
[webauthn] Considerations on using WebAuthn in cross-origin iframes and Storage Access API (#1347)

From: Jiewen Tan via GitHub <sysbot+gh@w3.org>
Date: Tue, 19 Nov 2019 00:38:21 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-524702578-1574123899-sysbot+gh@w3.org>
alanwaketan has just created a new issue for https://github.com/w3c/webauthn:

== Considerations on using WebAuthn in cross-origin iframes and Storage Access API ==
On [WebAuthn Level 2](https://w3c.github.io/webauthn/#sctn-iframe-guidance), the spec utilizes [Feature Policy](https://www.w3.org/TR/feature-policy-1/) to allow a first party main frame to opt in for WebAuthn in a third party iframe. This new capability allows for a more streamlined experience for SSO or payments.

However, it doesn't consider [the Storage Access API](https://github.com/whatwg/html/issues/3338), which has to be used if the third party iframe is blocked from accessing its cookies. The API requires user interaction and may display its own prompt to the user. I believe the envisioned use cases do need third party cookie access in order to fulfill their functionalities. Therefore, we will end up in a situation where users might be prompted twice, once from WebAuthn and once from the Storage Access API. This user experience doesn't sound more streamlined than the one utilizing a redirection or a pop-up instead of the iframe, where users won't be prompted by the Storage Access API.

To achieve the envisioned functionality, some spec work is needed to bridge WebAuthn and the Storage Access API. Some related issues are: [#1336](https://github.com/w3c/webauthn/issues/1336), [#1303](https://github.com/w3c/webauthn/issues/1303), and [#1293](https://github.com/w3c/webauthn/issues/1293).

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1347 using your GitHub account
Received on Tuesday, 19 November 2019 00:38:25 UTC
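
The double-prompt sequence the issue describes, as an added example that is not part of the original message or of the WebAuthn spec. The origin idp.example, the function names and the stand-in objects are assumptions; `publickey-credentials-get` is the Feature Policy name from WebAuthn Level 2.

```javascript
// Added example. The embedder is assumed to load the frame with:
//   <iframe src="https://idp.example/login" allow="publickey-credentials-get">
// and the frame calls signInFromIframe(document, navigator.credentials, options)
// from a click handler, because requestStorageAccess() needs a user gesture.
async function signInFromIframe(doc, credentials, publicKey) {
  const prompts = []; // APIs that may have shown browser UI, in order
  if (!(await doc.hasStorageAccess())) {
    prompts.push('storage-access');
    try {
      await doc.requestStorageAccess();
    } catch (err) {
      // Assumption: without its cookies the frame cannot finish sign-in,
      // so it stops here instead of raising a second, useless prompt.
      return { ok: false, prompts, assertion: null };
    }
  }
  prompts.push('webauthn');
  const assertion = await credentials.get({ publicKey });
  return { ok: true, prompts, assertion };
}

// Constructed stand-ins for `document` and `navigator.credentials`, so the
// flow can be exercised outside a browser.
function fakeBrowser({ cookiesBlocked, userAllows }) {
  let granted = !cookiesBlocked;
  return {
    doc: {
      hasStorageAccess: async () => granted,
      requestStorageAccess: async () => {
        if (!userAllows) throw new Error('NotAllowedError (constructed)');
        granted = true;
      },
    },
    credentials: {
      get: async ({ publicKey }) => ({ type: 'public-key', challenge: publicKey.challenge }),
    },
  };
}

// Runs the three cases and returns the prompt sequence for each.
async function promptSequences() {
  const options = { challenge: new Uint8Array([1, 2, 3]) }; // constructed
  const cases = {
    cookiesBlocked: fakeBrowser({ cookiesBlocked: true, userAllows: true }),
    cookiesAllowed: fakeBrowser({ cookiesBlocked: false, userAllows: true }),
    userDenies: fakeBrowser({ cookiesBlocked: true, userAllows: false }),
  };
  const out = {};
  for (const [name, b] of Object.entries(cases)) {
    out[name] = (await signInFromIframe(b.doc, b.credentials, options)).prompts;
  }
  return out;
}
```

With cookies blocked the user passes through two browser prompts before an assertion is returned; with cookies available, only the WebAuthn one.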
