Re: [webauthn] Prohibit Create Credential from cross-origin iframes (#1336)

From: kenrb via GitHub <sysbot+gh@w3.org>
Date: Fri, 08 Nov 2019 15:51:11 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-551880608-1573228270-sysbot+gh@w3.org>

To briefly summarize what I think is above (please let me know if anything here is off):
1. The Push API problem is not directly relevant to the cross-origin iframe proposal, but serves as an example of how an incidental abuse case can cause harm to users and cause UA implementers to have to roll back capabilities, and so the suggestion is that we should err on the side of caution.
2. The abuse case here is user tracking in a post-3p-cookie world. A tracking iframe could accumulate a user profile across sites if it can do the following:
  a) Induce the user to create a credential for the tracker's origin on their authenticator.
  b) Correctly guess the user's identity when they visit other sites that the tracker is embedded on (or else guess that the authenticator supports resident keys?).
  c) Induce the user to activate the authenticator (UP or UV) on each of those sites. This could confirm the heuristic guess and allow a data point to be added to the profile of the user being tracked.

It's not clear to me that this is plausible, since the high bar for success would limit the amount of tracking data to be gained, and also the abusive behaviour would be easily visible to users and embedding site authors.

Conversely, I do think there are legitimate use cases for MakeCredential in cross-origin iframes. If a payment service is embedded in a merchant, it would not have an easy way to bootstrap users to using WebAuthn, other than doing a full page redirect or a popup, both of which create very high abandonment rates for transactions.

We certainly need to be careful about adding new tracking modes to the web, but at the same time it doesn't seem right to be limiting use cases, and potentially adoption, for the sake of attacks that may not be practical.

GitHub Notification of comment by kenrb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1336#issuecomment-551880608 using your GitHub account
Received on Friday, 8 November 2019 15:51:13 UTC
