Re: cross-origin framing of webauthn-wielding origins (WebAuthn + Web Payments)

> 4. AND, find some solution for the "Origin Confusion" conundrum [13]
> (this may be the most severe obstacle to address) and any other relevant
> security considerations in both credman & webauthn [0], such as
> clickjacking. The latter is a major concern for such "powerful" framed
> content. It seems Intersection Observer v2 [14] with its
> "trackVisibility" attribute which reports [16] whether an
> element is unoccluded, untransformed, unfiltered, and opaque (i.e.,
> _visible_) may (drum roll) offer the needed solution here.

Indeed, the scenario you describe is *precisely* the motivation for
IntersectionObserver V2. I'm currently in the process of prototyping V2 in
Chromium, and still shopping around the spec proposal, so I'd be very
interested in any feedback you can provide about its usefulness and design.

Thanks,

Stefan

Received on Wednesday, 16 May 2018 16:47:03 UTC
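
As an added illustration that is not part of the message above: one way framed content could use the "trackVisibility" option discussed in the thread to refuse clicks unless the browser vouches that the control is fully visible. `createVisibilityGate`, `guardClick` and the 800 ms dwell time are hypothetical names and values chosen for this sketch; the observer constructor and clock are injectable so the logic also runs outside a browser.

```javascript
// Added example: anti-clickjacking gate built on IntersectionObserver v2.
// Assumption: the control must be fully visible for MIN_VISIBLE_MS before a
// click is honoured (the dwell time is a constructed value, not from the spec).
const MIN_VISIBLE_MS = 800;

function createVisibilityGate(target, IO = globalThis.IntersectionObserver,
                              now = () => Date.now()) {
  if (typeof IO !== 'function') {
    // No observer implementation at all: fail closed.
    return { isTrusted: () => false, disconnect() {} };
  }
  let visibleSince = null; // time at which the target last became fully visible

  const observer = new IO((entries) => {
    for (const entry of entries) {
      // isVisible is true only when a v2 implementation can vouch that the
      // target is unoccluded, untransformed, unfiltered and opaque. A v1-only
      // browser leaves it undefined, which is treated as "not visible".
      const ok = entry.isIntersecting &&
                 entry.intersectionRatio >= 1 &&
                 entry.isVisible === true;
      if (!ok) visibleSince = null;
      else if (visibleSince === null) visibleSince = now();
    }
  }, { threshold: [1.0], trackVisibility: true, delay: 100 });

  observer.observe(target);
  return {
    isTrusted: () => visibleSince !== null &&
                     now() - visibleSince >= MIN_VISIBLE_MS,
    disconnect: () => observer.disconnect(),
  };
}

// Wrap the sensitive action (for example, starting a WebAuthn ceremony)
// so it only runs when the gate currently trusts the control's visibility.
function guardClick(gate, action) {
  return (event) => {
    if (!gate.isTrusted()) {
      event.preventDefault();
      return false;
    }
    action(event);
    return true;
  };
}

// Browser wiring, with a hypothetical element id and action:
//   const btn = document.getElementById('confirm');
//   btn.addEventListener('click', guardClick(createVisibilityGate(btn), startCeremony));
```

The gate fails closed: a browser without v2 support never sets `isVisible`, so the guarded action is never triggered there and the embedder needs a fallback flow.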