Permit silently storing PSL matched credentials #59
You'll need to update https://w3c.github.io/webappsec-credential-management/#store-siteboundcredential as well. Currently, the credential that's returned to the page would have an internal `[[origin]]` slot of the original origin, not the origin on which `get()` was called. I think you'll need to add some logic there to copy the credential information into a new `PasswordCredential` with a different origin, or add some verbiage here in this section about how exactly the chooser would synthesize a new `PasswordCredential` object.
Also, that algorithm asks for user permission, so you'll probably want to either note the carveout and point back to this section, or come up with a better way of describing when the chooser should be presented.
{{CredentialsContainer/store()}} is called if the credential was | ||
retrieved via a user mediated {{CredentialsContainer/get()}} from a | ||
PSL-matched domain and new domain is still PSL-matching the original | ||
domain for which the credentials were stored. |
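Review bot: In the last two lines, "new domain" and "the original domain" are never tied to values the algorithm holds, and "PSL-matched" / "PSL-matching" is used without saying which two hosts are compared or how. Since this sentence lets store() skip a user prompt, name both sides of the comparison explicitly (the origin calling store() and the origin the credential was stored for), and say how the user agent recognises that the credential passed to store() is the one the user chose in the mediated get().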
Nit: </li>
MAY store credentials without user mediation when | ||
{{CredentialsContainer/store()}} is called if the credential was | ||
retrieved via a user mediated {{CredentialsContainer/get()}} from a | ||
PSL-matched domain and new domain is still PSL-matching the original |
I think we could be a little more precise. How about something like: "... via a user-mediated {{CredentialsContainer/get()}}, if the credential's {{[[origin]]}}'s <a>registerable domain</a> is the same as the <a>current settings object</a>'s <a for="environment settings object">origin</a>'s <a>registerable domain</a>."
<div class="example"> | ||
A user stores a credential for <code>https://www.example.com/</code> on | ||
their computer. This credential is synced via the browser's syncing | ||
technologies to the user's phone. The user visits |
Nit: I'd suggest dropping the sync bit. It's irrelevant to your example.
"""
A user stores a credential after creating an account for https://accounts.example.com/. When they wish to sign into https://example.com/ in the future, the user agent can offer that credential in response to {{CredentialsContainer/get()}} with user mediation, as described above. If the user chooses that credential, the website can call {{CredentialsContainer/store()}} to ensure that the credential is available to https://example.com/ in the future. Since the two origins have the same registerable domain, and the user indicated that the credentials are valid for both origins, the user agent can store a credential for https://example.com/ without further prompting.
"""
</ol> | ||
|
||
<div class="example"> | ||
A user stores a credential for <code>https://www.example.com/</code> on |
Nit: s/<\/?code>/`/, here and elsewhere.
Explicitly allow a browser to silently store PSL matched credentials so that they can become eligible for non-mediated provisioning.
Fixes #43.
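The condition discussed in this review (silent `store()` only when the credential came from a user-mediated `get()` and both origins share a registrable domain) can be sketched as follows. This is an added example, not code from the PR or the specification; `registrableDomain`, `maySilentlyStore`, the `fromMediatedGet` flag and the small suffix table are assumptions made for illustration.

```javascript
// Constructed subset of the Public Suffix List, for illustration only.
// A real user agent consults the full, current list.
const SUFFIX_RULES = new Set(["com", "uk", "co.uk", "io", "github.io"]);

// Registrable domain = public suffix plus one label.
// Returns null for IP literals, single-label hosts and bare public suffixes.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  if (labels.length < 2 || labels.some((l) => l === "")) return null;
  if (/^\d+$/.test(labels[labels.length - 1])) return null; // IPv4 literal
  // Scan from the longest candidate suffix to the shortest; the first hit is
  // the longest matching rule. Unknown TLDs fall back to a one-label suffix.
  let suffixLen = 1;
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIX_RULES.has(labels.slice(i).join("."))) {
      suffixLen = labels.length - i;
      break;
    }
  }
  if (labels.length <= suffixLen) return null; // host is itself a suffix
  return labels.slice(-(suffixLen + 1)).join(".");
}

// Hypothetical decision helper. `credential` is a plain object standing in
// for the internal state a user agent would keep:
//   origin          - the origin the credential was saved for ([[origin]])
//   fromMediatedGet - true if the user picked it in a user-mediated get()
function maySilentlyStore(credential, currentOrigin) {
  if (!credential.fromMediatedGet) return false; // user never chose it here
  const saved = registrableDomain(new URL(credential.origin).hostname);
  const current = registrableDomain(new URL(currentOrigin).hostname);
  // A null result must never compare equal: two hosts with no registrable
  // domain are not "the same site".
  return saved !== null && saved === current;
}

// Constructed cases.
const picked = { origin: "https://accounts.example.com", fromMediatedGet: true };
console.log(maySilentlyStore(picked, "https://example.com")); // same site
console.log(maySilentlyStore(
  { origin: "https://alice.github.io", fromMediatedGet: true },
  "https://bob.github.io")); // github.io is a public suffix: different sites
```

The second case is the one that matters for a silent store: two tenants under a shared public suffix look related by string suffix but have different registrable domains, so the prompt is not skipped.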