Re: [webauthn] restrict WebAuthentication API to only top level browsing context

> The challenge will be Google is using iframe to enable certain login scenario.

I'm not familiar enough with Google's U2F usage to comment on how/why `<iframe>` is used; @balfanz will certainly have more context there.

Are the frames same-origin? Same-eTLD+1?

> How would that be addressed?

We locked the credential management API to top-level contexts because we have no idea how to inform a user about the origin of frames. That is, it's difficult to explain to users what's going on when `doubleclick.net` asks for credentials (or asks to store credentials) from inside `example.com`. They see `example.com` in the address bar, that's the origin with which they're creating a trust relationship, but they're handing credentials to someone else. *shrug* It isn't at all a deep, philosophical opposition to the idea, but a practical "We don't know how to do this" feature we punted to The Distant Future(tm).

The Web Payments group has made different choices with their API, rendering UI that attributes the request to the top-level origin (with the justification that the top-level origin is what the user trusts, and that it's delegating the permission to the framed document via a content attribute on the frame element). I'm not sure that's a reasonable model for this API, but perhaps it is?

/cc @zkoch, @battre as an FYI.

-- 
GitHub Notification of comment by mikewest
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/374#issuecomment-285280557 using your GitHub account

Received on Thursday, 9 March 2017 07:56:06 UTC
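
The two models contrasted in the message above, sketched as an added example that is not part of the original comment and is not browser or specification code. The `delegated` field, the function names, the sample frame chains, and the rule that every embedding step must opt in are assumptions of this sketch.

```javascript
// Constructed model for illustration; not browser, spec, or project code.
// A chain lists documents from the top-level page down to the frame making
// the request. `delegated` (hypothetical field) models the content attribute
// on the <iframe> element that embeds that document.
const origin = (url) => new URL(url).origin;

// Model 1: the API works only in the top-level browsing context.
function topLevelOnly(chain) {
  const allowed = chain.length === 1;
  const top = origin(chain[0].url);
  return { allowed, shownToUser: allowed ? top : null,
           receivedBy: allowed ? top : null };
}

// Model 2: framed requests are allowed when every embedding step opts in
// (assumption of this sketch); the UI is attributed to the top-level origin.
function delegatedByAttribute(chain) {
  const top = origin(chain[0].url);
  const requester = origin(chain[chain.length - 1].url);
  const allowed = chain.slice(1).every((f) => f.delegated === true);
  return { allowed, shownToUser: allowed ? top : null,
           receivedBy: allowed ? requester : null };
}

// True when the user is shown one origin but another receives the credential.
function attributionGap(result) {
  return result.allowed && result.shownToUser !== result.receivedBy;
}

// Constructed samples: example.com embedding a cross-origin and a same-origin frame.
const framed = [
  { url: "https://example.com/login" },
  { url: "https://doubleclick.net/widget", delegated: true },
];
const sameOriginFramed = [
  { url: "https://example.com/login" },
  { url: "https://example.com/auth-frame", delegated: true },
];

for (const [name, chain] of [["cross-origin", framed], ["same-origin", sameOriginFramed]]) {
  const a = topLevelOnly(chain), b = delegatedByAttribute(chain);
  console.log(name, "| top-level-only allowed:", a.allowed,
              "| delegated allowed:", b.allowed, "| gap:", attributionGap(b));
}
```
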