=[RP]=] expects this credential to be used within an iframe that is not [=same-origin with its ancestors=]. From aa8728aa5504769fce9c0fe765a8815f0a77e24b Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Thu, 3 Oct 2024 14:57:05 +0200 Subject: [PATCH 2/2] Fix create-to-get copy-paste error --- index.bs | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/index.bs b/index.bs index f873cce84..edaba02c4 100644 --- a/index.bs +++ b/index.bs 
@@ -6167,8 +6167,7 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o 1. If |C|.{{CollectedClientData/crossOrigin}} is present and set to [TRUE], - verify that the [=[RP]=] expects that this credential would have been created within an iframe - that is not [=same-origin with its ancestors=]. + verify that the [=[RP]=] expects this credential to be used within an iframe that is not [=same-origin with its ancestors=]. 1. If |C|.{{CollectedClientData/topOrigin}} is present:
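Review bot: In the first hunk of PATCH 1/2 (@@ -5939, the credential-creation steps), the added crossOrigin step asks for the same verification that the first substep of the following topOrigin step already opens with ("Verify that the [=[RP]=] expects that this credential would have been created within an iframe that is"), so an RP implementing the steps literally performs one check twice whenever both members are present. Consider dropping the duplicate substep under topOrigin, or stating there that it repeats the crossOrigin check. The same overlap appears in the second hunk (@@ -6162) for the "to be used within an iframe" wording.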
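Review bot: The wording corrected in the PATCH 2/2 hunk (@@ -6167) was introduced by the second hunk of PATCH 1/2, so squashing the two commits before merge would keep the "would have been created" text out of the history of this step altogether. The replacement also puts the whole step on one long line, while the step added at @@ -5939 in 1/2 is wrapped over three lines; wrapping it the same way keeps the two steps easy to compare side by side.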