
Re: cross-origin framing of webauthn-wielding origins (WebAuthn + Web Payments)

From: Stefan Zager <szager@google.com>
Date: Wed, 16 May 2018 09:46:28 -0700
Message-ID: <CAHOQ7J9FAhqmVKPJ=MKQ7JLaz2VdrCFvx3Ra6EL1bKd7s3B4YQ@mail.gmail.com>
To: public-webappsec@w3.org
> 4. AND, find some solution for the "Origin Confusion" conundrum [13]
> (this may be the most severe obstacle to address) and any other relevant
> security considerations in both credman & webauthn [0], such as
> clickjacking. The latter is a major concern for such "powerful" framed
> content. It seems Intersection Observer v2 [14] with its
> "trackVisibility" attribute which reports [16] whether an
> element is unoccluded, untransformed, unfiltered, and opaque (i.e.,
> _visible_) may (drum roll) offer the needed solution here.

Indeed, the scenario you describe is *precisely* the motivation for
IntersectionObserver V2. I'm currently in the process of prototyping V2 in
Chromium, and still shopping around the spec proposal, so I'd be very
interested in any feedback you can provide about its usefulness and design.


Received on Wednesday, 16 May 2018 16:47:03 UTC
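
The clickjacking defence discussed in the message above, sketched as an added example (not part of the original message and not Chromium's or the spec authors' code): a framed "confirm" button accepts a click only after the browser has reported it visible for a minimum time. It uses the `delay` option and the `isVisible` entry field of Intersection Observer V2 as implemented in Chromium, which the message does not mention; `createVisibilityGuard`, `protectButton`, `MIN_VISIBLE_MS` and the `#confirm` selector are hypothetical names.

```javascript
// Added example. Hypothetical names: createVisibilityGuard, protectButton, MIN_VISIBLE_MS, #confirm.
const MIN_VISIBLE_MS = 800; // assumed policy: button must be visible this long before a click counts

// Pure state machine fed with IntersectionObserverEntry-like objects
// ({ isIntersecting, isVisible, time }); kept separate from the DOM so it can be tested offline.
function createVisibilityGuard(minVisibleMs = MIN_VISIBLE_MS) {
  let visibleSince = null; // timestamp of the latest transition to "visible"
  return {
    update(entry) {
      // isVisible is true only when the browser can vouch that the target is unoccluded,
      // untransformed, unfiltered and opaque. A V1-only browser leaves it undefined,
      // which is treated as hidden (fail closed).
      const visible = entry.isIntersecting === true && entry.isVisible === true;
      if (!visible) visibleSince = null;
      else if (visibleSince === null) visibleSince = entry.time;
    },
    allowsClickAt(now) {
      return visibleSince !== null && now - visibleSince >= minVisibleMs;
    },
  };
}

// Browser wiring for one button inside the framed document.
function protectButton(button, onConfirmed) {
  const guard = createVisibilityGuard();
  const observer = new IntersectionObserver(
    (entries) => entries.forEach((e) => guard.update(e)),
    { threshold: 1.0, trackVisibility: true, delay: 100 } // V2 requires delay >= 100 ms
  );
  observer.observe(button);
  button.addEventListener('click', (ev) => {
    // ev.timeStamp and entry.time are both measured from the document's time origin.
    if (guard.allowsClickAt(ev.timeStamp)) onConfirmed(ev);
    else ev.preventDefault(); // occluded, restyled, or shown too briefly: ignore the click
  });
  return observer;
}

// Skipped where there is no DOM or no IntersectionObserver (for example under Node).
if (typeof IntersectionObserver !== 'undefined' && typeof document !== 'undefined') {
  const button = document.querySelector('#confirm');
  if (button) protectButton(button, () => console.log('confirmed'));
}
```
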
