Explain why RP origin validation helps even with scoping rules

w3c · Jul 26, 2023 · 5ecbf28 · 5ecbf28
1 parent 9135767
commit 5ecbf28
Showing 1 changed file with 8 additions and 5 deletions.
diff --git a/index.bs b/index.bs
@@ -8347,6 +8347,14 @@ When [registering a credential](#rp-op-registering-a-new-credential-step-origin)
 when [verifying an assertion](#rp-op-verifying-assertion-step-origin),
 the [=[RP]=] MUST validate the {{CollectedClientData/origin}} member of the [=client data=].
 
+The [=[RP]=] MUST NOT accept unexpected values of {{CollectedClientData/origin}},
+as doing so could allow a malicious website to obtain valid [=credentials=].
+Although the [=scope=] of [=WebAuthn credentials=] prevents their use on domains
+outside the [=RP ID=] they were registered for,
+the [=[RP]=]'s origin validation serves as an additional layer of protection
+in case a faulty [=authenticator=] fails to enforce credential [=scope=].
+See also [[#sctn-code-injection]] for discussion of potentially malicious subdomains.
+
 Validation MAY be performed by exact string matching or any other method as needed by the [=[RP]=].
 For example:
 
@@ -8373,11 +8381,6 @@ For example:
     {{CollectedClientData/origin}} exactly equals some element of the list
     <code>["https://example.org", "example-os:appid:204ffa1a5af110ac483f131a1bef8a841a7adb0d8d135908bbd964ed05d2653b"]</code>.
 
-In order to prevent [=man-in-the-middle attacks=],
-the [=[RP]=] MUST NOT accept unexpected values of {{CollectedClientData/origin}},
-as doing so could allow a malicious website to obtain valid [=credentials=].
-See [[#sctn-code-injection]] for further discussion.
-
 Similar considerations apply when validating the {{CollectedClientData/topOrigin}} member of the [=client data=].
 When {{CollectedClientData/topOrigin}} is present, the [=[RP]=] MUST validate that its value is expected.
 This validation MAY be performed by exact string matching or any other method as needed by the [=[RP]=].