[w3ctag/design-reviews] Support WebOTP API and origin-bound one time code in cross-origin iframes (#604) from yi-gu on 2021-01-28 (public-webapps-github@w3.org from January 2021)

From: yi-gu <notifications@github.com>
Date: Thu, 28 Jan 2021 18:31:51 +0000 (UTC)
To: w3ctag/design-reviews <design-reviews@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3ctag/design-reviews/issues/604@github.com>

HIQaH! QaH! TAG!

I'm requesting a TAG review of supporting WebOTP API and origin-bound one time code in cross-origin iframes.

The WebOTP API gives developers the ability to programmatically read one time codes from specially-formatted SMSes  addressed to their origin to reduce user friction. The [origin-bound one time code format](https://wicg.github.io/sms-one-time-codes/) is supported in Chrome and Safari. [WebOTP API](https://wicg.github.io/web-otp/) is supported in Chrome ([TAG review](https://github.com/w3ctag/design-reviews/issues/391), [I2S](https://groups.google.com/a/chromium.org/g/blink-dev/c/4QercWhVKP8/m/FnM5NkpnCgAJ)).

In the initial launch of the API, we deliberately ignored the cross-origin iframe support. Post launch, we are trying to add such support to address feature requests from the web developer community (e.g. Shopify, iCloud) and improve [interoperability](https://developer.apple.com/news/?id=z0i801mg).

Links for the general WebOTP API:
  - Explainer¹ of the general WebOTP API: [url](https://github.com/WICG/web-otp/blob/master/README.md)
  - Specification URL: [WebOTP API](https://wicg.github.io/web-otp/), [sms-one-time-codes](https://wicg.github.io/sms-one-time-codes/)
  - Security and Privacy self-review² for the general WebOTP API: [url](https://github.com/WICG/web-otp/blob/master/FAQ.md#self-review-questionnaire-security-and-privacy)
 
Links for cross-origin support:
  - Key pieces of existing multi-stakeholder review or discussion of this specification: https://github.com/WICG/sms-one-time-codes/issues/4

  - GitHub repo: [url](https://github.com/WICG/web-otp/issues/50)
  - Tests: [wpt](https://source.chromium.org/chromium/chromium/src/+/master:third_party/blink/web_tests/external/wpt/credential-management/)
  - Primary contacts (and their relationship to the specification):
      - @samuelgoto (editor, Google) @hober@(Editor, Apple), @yi-gu (Chrome implementation), @erynofwales (Safari implementation)
  - Organization(s)/project(s) driving the specification: Google, Apple
  
Further details:
  - [x] I have reviewed the TAG's [API Design Principles](https://w3ctag.github.io/design-principles/)
  - Relevant time constraints or deadlines: We like to ship this in Chrome M90
  - The group where the work on this specification is currently being done: WICG
  - The group where standardization of this work is intended to be done (if current group is a community group or other incubation venue):

You should also know that...

The implication of the proposed modification:
 - Developers need to send SMS that complies with the updated format for cross-origin usage
   - Agreed [format](https://github.com/WICG/sms-one-time-codes/issues/4#issuecomment-761281590)

We'd prefer the TAG provide feedback as (please delete all but the desired option):

  🐛 open issues in our GitHub repo for **each point of feedback**


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/604

Received on Thursday, 28 January 2021 18:32:05 UTC