Re: [webauthn] Refer to IntersectionObserver from the Security Considerations (#1105)

> If we are thinking about having the user agent mandate visibility of cross-origin iframes that want to use WebAuthn then we have the problems you are describing. But it seems like a very good idea for RPs to use IOv2 as a guard against clickjacking. In some cases I think it might be essential for user security.

Thanks for the pull-back to the big picture, @kenrb. You're right, and this is specifically about adding to the Security Considerations section.

I'm in agreement: we should note for RPs' sake that they should consider using IOv2 to confirm that their WebAuthn UI is visible. I am not sure how to wordsmith that off the top of my head, as we also know that it appears most WebAuthn RPs would prefer to remain _invisible_ and keep the branding to the top-level context, but nudging the community toward using IOv2 where applicable is a good idea.

But I don't know how to use IOv2 to enforce things at the user agent, so I feel we should keep references, for now, in the Security Considerations section.

Anyone want to take a quick stab at wordsmithing what an RP would want to know about use of IOv2? "Relying parties being embedded within a frame can use IOv2 to confirm that their WebAuthn user experience is visible to the user and compliant with their authentication guidelines..." or some such?

-- 
GitHub Notification of comment by jcjones
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1105#issuecomment-553946995 using your GitHub account

Received on Thursday, 14 November 2019 15:47:08 UTC
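An added illustration of the guard the thread is discussing, written for this page and not taken from the WebAuthn spec, the issue, or any RP's code: an embedded RP observes its sign-in control with IntersectionObserver v2 (`trackVisibility: true`, which reports occlusion, opacity and transforms that v1's `isIntersecting` does not) and refuses to start the WebAuthn ceremony unless the latest entry says the element is both intersecting and visible. The element passed as `target`, the observer constructor and credentials-container parameters (which exist only so the logic can be exercised outside a browser), and the constructed sample entries are all assumptions of this example.

```javascript
// Added example: gate a WebAuthn ceremony in an embedded frame on
// IntersectionObserver v2 visibility. Not code from the spec or the thread.

// Decide from one IntersectionObserverEntry whether the ceremony may start.
// `isVisible` is the IOv2 field and is only populated when the observer was
// created with trackVisibility: true; a v1-only browser leaves it undefined,
// which we treat as "not verified" rather than "visible".
function ceremonyAllowed(entry) {
  if (typeof entry.isVisible !== "boolean") return false;
  return entry.isIntersecting === true && entry.isVisible === true;
}

// Observe `target` and keep the latest allow/deny decision in `state`.
// `ObserverCtor` defaults to the browser's IntersectionObserver; it is a
// parameter only so the logic can be driven with a stand-in elsewhere.
function watchVisibility(target, ObserverCtor = globalThis.IntersectionObserver) {
  const state = { supported: typeof ObserverCtor === "function", visible: false };
  if (!state.supported) return { state, observer: null };
  const observer = new ObserverCtor(
    (entries) => {
      // Entries arrive in order; the last one is the current state.
      for (const entry of entries) state.visible = ceremonyAllowed(entry);
    },
    // IOv2 requires delay >= 100 ms when trackVisibility is set; the
    // constructor throws otherwise.
    { threshold: 1.0, trackVisibility: true, delay: 100 }
  );
  observer.observe(target);
  return { state, observer };
}

// Start navigator.credentials.get() only when the UI is confirmed visible.
// `credentials` defaults to the real CredentialsContainer in a browser.
async function getAssertionIfVisible(
  state,
  publicKeyOptions,
  credentials = globalThis.navigator?.credentials
) {
  if (!state.supported) {
    throw new Error("IntersectionObserver v2 unavailable; visibility cannot be verified");
  }
  if (!state.visible) {
    throw new Error("WebAuthn UI not verified visible; refusing to start ceremony");
  }
  return credentials.get({ publicKey: publicKeyOptions });
}

// Constructed sample entries (not captured from a browser) showing the
// three cases the guard distinguishes.
const sampleEntries = {
  onScreenUnoccluded: { isIntersecting: true, isVisible: true },   // allowed
  onScreenButCovered: { isIntersecting: true, isVisible: false },  // clickjacking shape, refused
  v1OnlyBrowser: { isIntersecting: true },                         // no isVisible, refused
};

// Browser usage (assumed element id):
//   const { state } = watchVisibility(document.getElementById("webauthn-signin"));
//   button.onclick = () => getAssertionIfVisible(state, options).catch(console.error);
```

The point of the split between `watchVisibility` and `getAssertionIfVisible` is that the decision is taken from the most recent observer callback, not computed at click time: a frame that was covered by an overlay at the moment of the click is refused even if it was briefly visible earlier.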