Merge pull request #2018 from abergs/non-https-loophole

Adding flexibility in client origin scheme validation to align with real world implementations
w3c · Feb 21, 2024 · 3c71812 · 3c71812
2 parents bfe8f63 + 9f8fa53
commit 3c71812
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/index.bs b/index.bs
@@ -1338,10 +1338,12 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S
     [[#sctn-getAssertion]].
 
     <div class="note" id="note-pkcredscope">
-        Note: An [=RP ID=] is based on a [=host=]'s [=domain=] name. It does not itself include a [=scheme=] or [=port=], as an [=origin=] does. The [=RP ID=] of a [=public key credential=] determines its <dfn>scope</dfn>. I.e., it <dfn>determines the set of origins on which the public key credential may be exercised</dfn>, as follows:
+        Note: An [=RP ID=] is based on a [=origin/host=]'s [=domain=] name. It does not itself include a [=origin/scheme=] or [=port=], as an [=origin=] does. The [=RP ID=] of a [=public key credential=] determines its <dfn>scope</dfn>. I.e., it <dfn>determines the set of origins on which the public key credential may be exercised</dfn>, as follows:
 
             - The [=RP ID=] must be equal to the [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=effective domain=], or a [=is a registrable domain suffix of or is equal to|registrable domain suffix=] of the [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=effective domain=].
-            - The [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=scheme=] must be `https`.
+            - One of the following must be true:
+                - The [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=origin/scheme=] is `https`.
+                - The [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=origin/host=] is `localhost` and its [=origin/scheme=] is `http`.
             - The [=determines the set of origins on which the public key credential may be exercised|origin=]'s [=port=] is unrestricted.
 
         For example, given a [=[RP]=] whose origin is `https://login.example.com:1337`, then the following [=RP ID=]s are valid: `login.example.com` (default) and `example.com`, but not `m.login.example.com` and not `com`.