Security & Privacy Self‐Review: Related Origin Requests
This feature does not expose any new information.
2.2 Do features in your specification expose the minimum amount of information necessary to implement the intended functionality?
No
2.3 Do the features in your specification expose personal information, personally-identifiable information (PII), or information derived from either?
No, this feature does not expose personal information.
No, this feature does not deal with sensitive information.
2.5 Does data exposed by your specification carry related but distinct information that may not be obvious to users?
This feature allows a WebAuthn credential to be used with a different origin than it was originally created for. WebAuthn clients display the calling origin to the user during credential selection.
No, this feature does not introduce any new persistent state.
2.7 Do the features in your specification expose information about the underlying platform to origins?
No, this feature does not expose information about the underlying platform to origins.
No, this feature does not allow an origin to send any new data to the underlying platform.
No, this feature does not enable access to device sensors.
No, this feature does not enable new script execution/loading mechanisms.
No, this feature does not allow an origin to access other devices.
2.12 Do features in this specification allow an origin some measure of control over a user agent’s native UI?
No, this feature does not allow an origin some measure of control over a user agent’s native UI.
No, this feature does not create or expose any temporary identifiers to the web.
2.14 How does this specification distinguish between behavior in first-party and third-party contexts?
This feature allows a WebAuthn Relying Party to declare that a WebAuthn credential created for their RP ID can be used in a limited set of third-party contexts. The behavior is controlled by the user agent / WebAuthn client.
2.15 How do the features in this specification work in the context of a browser’s Private Browsing or Incognito mode?
This feature works the same in Private Browsing / Incognito modes.
2.16 Does this specification have both "Security Considerations" and "Privacy Considerations" sections?
Yes, the WebAuthn specification has these sections.
No, this feature does not enable origins to downgrade default security protections.
2.18 What happens when a document that uses your feature is kept alive in BFCache (instead of getting destroyed) after navigation, and potentially gets reused on future navigations back to the document?
There is no change in behavior for this feature.
There is no change in behavior for this feature.
There are no new errors or error conditions defined by this feature.
No, this feature does not allow sites to learn about the user’s use of assistive technology.
n/a