Re: [webauthn] Explicitly prohibit use of WebAuthn from non-visible cross-origin iframes (#1303)

From the call of 2019-10-09: since the cross-origin case is disabled by default without an `allow` blessing, I'm not sure about the utility of this. If we force an iframe to be visible, it can still be white on a white background, so I couldn't use that in a security argument either, I suspect. Thus I hope that disabled-by-default is a good safeguard and, if not, would be interested to know others' motivations.

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1303#issuecomment-540154092 using your GitHub account

Received on Wednesday, 9 October 2019 19:30:36 UTC