Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

§5.10 needs revision to mention cross-domain create in iframes #2229

Closed
emlun opened this issue Jan 14, 2025 · 0 comments · Fixed by #2231
Closed

§5.10 needs revision to mention cross-domain create in iframes #2229

emlun opened this issue Jan 14, 2025 · 0 comments · Fixed by #2231
Assignees
@emlun
Labels
stat:pr-open type:editorial
Milestone
L3 Candidate Reco...

Comments

@emlun
Copy link
Member

emlun commented Jan 14, 2025

§5.10. Using Web Authentication within iframe elements reads in full:

The Web Authentication API is disabled by default in cross-origin iframes. To override this default policy and indicate that a cross-origin iframe is allowed to invoke the Web Authentication API's [[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) method, specify the allow attribute on the iframe element and include the publickey-credentials-get feature-identifier token in the allow attribute’s value.

Relying Parties utilizing the WebAuthn API in an embedded context should review § 13.4.2 Visibility Considerations for Embedded Usage regarding UI redressing and its possible mitigations.

Since merging #1801 this is also allowed in create() operations. The above section needs to be updated to mention this too.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@emlun emlun

Labels
stat:pr-open type:editorial
Projects
None yet
Milestone
L3 Candidate Recommendation
Development

Successfully merging a pull request may close this issue.

Address cross-origin create() in §5.10 w3c/webauthn
1 participant
@emlun