Open albanx opened 3 weeks ago
As per the specification, Webauthn only works with secure connections, so HTTP is not allowed.
Localhost is allowed; it works when I remove that condition.
On Mon, 28 Oct 2024, 06:30 Florent Morselli wrote:
> As per the specification, Webauthn only works with secure connections, so HTTP is not allowed.
Also, if the specification forbids localhost, then that should be handled directly by the WebAuthn API of the browser; I believe an extra check might not be necessary.
While testing on localhost, the verification of the response fails because it sends http://localhost to the server. I think the following check should allow HTTP for localhost dev envs:
https://github.com/web-auth/webauthn-framework/blob/56520b7c8727ce22ecb1fa1eaf716141c7e21a62/src/webauthn/src/CeremonyStep/CheckOrigin.php#L46
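A standalone origin check of the kind this issue argues for, written as an added example in Python rather than as the framework's PHP CheckOrigin step, so it is not the project's own code. It keeps the https requirement, relaxes it only for loopback hosts (the list is an assumption here), and still pins the exact origins the relying party accepts; the sample clientDataJSON is constructed.

```python
import base64
import hmac
import json
from urllib.parse import urlsplit

# Hosts a browser treats as a secure context even over plain http
# (the "potentially trustworthy origin" rule); assumed list for this example.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def b64url_decode(text: str) -> bytes:
    """Decode unpadded base64url, as used throughout WebAuthn."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def is_acceptable_origin(origin: str, allowed_origins: set[str]) -> bool:
    """Require https, except for loopback hosts, then match the allow-list."""
    parts = urlsplit(origin)
    if parts.scheme == "https":
        pass
    elif parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS:
        pass  # the localhost dev case raised in this issue
    else:
        return False
    # The relying party still pins the exact origins it accepts.
    return origin in allowed_origins


def verify_client_data(client_data_b64url: str, expected_type: str,
                       expected_challenge: bytes,
                       allowed_origins: set[str]) -> bool:
    """Check type, challenge and origin of a base64url clientDataJSON."""
    data = json.loads(b64url_decode(client_data_b64url))
    if data.get("type") != expected_type:
        return False
    if not hmac.compare_digest(b64url_decode(data.get("challenge", "")),
                               expected_challenge):
        return False
    return is_acceptable_origin(data.get("origin", ""), allowed_origins)


# Constructed sample shaped like a browser's clientDataJSON for an
# assertion made against a local dev server.
SAMPLE_CHALLENGE = b"constructed-challenge-bytes"
SAMPLE_CLIENT_DATA = base64.urlsafe_b64encode(json.dumps({
    "type": "webauthn.get",
    "challenge": base64.urlsafe_b64encode(SAMPLE_CHALLENGE).rstrip(b"=").decode(),
    "origin": "http://localhost:8000",
    "crossOrigin": False,
}).encode()).rstrip(b"=").decode()
```

Calling `verify_client_data(SAMPLE_CLIENT_DATA, "webauthn.get", SAMPLE_CHALLENGE, {"http://localhost:8000"})` returns True, while the same data with a non-loopback http origin in the allow-list is still rejected.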