WICG / sms-one-time-codes

A way to format SMS messages for use with browser autofill features such as HTML’s autocomplete=one-time-code.
https://wicg.github.io/sms-one-time-codes/

A mechanism for strict domain matching #12

Open erynofwales opened 3 years ago

erynofwales commented 3 years ago

I think it would be useful to allow a service that wants to send domain-bound codes to be able to opt into a stricter matching mechanism. Common examples that come to mind are hosting services or blog services that have user login on their TLD-plus-one and serve user content from subdomains. For example, Example Hosting Service has a login form on example.com and serves userA's content from userA.example.com.

Under our current matching scheme a code sent as @example.com #123456 would match example.com and userA.example.com since they're "same site" with each other. We should give these sites a way to express that they only want to match with example.com and no subdomains with a minimal amount of extra syntax. I think a natural extension of what we have so far is to use two @ signs as the field sigil. So, an SMS that reads @@example.com #123456 would match only example.com.
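The two rules described in this comment, as an added JavaScript sketch that is not code from the spec or from the issue: it parses the trailing `@host #code` line, treats a single `@` as same-site (registrable domains match) and a double `@@` as an exact hostname match. It assumes a "last two labels" stand-in for the Public Suffix List that a real same-site check needs, and a simplified code-line format.

```javascript
// Added example for this issue, not the WICG spec's own code.
// Assumption: registrableDomain() uses the last two labels as a stand-in for
// the Public Suffix List (a real check must handle suffixes like "co.uk").

// Parse a message whose last line carries the code, e.g.
// "@example.com #123456" or the proposed strict form "@@example.com #123456".
// Returns null when the last line is not well-formed.
function parseOtpMessage(message) {
  const lastLine = message.trim().split(/\r?\n/).pop();
  const m = /^(@@?)([^\s@]+) #(\S+)$/.exec(lastLine);
  if (!m) return null;
  return { host: m[2].toLowerCase(), code: m[3], strict: m[1] === '@@' };
}

// Simplified registrable-domain computation (assumption: last two labels).
function registrableDomain(host) {
  return host.split('.').slice(-2).join('.');
}

// Decide whether a parsed code may be offered to a page served from pageHost.
//   "@"  -> same-site: registrable domains must match, so a code for
//           example.com is also offered on userA.example.com.
//   "@@" -> strict: the hostnames must be identical.
function codeMatchesPage(parsed, pageHost) {
  const host = pageHost.toLowerCase();
  if (parsed.strict) return parsed.host === host;
  return registrableDomain(parsed.host) === registrableDomain(host);
}

// Returns the code to autofill, or null when the message does not match.
function codeForPage(message, pageHost) {
  const parsed = parseOtpMessage(message);
  if (!parsed) return null;
  return codeMatchesPage(parsed, pageHost) ? parsed.code : null;
}

// Constructed sample messages (not real traffic).
const sameSiteSms = 'Your Example code is 123456.\n\n@example.com #123456';
const strictSms = 'Your Example code is 123456.\n\n@@example.com #123456';
```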

hober commented 3 years ago

IIRC one of the big advantages of using the @ character as the sigil is that it breaks auto-linkification of the hostname on most/all major platforms. Is that the case for double-@ too?

erynofwales commented 3 years ago

I did a quick test on iOS and @@ avoids linkifying, just like @ does. I think that's the case on Android too -- I tried testing on an Android device and it didn't linkify -- but I don't know for sure.