[Spec] Remove references to create in cross origin iframe #281
Conversation
The WebAuthn specification now allows credential creation in a cross origin iframe, as of w3c/webauthn#1801. As such, SPC no longer needs to override or add this behavior. We do retain (for now) the ability for the `"payment"` permission policy to allow credential create in an iframe, instead of requiring `"publickey-credentials-create"`. This should be removed one day, but one small step to unification at a time :). There is a small web-compat issue here. In the case of no transient user activation, the SPC specification used to throw a `SecurityError` error. However WebAuthn throws a `NotAllowed` error instead. See also Chrome bug https://crbug.com/41484826 Fixes #267
stephenmcgruer
force-pushed
the
remove-create-in-cross-origin-iframe
branch
from
4728e88 to
9ada5e5
Compare
|
This one might warrant some discussion in the WPWG, really just as a heads up to the changing error type - which will only happen for realz when we fix https://crbug.com/41484826 . |
|
Thanks for the review @ianbjacobs ! What do you want to do about the web compat issue wrt |
|
@stephenmcgruer, I'm not sure the WG will have much to add. Have you chatted with partners and do they have a preference? |
This comment was marked as spam.
This comment was marked as spam.
Sorry, something went wrong.
I think you're right; I'm just going to merge this, then we'll treat it like any compat bug between spec-and-impl in Chrome. (Including partner outreach). |
SHA: d095e26 Reason: push, by stephenmcgruer Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Calling navigator.credentials.create() in a cross-origin iframe without a user activation should result in a NotAllowedError, per the [WebAuthn spec]. However for 'payment' credentials, the SPC spec used to say to throw a SecurityError instead, and Chrome's implementation did exactly that. This contradiction was fixed in the SPC spec in w3c/secure-payment-confirmation#281, so that NotAllowedError is always the correct error to throw. This CL follows through in the Chrome implementation to align payment credential create with non-payment credentials. Because this change is a breaking one (the type of the error changes), the fix is behind a flag for now. We will be connecting with partners and following a standard web platform process for handling breaking changes. [WebAuthn spec]: https://w3c.github.io/webauthn/#sctn-createCredential Bug: 41484826 Change-Id: I133017586cac89b94eec1738831356d0398de0e0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6284564 Reviewed-by: Florin Malita <[email protected]> Reviewed-by: Ken Buchanan <[email protected]> Auto-Submit: Stephen McGruer <[email protected]> Commit-Queue: Florin Malita <[email protected]> Cr-Commit-Position: refs/heads/main@{#1422745}
The WebAuthn specification now allows credential creation in a cross origin iframe, as of w3c/webauthn#1801. As such, SPC no longer needs to override or add this behavior.
We do retain (for now) the ability for the
"payment"permission policy to allow credential create in an iframe, instead of requiring"publickey-credentials-create". This should be removed one day, but one small step to unification at a time :).There is a small web-compat issue here. In the case of no transient user activation, the SPC specification used to throw a
SecurityErrorerror. However WebAuthn throws aNotAllowederror instead. See also Chrome bug https://crbug.com/41484826Fixes #267
Preview | Diff