[webauthn] Considerations on using WebAuthn in cross-origin iframes and Storage Access API (#1347)

alanwaketan has just created a new issue for https://github.com/w3c/webauthn:

== Considerations on using WebAuthn in cross-origin iframes and Storage Access API ==
On [WebAuthn Level 2](https://w3c.github.io/webauthn/#sctn-iframe-guidance), the spec utilizes [Feature Policy](https://www.w3.org/TR/feature-policy-1/) to allow a first party main frame to opt in for WebAuthn in a third party iframe. This new capability allows for a more streamlined experience for SSO or payments.

However, it doesn't consider [the Storage Access API](https://github.com/whatwg/html/issues/3338), which has to be used if the third party iframe is blocked from accessing its cookies. The API requires user interaction and may display its own prompt to the user. I believe the envisioned use cases do need third party cookie access in order to fulfill their functionalities. Therefore, we will end up in a situation in which users might be prompted twice, once from WebAuthn and once from the Storage Access API. This user experience doesn't sound more streamlined than the one utilizing a redirection or a pop-up instead of the iframe, where users won't be prompted by the Storage Access API.

To achieve the envisioned functionality, some spec work is needed to bridge WebAuthn and the Storage Access API. Some related issues are: [#1336](https://github.com/w3c/webauthn/issues/1336), [#1303](https://github.com/w3c/webauthn/issues/1303), and [#1293](https://github.com/w3c/webauthn/issues/1293).

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1347 using your GitHub account

Received on Tuesday, 19 November 2019 00:38:25 UTC
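As an added illustration of the flow the issue describes (this is example code written for this page, not code from the w3c/webauthn issue, the spec, or any browser), the snippet below shows both halves: the first-party embedder delegating WebAuthn assertion to a cross-origin iframe through the `publickey-credentials-get` feature, and the embedded third-party page that first has to obtain cookie access via `document.requestStorageAccess()` before it can call `navigator.credentials.get()`. The origin `https://idp.example`, the function names, and the choice to use an explicit origin in the `allow` list are assumptions made for the example; `promptsNeeded` is a pure helper so the prompt-count logic can be checked outside a browser, while `signInFromIframe` only runs inside the iframe from a user gesture.

```javascript
// Added example (not from the w3c/webauthn issue or spec).
// Assumed/constructed values: RP_ORIGIN, the function names, and the sample iframe src.

const RP_ORIGIN = "https://idp.example"; // constructed sample third-party origin

// (a) First-party embedder: build the iframe that opts the third-party
// origin in to WebAuthn assertion via the Feature Policy "allow" attribute.
// Without this delegation, credentials.get() in the iframe is refused.
function buildDelegatingIframe(src) {
  const origin = new URL(src).origin;
  return `<iframe src="${src}" allow="publickey-credentials-get ${origin}"></iframe>`;
}

// Pure helper: which user-facing prompts the embedded page will trigger.
// If the iframe needs its cookies and is currently partitioned/blocked, the
// Storage Access API prompt comes first, then the WebAuthn ceremony itself.
function promptsNeeded({ hasStorageAccess, needsCookies }) {
  const prompts = [];
  if (needsCookies && !hasStorageAccess) prompts.push("storage-access");
  prompts.push("webauthn");
  return prompts;
}

// (b) Third-party page inside the iframe. Browser-only; call from a click
// handler so the required user interaction is present.
async function signInFromIframe(challengeBytes) {
  if (typeof document === "undefined" || typeof navigator === "undefined") {
    throw new Error("signInFromIframe must run in a browser");
  }
  // Prompt 1: ask for unpartitioned cookie access if we do not already have it.
  if (!(await document.hasStorageAccess())) {
    await document.requestStorageAccess(); // may show the browser's own prompt
  }
  // Prompt 2: the WebAuthn assertion ceremony, allowed here only because the
  // embedder listed this origin for publickey-credentials-get.
  const assertion = await navigator.credentials.get({
    publicKey: {
      challenge: challengeBytes,                 // server-issued challenge (Uint8Array)
      rpId: new URL(RP_ORIGIN).hostname,         // must match the iframe's own origin
      userVerification: "preferred",
    },
  });
  return assertion; // PublicKeyCredential to POST back to the RP with the cookies now available
}
```

The `promptsNeeded` result makes the issue's point concrete: with cookies blocked, the iframe path costs two prompts, whereas a top-level redirect or pop-up, being first-party, needs only the WebAuthn one.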