File: origins.md

package info (click to toggle)
chromium 138.0.7204.183-1~deb12u1
  • links: PTS, VCS
  • area: main
  • in suites: bookworm-proposed-updates
  • size: 6,080,960 kB
  • sloc: cpp: 34,937,079; ansic: 7,176,967; javascript: 4,110,704; python: 1,419,954; asm: 946,768; xml: 739,971; pascal: 187,324; sh: 89,623; perl: 88,663; objc: 79,944; sql: 50,304; cs: 41,786; fortran: 24,137; makefile: 21,811; php: 13,980; tcl: 13,166; yacc: 8,925; ruby: 7,485; awk: 3,720; lisp: 3,096; lex: 1,327; ada: 727; jsp: 228; sed: 36
file content (7 lines) | stat: -rw-r--r-- 905 bytes parent folder | download | duplicates (8) 
1
2
3
4
5
6
7
 
# Origins that support WebAuthn

WebAuthn is [only available](https://www.w3.org/TR/webauthn-2/#sctn-api) to pages which are in a [secure context](https://w3c.github.io/webappsec-secure-contexts/#intro). Specifically, pages served from the following origins can use WebAuthn:

1. HTTPS pages with a valid certificate. These pages can assert an RP ID that follows [the standard rules](https://www.w3.org/TR/webauthn-2/#rp-id), i.e. labels can be removed from the left of the domain until an eTLD+1 is hit.
2. HTTP pages served from `localhost` or a domain ending in `.localhost`. These pages follow the same rules for asserting an RP, where `localhost` is considered a TLD.
3. Pages served from an extension, e.g. with the `chrome-extension` scheme in Chrome or similar schemes in other Chromium-based browsers. These pages should leave the RP ID fields in WebAuthn structures blank to accept the default.