#1127: WebAuthn Level 3: Related Origin Requests
Discussions
Discussed
Aug 11, 2025 (See Github)
Matthew: Martin proposed a comment; LGTM; shall we ask him to post it?
Lola: Agree LGTM. Anyone have concerns?
Hadley: I don't disagree with any of it, but it's unclear to me what we want them to do.
Lola: When we resolve as unsatisfied, do we have to have an action item for them?
Hadley: No, but I would want to know what to do in order to make the TAG happy.
Lola: This seems similar to RWS or other cross-origin stuff, where we say this goes against what we say for the web.
Hadley: I'd like to see something that gives them a next step.
Hadley requesting this on the private thread - we could come back to this in the plenary
Comment by @martinthomson Aug 14, 2025 (See Github)
The TAG has reviewed this and finds that the mechanism here is too similar to related website sets, for which we have provided more extensive feedback.
Overall, we're not satisfied that this is the right way to authorize cross-site communication or cross-site release of identification information. We do want to acknowledge that there are some redeeming aspects of this that make this more manageable than RWS. The use of prompting/choice UX that might look similar in nature to FedCM does a lot to mitigate the downsides of this approach, but we are not confident that this has been as carefully thought out as the FedCM interactions.
If those UX interactions prove to be as good as FedCM, then the method by which different sites authorize each other seems redundant in that context; a simpler approach is probably enough.
Opened Jul 31, 2025
This tracks this as something separate from the main #1085 review request.
Track conversations at https://tag-github-bot.w3.org/gh/w3ctag/design-reviews/1127