Re: [webauthn] restrict WebAuthentication API to only top level browsing context from Jeffrey Yasskin via GitHub on 2017-04-05 (public-webauthn@w3.org from April 2017)

From: Jeffrey Yasskin via GitHub <sysbot+gh@w3.org>
Date: Wed, 05 Apr 2017 05:52:05 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-291761341-1491371524-sysbot+gh@w3.org>

@clelland is working on [Feature Policy](https://wicg.github.io/feature-policy/) to give the top-level frame the ability to selectively grant APIs to its children. If you restrict WebAuthn to the top-level frame now, that lets you migrate to the more explicitly-permissive world in the future, whereas if you leave it totally open, backward compatibility will make it hard to establish the more restrictive default when Feature Policy is more widely supported.

It's likely also safe to allow same-origin iframes access now.

-- 
GitHub Notification of comment by jyasskin
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/374#issuecomment-291761341 using your GitHub account

Received on Wednesday, 5 April 2017 05:52:12 UTC