duo-labs / py_webauthn

Pythonic WebAuthn 🐍
https://duo-labs.github.io/py_webauthn
BSD 3-Clause "New" or "Revised" License

Update tests to enforce https on all origins #184

Closed hugorodgerbrown closed 11 months ago

hugorodgerbrown commented 11 months ago

Whilst working on #182 I added some validation to ensure that all origins are HTTPS, which caused a lot of tests to fail. HTTPS is a requirement of WebAuthn, so it would be nice to have the tests use it.

MasterKale commented 11 months ago

WebAuthn is available in "secure contexts", which includes:

Locally-delivered resources such as those with http://127.0.0.1 URLs, http://localhost and http://*.localhost URLs (e.g. http://dev.whatever.localhost/), and file:// URLs are also considered to have been delivered securely.

Resources that are not local, to be considered secure, must meet the following criteria:

  • must be served over https:// or wss:// URLs
  • the security properties of the network channel used to deliver the resource must not be considered deprecated

https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts

The availability of WebAuthn over http://localhost addresses is a good thing, and it helps developers test locally before deploying to https:// addresses. We can't enforce use of HTTPS in py_webauthn because it would break local development flows.
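The secure-context rule described in the comment above, as an added example that is not part of the original thread and not py_webauthn's own code: an origin check that accepts any https:// origin but allows http:// only for the local cases MDN lists (localhost, *.localhost and the loopback address). It goes slightly beyond the quoted MDN text in treating the whole 127.0.0.0/8 range and the IPv6 loopback ::1 as local, which is how the W3C Secure Contexts definition of "potentially trustworthy origin" describes loopback; that widening is an assumption of this example. The function names are hypothetical, and the origins in the usage block are constructed test data.

```python
"""Hypothetical pre-check: is an origin a WebAuthn-usable secure context?

Not part of py_webauthn. Encodes the MDN secure-context rules quoted in the
thread: https:// is always acceptable, http:// only for localhost, *.localhost
and loopback addresses. Loopback is taken as 127.0.0.0/8 and ::1, following the
W3C Secure Contexts definition (an assumption beyond the MDN quote).
"""
import ipaddress
from urllib.parse import urlparse


def is_local_host(host: str) -> bool:
    """True for 'localhost', any '*.localhost' name, or an IP loopback address."""
    host = host.lower().rstrip(".")  # tolerate a trailing dot (FQDN form)
    if host == "localhost" or host.endswith(".localhost"):
        return True
    # urlparse().hostname already strips the [] around IPv6 literals.
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # not an IP literal, so not a loopback address


def is_secure_context_origin(origin: str) -> bool:
    """Accept https://host[:port] for any host; http://host[:port] only when local.

    An origin is scheme://host[:port] and nothing more, so a path (other than a
    bare trailing '/'), query or fragment disqualifies the string outright.
    """
    parsed = urlparse(origin)
    if parsed.path not in ("", "/") or parsed.params or parsed.query or parsed.fragment:
        return False
    try:
        parsed.port  # raises ValueError on a malformed port such as ':abc'
    except ValueError:
        return False
    # .hostname is lower-cased and has userinfo removed, so
    # 'http://localhost@evil.com' resolves to host 'evil.com', not 'localhost'.
    host = parsed.hostname
    if not host:
        return False
    if parsed.scheme == "https":
        return True
    if parsed.scheme == "http":
        return is_local_host(host)
    return False  # file://, ws://, javascript: etc. are not web origins here


def partition_origins(origins):
    """Split candidate origins into (accepted, rejected) lists, order preserved."""
    accepted, rejected = [], []
    for origin in origins:
        (accepted if is_secure_context_origin(origin) else rejected).append(origin)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input, not taken from the project or the thread.
    candidates = [
        "https://example.com",
        "http://localhost:8000",
        "http://dev.whatever.localhost",
        "http://[::1]:8000",
        "http://example.com",              # non-local over plain http
        "http://localhost.example.com",    # 'localhost' as a subdomain of elsewhere
        "http://localhost@evil.com",       # userinfo trick
        "https://example.com/login",       # has a path, so not an origin
    ]
    ok, bad = partition_origins(candidates)
    print("accepted:", ok)
    print("rejected:", bad)
```

The check is deliberately strict about what counts as an origin: py_webauthn compares the origin it is given against the origin recorded in the client data, so a configured value that carries a path or query string would never match anyway, and rejecting it early turns a silent verification failure into an obvious configuration error.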