#1127: WebAuthn Level 3: Related Origin Requests
Discussions
Log in to see TAG-private discussions.
Discussed
Aug 11, 2025 (See Github)
Matthew: Martin proposed a comment; LGTM; shall we ask him to post it?
Lola: Agree LGTM. Anyone have concerns?
Hadley: I don't disagree with any of it, but it's unclear to me what we want them to do.
Lola: When we resolve as unsatisfied, do we have to have an action item for them?
Hadley: No, but I would want to know what to do in order to make the TAG happy.
Lola: This seems simlar to RWS or other cross-origin stuff, where we say this goes against what we say for the web.
Hadley: I'd like to see something that gives them a next step.
Hadley requesting this on the private thread - we could come back to this in the plenary
Comment by @martinthomson Aug 14, 2025 (See Github)
The TAG has reviewed this and finds that the mechanism here is too similar to related website sets, for which we have provided more extensive feedback.
Overall, we're not satisfied that this is the right way to authorize cross-site communication or cross-site release of identification information. We do want to acknowledge that there are some redeeming aspects of this that make this more manageable than RWS. The use of prompting/choice UX that might look similar in nature to FedCM does a lot to mitigate the downsides of this approach, but we are not confident that this has been as carefully thought out as the FedCM interactions.
If those UX interactions prove to be as good as FedCM, then the method by which different sites authorize each other seems redundant in that context; a simpler approach is probably enough.
Discussed
Dec 1, 2025 (See Github)
Philippe: Had a discussion with the web payments working group this week. https://github.com/w3ctag/design-reviews/issues/1127
Apparently this caused a lot of confusion.
This issue was created in the TAG repo, not in the specification review. Martin comment and closed the issue. We received a request for the document two weeks ago. it looks like the WG didn't address the issue, so we declined to allow them to move forwrd, asking for clarification. They said "the issue was closed". We suggested that they should consider addressing the spec. We understand that some people met with the group on Sep 3. There were no conclusions or minutes. I need to understand if this is OK with the TAG or if you have an issue with it. If there is an issue, then I would like the TAG to open an issue against the specification so that the group can address it properly.
Jeffrey: I feel like the TAG still has an issue with the spec. It's fine to ask us to open that issue. I don't think that we can decide that a spec doesn't advance, but the group should document how they handled the objection. I think
Martin: Can recover state and open an issue.
PLH: You are not the only one to have feedback, so this is not on the critical path. but sooner is better. We need clarity.
Matthew: From TAG perspective, it's quite clear that the way the issue was closed was not satisfied. it was closed because our work was done. Others can ask us to reopen if they have new information. Maybe there is a misunderstanding about how the TAG works. It's totally normal for a horizontal review group to raise issues in the originating repository, but I don't think that we have consensus that the TAG is a horizontal review group. So we tend to just provide feedback on our threads and don't have issues with other groups. The non-standard part here is that this is a separate issue; so maybe they missed it.
PLH: They weren't aware or considered the issue resolved.
Matthew: the high-level issue was resolved satisfied, so maybe there was a problem with the way the review was requested. This was not one review for one feature. 1127 was linked from the main thread and it was clear.
PLH: If you open an issue in their repo, that will close the loop.
Yves: It's quite likely that the WG did look only at the label and not at the content of the feedback when closing the issue. That's what I heard. Perhaps this was not as explicit about the connection to first party sets.
PLH: This issue is not gone. I want that to be on the record. Both the TAG and privacy people think that this should not be in the spec. Apparently three browsers already implement the feature. This is not an easy issue at all.
Lola: Happy to be corrected, but we as TAG do not say whether or not browsers implement something. We say whether or not it should be implemented as proposed. It doesn't matter that browsers implement, because that's not what we are commenting on. I do think that Martin's comment is quite thorough in what we disagree with on both issues and the part is what is similar to related website sets, regardless of who implements it. They are free to pursue this, they don't need to listen to the TAG. But I don't know how we could be clearer about the issue we have based on the comment that already exists. Asking Martin to open an issue on their thing feels redundant. Unless the request is to re-review what they submitted.
Jeffrey: The idea is just to ensure that the issue is tracked somewhere.
Lola: PLH, did you say that their fix is "the browsers have implemented"
PLH: I don't want to speak for them, but they are not likely to do anything. Difficult situation. Can we pretend that reality doesn't exist, or is there something else we can do?
Jeffrey: There is always the option to file a formal objection. At which point we'd get another go at this on a council. ...Lola said that we don't care what is in browsers. I think that we do care, but we are not dictators, only advisors.
PLH: Question about how much we want specs to reflect reality.
Jeffrey: We have next steps. We will see what the WG wants.
Discussed
Jun 29, 2026 (See Github)
Heather: Yves asked this to be here. I think based on what I see, we are waiting for the WG. Ehsan is only there.
Matthew: there is a transition request 4 days ago.
Heather: did they do what we asked them to do?
Matthew: it is unresolved in the Gh, and they have not respond on this. Can they respond after the call?
Hadley: yes they can
Matthew: it looks like they did add the things we told them not to.
Heather: phillip said "please re
Hadley: we can reopen issues.
Matthew: it doesn't seem like a good precedent so I am not for it.
Hadley: I don't think it matters for others.
Matthew: I put the link in the chat that goes directly to the text that looks like they added the piece precisely to the spec.
Hadley: what is it that they wanted?
Matthew: it looks like related origins is the issue.
Heather: it seems like they did what we asked them not to. what should we do now? should we reach out phillip and express we are not for it.
Hadley: has our position changed since then?
Matthew: it is a shame they did not respond. Shoudl we ask the chairs of the group and asked them has it changed and did they di anything as a result of our position?
Hadley: yes, for transparecncy, we can put the text in the reposnse and ask the chairs if anything changed based on that.
Matthew: I have put the link, I think Yves already put a comment on this, expressing the sae concern.
Heather I think we need to assign someone as it looks lengthy.
Hadley: I am half way through and it seems no much changed except for the beginning.
Heather: what does it mean to have a MDN checkmark in the diff?
Hadley: I guess reviwed by MDN?
Marcos: it documented and linked to the documentation. The checkbox means it is supported by browsers.
Heather: in that case, if there is no relevance to the topic, what changed?
Matthew: I have put a link in chat on the changed. The section on cross-origin is added.
Matthew: section 14.5.5 seems to be thee change. It seems it is fair to ask them. I think Ives asked that though.
Heather: I think we need to ask as TAG that we agree with Ives questions and ask chair about what is going on.
Heather: do you think Hadley should do it or I?
Hadley: it doesn't matter.
Heather: who want to talk about it to webauthn?
OpenedJul 31, 2025
This tracks this as something separate from the main #1085 review request.
<!-- Content below this is maintained by @w3c-tag-bot -->Track conversations at https://tag-github-bot.w3.org/gh/w3ctag/design-reviews/1127