[messaging] abusing u2f
Joseph Birr-Pixton
jpixton at gmail.com
Fri Mar 25 13:52:59 PDT 2016
On 25 March 2016 at 20:31, Tom Ritter <tom at ritter.vg> wrote:
> The "list of equivalent origins" when I read the spec did _not_ allow
> other web origins. This was a hard "No". It only worked with mobile
> apps. Has this been relaxed? If so, it's a major privacy problem.
I don't think it has been relaxed. The other web origins are required
to share the same 'public parts' (like .com) plus at least one
'private part' (like example), such that www.example.com and
accounts.example.com can share, but not baddie.example2.com.
Cheers,
Joe
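The rule Joe describes is the registrable-domain ("eTLD+1") comparison: two web origins may share a U2F AppID's facet list only when their hosts agree on the public suffix plus the next label. The check below is an added example, not code from the thread or from any FIDO client; it uses a small constructed subset of the Public Suffix List (a real client loads the full list), and all hostnames in it are made up.

```python
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List (assumption: a real check
# loads the full list from publicsuffix.org; these entries are examples).
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk", "github.io"}


def registrable_domain(host):
    """Return the 'one private part + public parts' of a host, e.g.
    www.example.co.uk -> example.co.uk. Returns None when the host has no
    private part (it is itself a public suffix) or is not a DNS name."""
    labels = host.lower().rstrip(".").split(".")
    if not labels or any(label == "" for label in labels):
        return None
    if labels[-1].isdigit():
        return None  # IPv4 literal: no public suffix applies
    # Longest matching public suffix wins, so scan from the full host down.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    # PSL default rule: an unlisted TLD is itself the public suffix.
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def may_share_facets(origin_a, origin_b):
    """True only if both are https origins whose hosts share the same
    public suffix plus at least one private label."""
    domains = []
    for origin in (origin_a, origin_b):
        parts = urlsplit(origin)
        if parts.scheme != "https" or not parts.hostname:
            return False  # facets are https origins only
        domain = registrable_domain(parts.hostname)
        if domain is None:
            return False
        domains.append(domain)
    return domains[0] == domains[1]


if __name__ == "__main__":
    # Constructed pairs illustrating the rule from the message.
    pairs = [
        ("https://www.example.com", "https://accounts.example.com"),
        ("https://www.example.com", "https://baddie.example2.com"),
        ("https://alice.github.io", "https://mallory.github.io"),
        ("https://www.example.co.uk", "https://login.example.co.uk"),
        ("http://www.example.com", "https://accounts.example.com"),
    ]
    for a, b in pairs:
        print(f"{a:30} {b:32} share={may_share_facets(a, b)}")
```

Note the github.io pair: because the suffix list treats `github.io` as public, two user sites there are as unrelated as `example.com` and `example2.com`, which is exactly why the check must consult the suffix list rather than count labels.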