Closed zacknewman closed 1 month ago
The reason I phrased this more generally was regarding your point about other use cases of PRF that don't require results to remain client-side:
> Hm. I wanted to say that yes, this should be obvious enough in the use cases where this is relevant, and that there are other use cases where you actually do want to send the PRF outputs to the server.
I generalized even further to apply to any extension. As I stepped back from the issue, I was starting to think I was partial in my worry, seeing how I'm only familiar with PRF in the context of password managers. Seemingly any extension could be used for any purpose; therefore one should always be careful about what data is sent back to the server based on their use case. Sure, one example is PRF in the context of password managers, but what's to stop an RP from using another extension?
If you want to apply this disclaimer on a case-by-case basis, then I suppose that's OK.
Closes #2177.