Re: [webauthn] Prohibit Create Credential from cross-origin iframes (#1336)

@jcjones wrote:

>  I would like to propose that we specify WebAuthn's Create Credential operation be only callable from the top-level context.

Do you actually mean to say "...only callable from browsing contexts that are top-level or [same-origin with their ancestors](https://www.w3.org/TR/credential-management-1/#same-origin-with-its-ancestors)"?

Because, currently, as spec'd in WebAuthn L1's [Section 5.1.3. Create ... Method](https://www.w3.org/TR/webauthn/#createCredential), one can create creds in contexts that are same-origin with their ancestors (step 2 therein).

The analysis above and your hypothesis of actors being able to create a `https://worldwide.panopticon.tracker/` that would behave as discussed sounds nominally plausible. I've found some seemingly-relevant recent conference papers, as well as tech press articles wrt Web Push abuse in the wild, to go digest.

In the meantime I'm interested in others' comments on this proposal.

WRT changes to the WebAuthn spec (post landing of PR #1276) that this issue would cause: in concrete terms, the change would be fairly simple -- it means restoring the check of the `sameOriginWithAncestors` parameter in [`[[Create]]()`](https://www.w3.org/TR/webauthn/#createCredential) that PR #1276 is removing (i.e., restoring only that check assumes that same-origin iframe usage is actually ok).

-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1336#issuecomment-548150652 using your GitHub account

Received on Wednesday, 30 October 2019 23:10:29 UTC
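To make the two policies in the comment above concrete (top-level only, versus top-level or same-origin-with-ancestors as in WebAuthn L1 `[[Create]]()` step 2), here is an added example that is not part of the thread or of the WebAuthn spec text. It models the `sameOriginWithAncestors` check over a constructed chain of document origins, top-level first; the function names, policy labels and origins other than the tracker one quoted in the comment are assumptions for illustration.

```javascript
// Added example (not from the spec or the thread). A document is
// "same-origin with its ancestors" (Credential Management spec) when it is
// the top-level document, or its origin matches its parent's origin and the
// parent is itself same-origin with its ancestors. `chain` is a constructed
// list of serialized origins, top-level document first, ending with the
// document that calls navigator.credentials.create().
function sameOriginWithAncestors(chain) {
  if (chain.length === 0) throw new Error("empty browsing-context chain");
  for (let i = 1; i < chain.length; i++) {
    // any cross-origin step between a document and its parent breaks the chain
    if (chain[i] !== chain[i - 1]) return false;
  }
  return true;
}

// The two policies discussed in the thread (labels are mine):
//   "top-level":             only the top-level document may create credentials
//   "same-origin-ancestors": top-level or same-origin-with-ancestors (L1 step 2)
function createAllowed(chain, policy) {
  switch (policy) {
    case "top-level":
      return chain.length === 1;
    case "same-origin-ancestors":
      return sameOriginWithAncestors(chain);
    default:
      throw new Error("unknown policy: " + policy);
  }
}

// Constructed scenarios; rp.example, news.example and ads.example are hypothetical.
const scenarios = {
  topLevel: ["https://rp.example"],
  sameOriginIframe: ["https://rp.example", "https://rp.example"],
  // the tracker origin from the comment, embedded as a third-party iframe
  crossOriginIframe: ["https://news.example", "https://worldwide.panopticon.tracker"],
  // same-origin iframe nested inside a cross-origin one is still refused
  nestedMixed: ["https://rp.example", "https://ads.example", "https://rp.example"],
};

// Returns a map of scenario name -> whether credential creation is allowed.
function evaluate(policy) {
  const result = {};
  for (const [name, chain] of Object.entries(scenarios)) {
    result[name] = createAllowed(chain, policy);
  }
  return result;
}
```

Under either policy the tracker iframe scenario is refused; the policies differ only on same-origin iframes.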